How do I stop users from accessing a specific IFS directory from their Windows Explorer using RRM? (NETIQKB45864)

  • 7745864
  • 02-Feb-2007
  • 08-Oct-2007

Resolution

goal
How do I stop users from accessing a specific IFS directory from their Windows Explorer using RRM?

fact
VigilEnt Security Agent for iSeries 7.5

fact
Remote Request Management (RRM)

fix

When a user opens a directory in an IFS share, Windows Explorer drives the LISTATT and ALLOCON operations of the FILE server. This traffic arrives through the QIBM_QPWFS_FILE_SERV exit point.

Note: Access is rejected only if the VigilEnt exit program is installed on the QIBM_QPWFS_FILE_SERV exit point and that exit point is in Secure mode.

To keep specific users out of specific directories on the IFS share, you must first create Secured Entries that allow those users the FILE_ALLOCON and FILE_LISTATT operations; the directory-specific restriction is then layered on top of that access.

  1. From PSMENU, take Option 2 PSSecure, Option 3 Remote Request Management, and Option 1 Work with Secured Entries.
  2. Press F6 to add a Secured Entry.

Please note the following example Secured Entries:

NW0056T1          Create Secured Entry                    16:04:22   2/14/2005
Testsys                                                        Add

User . . . . . . . . . . . . . . TEST       + Name, :Group, *PUBLIC
Network  . . . . . . . . . . . . *ALL       +                            
Operation  . . . . . . . . . . . FILE_ALLOCON            +                    
Object Path  . . . . . . . . . . *NONE                                        
Action . . . . . . . . . . . . . *PASS   + *PASS, *FAIL, *OBJLIST, cal     
Swap Profile . . . . . . . . . .              Name                            
Enabled Status . . . . . . . . . Y +          Y, N                            
Delete Collected Entry?  . . . . Y +          Y, N                             
 

NW0056T1          Create Secured Entry                    16:04:22   2/14/2005
 Testsys                                                       Add

User . . . . . . . . . . . . . . TEST       + Name, :Group, *PUBLIC    
Network  . . . . . . . . . . . . *ALL       +                      
Operation  . . . . . . . . . . . FILE_LISTATT            +          
Object Path  . . . . . . . . . . *NONE                               
Action . . . . . . . . . . . . . *PASS   + *PASS, *FAIL, *OBJLIST, cal    
Swap Profile . . . . . . . . . .              Name                     
Enabled Status . . . . . . . . . Y +          Y, N                       
Delete Collected Entry?  . . . . Y +          Y, N                          
 
  

You can also grant access to these operations with more generic rules; which approach fits depends on your specific RRM configuration.

To use the generic rules:

  1. Ensure that the users have access to the ALLOCON and LISTATT operations (for example through generic Secured Entries with Object Path *NONE).
  2. Create a new Secured Entry for the LISTATT operation with the specific IFS directory as the Object Path.
  3. Set the Action of this Secured Entry to *FAIL, as shown in the following example.

NW0015B                   Work With Secured Entries       13:14:19   2/21/2005
 Testsys                                                       Add

User . . . . . . . . . . . . . . TEST       + Name, :Group, *PUBLIC       
Network  . . . . . . . . . . . . *ALL            +                          
Operation  . . . . . . . . . . . FILE_LISTATT            +                   
Object Path  . . . . . . . . . . /TESTDIRECTORY                            
Action . . . . . . . . . . . . . *FAIL      + *PASS, *FAIL, *OBJLIST, cal   
Swap Profile . . . . . . . . . .              Name                            
Enabled Status . . . . . . . . . Y +          Y, N     

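The following model shows how the three Secured Entries above are meant to combine: the generic *PASS entries grant TEST the two FILE server operations, and the directory-specific *FAIL entry on FILE_LISTATT overrides them for /TESTDIRECTORY only. It is an added example, not NetIQ or VigilEnt code, and it never talks to an iSeries. Its matching rules are assumptions rather than RRM's documented algorithm: an Object Path of *NONE matches any path, a path entry also covers everything below it, path comparison is case-insensitive, the entry with the most specific Object Path wins, a request with no matching entry is rejected, and nothing is rejected at all unless the exit point is in Secure mode (the note above).

```python
"""Model of how RRM Secured Entries combine for one FILE server request.

Added example, not NetIQ/VigilEnt code. The precedence and matching rules
below are assumptions made for illustration, not RRM's documented behaviour.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SecuredEntry:
    user: str          # profile name, :GROUP, or *PUBLIC
    operation: str     # e.g. FILE_LISTATT, FILE_ALLOCON
    object_path: str   # IFS path, or *NONE for any path
    action: str        # *PASS or *FAIL
    enabled: bool = True


def _path_matches(entry_path: str, request_path: str) -> bool:
    """*NONE matches anything; a path matches itself and everything below it.
    Assumption: comparison is case-insensitive."""
    if entry_path == "*NONE":
        return True
    e = entry_path.rstrip("/").upper()
    r = request_path.rstrip("/").upper()
    return r == e or r.startswith(e + "/")


def _specificity(e: SecuredEntry) -> Tuple[int, int]:
    """Assumption: a longer Object Path beats a shorter one, then a named
    profile beats a :GROUP, which beats *PUBLIC."""
    path_rank = 0 if e.object_path == "*NONE" else len(e.object_path.rstrip("/"))
    user_rank = 0 if e.user == "*PUBLIC" else (1 if e.user.startswith(":") else 2)
    return (path_rank, user_rank)


def evaluate(entries: Iterable[SecuredEntry], user: str, groups: List[str],
             operation: str, path: str, secure_mode: bool = True) -> str:
    """Return '*PASS' or '*FAIL' for one request arriving at the exit point."""
    if not secure_mode:
        return "*PASS"  # exit program not enforcing: nothing can be rejected
    principals = {user, "*PUBLIC"} | {":" + g for g in groups}
    best: Optional[SecuredEntry] = None
    for e in entries:
        if not e.enabled or e.operation != operation or e.user not in principals:
            continue
        if not _path_matches(e.object_path, path):
            continue
        if best is None or _specificity(e) > _specificity(best):
            best = e
    return best.action if best else "*FAIL"  # assumption: no entry -> reject


# The three entries from the screens above, constructed here in code.
GENERIC_PASS = [
    SecuredEntry("TEST", "FILE_ALLOCON", "*NONE", "*PASS"),
    SecuredEntry("TEST", "FILE_LISTATT", "*NONE", "*PASS"),
]
DIRECTORY_FAIL = SecuredEntry("TEST", "FILE_LISTATT", "/TESTDIRECTORY", "*FAIL")
POLICY = GENERIC_PASS + [DIRECTORY_FAIL]


def demo() -> dict:
    """Outcomes for the cases a practitioner would want to check."""
    return {
        "before_fail_entry": evaluate(GENERIC_PASS, "TEST", [], "FILE_LISTATT", "/TESTDIRECTORY"),
        "after_fail_entry": evaluate(POLICY, "TEST", [], "FILE_LISTATT", "/TESTDIRECTORY"),
        "subdirectory": evaluate(POLICY, "TEST", [], "FILE_LISTATT", "/testdirectory/reports"),
        "other_directory": evaluate(POLICY, "TEST", [], "FILE_LISTATT", "/OTHER"),
        "allocon_not_covered": evaluate(POLICY, "TEST", [], "FILE_ALLOCON", "/TESTDIRECTORY"),
        "not_secure_mode": evaluate(POLICY, "TEST", [], "FILE_LISTATT", "/TESTDIRECTORY",
                                    secure_mode=False),
        "no_entry_for_user": evaluate(POLICY, "OTHER", [], "FILE_LISTATT", "/TESTDIRECTORY"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} {outcome}")
```

Two of the modelled cases are worth checking on a real system: the page's example only fails FILE_LISTATT, so a FILE_ALLOCON request against the same directory still passes under these entries, and none of the *FAIL entries have any effect while the exit point is outside Secure mode.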


Additional Information

Formerly known as NETIQKB45864