System Access Manager User Guide - Midlandinfosys


Assure Security System Access Manager User Guide Version 6.0

System Access Manager User Guide

Copyright 2019, 2022 Precisely. Information in this document is subject to change without notice and does not represent a commitment on the part of the vendor or its representatives. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, without the written permission of: Precisely, 1700 District Ave Ste 300, Burlington MA 01803-5230, USA.

TRADEMARKS
The following terms are names owned by International Business Machines Corporation in the United States, other countries, or both: IBM, ibm.com, AS/400, iSeries, System i, I5/OS, IBM Power System, IBM i, IBMi, OS/400, DB2, DB2 Connect, DB2 Universal Database, SP2, Service Pack, QRadar.
The following terms are names owned by Microsoft Corporation in the United States, other countries, or both: Microsoft, Windows.
Other names of companies, products or services are the property of their respective owners. See www.precisely.com for information about our valuable trademarks.

Getting technical support: Customers with a valid maintenance contract can get technical assistance via Support. There you will find product downloads and documentation for the products to which you are entitled, as well as an extensive knowledge base.

Version 6.0.24.00 Last Update: January 2022

Contents

Preface ... 6
Overview ... 8
The principles ... 8
The simulation mode ... 11
The decision process in detail ... 11
Concepts and Terminology ... 12
Supported IBM i exit points ... 17
Installation and license ... 18
Accessing the operating menu ... 18
The SAM commands ... 19
Warning and constraints ... 20
Using Assure System Access Manager with the standard or the advanced model ... 22
Restoring a SAM configuration model ... 22
An introduction to the standard model ... 23
More on the standard configuration model ... 24
Using the SAM points in the standard model ... 25
Controlled operations ... 25
Controlling access to the IFS ... 28
Controlling DFU access to files with the standard model ... 29
Controlling changes of system values using the standard model ... 29
Controlling access to critical spooled files ... 30
Controlling access to SHELL interpreter (commands STRQSH and QSH) ... 31
Using the standard model to control database queries ... 32
Three methods to control database queries ... 32
The point ODBC REQ ... 32
The database monitor and the DBMON point ... 33
The query governor and the QRYGOV point ... 34
Advantages and drawbacks of the different methods ... 35
Using ODBC REQ point to control remote SQL requests over ODBC/JDBC ... 35
Using DBMON or QRYGOV to control remote SQL requests over ODBC/JDBC ... 35
Controlling SQL database access from IBM i commands in 5250 sessions ... 37
Controlling DRDA SQL access to the database ... 39
Controlling QSH DB2 access to the database ... 40
Additional information ... 40
The TRS SQL condition list ... 40
IBM i 7.2: Restriction when using DBMON and the IBM i Central management server ... 42
The literals in logged SQL queries ... 42
Monitoring and controlling file open operations using point OPEN DBF ... 43
Follow up database access resource consumption ... 44

Assure System Access Manager operations in detail ... 45
Defining a configuration ... 45
Different approaches for setting access decision ... 45
Recommendations ... 45
A step by step approach for defining/adapting a point and associated controls ... 46
Working with SAM points ... 47
Point description and attributes ... 47
Accessing the list of points (WRKQXPNT) ... 48
Creating a point ... 50
Special instructions for *CMD points ... 51
Access the list of the supported IBM i exit point / Select an IBM exit point ... 52
Editing a point ... 52
Setting/removing the simulation mode ... 52
Setting up access decision at function level ... 53
Including the point in a point group ... 54
Specifying/accessing guidelines for a point ... 55
Changing the status of a point ... 55
The technical data ... 55
In case you cannot access a point ... 57
Working with controls ... 57
Accessing the list of controls (WRKQXCTL) ... 58
Additional information on the point list ... 58
Select controls to display ... 59
Control characteristics ... 59
Creating a control ... 60
Modifying a Control ... 61
Duplicating a control ... 62
Removing a control ... 62
Defining a selection ... 62
Defining an action ... 65
Working with point groups (WRKQXGPNT) ... 69
Access the point group list ... 70
Additional information displayed in the point group list ... 70
Creating a point group ... 70
Editing a point group ... 71
Displaying a point group ... 71
Displaying the list of controls associated with a point group ... 72
Removing a point group ... 72
Displaying log file entries ... 73
Choosing the display sequence ... 74
Available options on log entries ... 75
Displaying the log entry detail ... 75
Access and update the condition lists from the log display ... 77
Testing the System Access Manager configuration ... 83
Testing a point manually (CHKQXPNT) ... 83
Testing a point from log file entries ... 83

