Fact: NetIQ Security Solutions for iSeries v8.0
Fact: Secure Menuing System (SMS)
Goal: How can I secure the product menu options?
Goal: How can I restrict access to certain menu options?
Fix: To change the menu and option authorities within the Secure Menuing System applications, refer to the following instructions.
The user who performs these instructions must be signed on as QSECOFR, PENTA, or a user profile that has been granted 'Authority administrator' rights to Product PSS (or *ALL) via PSMENU, option 70, option 1.
This example makes use of a Group Profile defined in SMS which does not require a corresponding *USRPRF object.
This example also makes use of an Authorization List defined in SMS which does not require a corresponding *AUTL object.
Function key conventions throughout this document:
F3 = Exit
F8 = Add
F12 = Previous
1. To access the SMS menu, starting from PSMENU, select:
a. opt. 2 PSSecure
b. opt. 1 Secure Menuing System
2. Identify the menu ID (upper left corner) and menu option numbers to authorize. Select:
a. opt. 5 Reports Menu
b. opt. 3 Function & Menu Reports
c. opt. 6 Options by Menu
d. Press F12 until you return to Menu & Security Main Menu.
You will refer to this report in a subsequent step. The report job name is RPT120, the spooled file name is MSMR120P, and the User Data (USRDTA) is MSMR120.
3. Create a Group Profile in SMS. Select:
a. opt. 3 User Security & Administration
b. opt. 1 Work With Users
c. Select user *DEFAULT with option 3 (=Copy).
d. In the dialog box "Copy/Delete User Authority", specify a value for New User code (such as SYSOPRGRP), press Enter.
4. Associate User Profiles with Group Profile:
a. On screen MSMB300 (Work With Users), select (with option 1) a user profile to associate with the Group Profile created earlier.
b. Specify the Group Profile, press Enter (watch out for Special Authority = *YES).
c. Press F12.
5. Create an Authorization List in SMS. Select:
a. opt. 2 Work With Auth Lists
b. Press F8.
c. Specify a value for Auth List Code (such as "PSASAR" for PSAudit System Auditing and Reporting), press Enter.
d. Specify a value for Auth List Descr ("PSAudit/SAR") and *NO for Public Authority, press Enter.
e. On screen MSTM261 (Authorization List Update), add the Group Profile created earlier to the Authorization List and specify *YES under the 'Func Aut' column for each user. F9 (=Window) can be used to select from a list of SMS Group Profiles and User Profiles.
f. Press Enter.
g. Press F3.
h. Press F12 until you return to Menu & Security Main Menu.
6. Select the Application Code you want to work with. Select:
a. opt. 6 Select Other Application
b. Select the desired Application Code (such as "PA" for PSAudit).
7. Specify an Authorization List for the desired Function Codes (options). Select:
a. opt. 2 Function/Options Menu
b. opt. 1 Work With Cmds & Programs
c. Scroll or position to desired Function Code (option). Refer to report Options by Menu (MSRP120).
d. Use option 1 (=Select) next to one Function Code (option) to authorize, press Enter.
e. Specify a value for Auth List Code (created earlier), press Enter.
f. Repeat previous two steps as necessary for each option to authorize.
g. When finished, press F12.
8. Specify an Authorization List for the desired Function Codes (menus). Select:
a. opt. 2 Work With Menus
b. Scroll or position to desired Function Code (option).
c. Use option 1 (=Select) next to one Function Code (menu) to authorize, press Enter.
d. Specify *YES for Check Authority (*YES is the shipped default for menus) and also a value for Auth List Code (created earlier), press Enter, then F12 twice.
e. Repeat previous two steps as necessary for each menu to authorize. You should authorize each menu in the chain leading to the authorized options. The report from step 2 can help identify the menu chain.
f. When finished, press F12.
g. Press F12 to return to Menu & Security Main Menu.
9. Change Application to check for authority. Select:
a. opt. 1 Applications Menu
b. opt. 3 Update Application
c. Specify *NO for 'Display Non-Auth'.
d. Specify *YES for 'Check Authority'.
Similarly, you may want to create other SMS authorization lists and group profiles and change other SMS Applications, such as PS and PD, to specify the authorization list, *NO for 'Display Non-Auth', and *YES for 'Check Authority'.