Using Assure Monitoring and Reporting to create SAM reports – the JRN action ... 85
An example of a query on the System Access Manager journal ... 87
Managing Assure System Access Manager ... 88
The administration menu ... 88
Managing the log file ... 88
Control the log file size using the command RUNQXCHK ... 89
Compress the log file (CPRQXLOGE) ... 89
Remove entries from the log file (RMVQXLOGE) ... 91
Working with SAM values (WRKQXVAL) ... 93
The SAM values ... 93
Settings for DBMON and SQL statement log ... 95
Defining values for OPEN DBF point ... 95
Save/Restore/print SAM configurations ... 96
Record the current state of the exit points ... 96
Save the configuration (SAVQXCFG) ... 96
Restore a configuration (RSTQXCFG) ... 97
Start the exit points on the restored configuration ... 99
Managing the System Access Manager Data Queues ... 99
Configuring and using the Session Timeout Manager ... 100
Overview ... 100
Types of detected inactive sessions ... 100
Support for reauthenticating an inactive job ... 101
Requirements for using Session Timeout Manager ... 101
Authorization requirements ... 101
Optional integration with Assure Multifactor Authentication ... 102
Accessing the Session Timeout Manager menu ... 102
Configuring overview ... 102
Shipped rules for Session Timeout Manager ... 103
Configuring a rule ... 103
Environment changes for the *LCK Timeout action ... 106
Configuring global settings for the monitor ... 107
Starting the STM jobs ... 107
Ending the STM jobs ... 108
Displaying the held and locked jobs ... 108
Displaying the log of timed out events ... 109
Generating a report from the log ... 110
Cleaning up the STM log ... 115
Verifying the timeout event monitor job is running ... 116
Detailed information on supported exit points ... 117
SAM vocabulary ... 125
Generic vocabulary available for all points ... 125
Point specific vocabulary ... 126
The SAM models ... 129

Points ... 129
Controls ... 130
Condition lists ... 133
Implementing the model ... 134
Emergency procedures ... 135
Procedures ... 135
The special case of point QIBM QSO ACCEPT ... 135
Examples of SAM commands in the daily and monthly procedures ... 136
Daily procedure example ... 136
Monthly procedure example ... 137
Sending messages to a Syslog console with Assure System Access Manager ... 138
Configuration ... 138
Message format when sending Syslog messages as SAM action ... 138
Message format when using command SNDQXSYLOG directly ... 139
How does System Access Manager send mail ... 140
How does SNDQXMAIL work ... 140
Controlling Assure Security outgoing mail ... 141
Using RUNQXCHK to monitor objects ... 142
Defining the list of objects to monitor (command WRKQXCHK) ... 142
The initial list of objects to check ... 142

Preface
Assure System Access Manager (SAM) is a feature of Assure Security that controls access to the server. An electronic PDF version of this document is included in the Assure Security documentation available for download on the Precisely website. In addition to the information in this guide, online help is available using F1 in the SAM screens or command prompts.

Document objectives
The purpose of this document is to provide IBM i Information System specialists with the information needed to configure and use Assure System Access Manager.

Prerequisites for the reader
This document assumes that the reader has a proficient knowledge of the IBM i operating system environment together with a good understanding of IBM i security concepts. Knowledge of the Assure Monitoring and Reporting feature is also recommended, although not mandatory.

Who should use this document
This document is first intended for people involved in IBM i information systems and application management, responsible for access security and in charge of the configuration and use of the Assure System Access Manager feature.

How this document is organized
Chapter 1 is an introduction to Assure System Access Manager, its concepts and its architecture. It describes how this feature works to control access to the system. Chapters 2 and 3 present the use of the feature with the standard or the advanced configuration model: chapter 2 presents the model and the controls it offers, whereas chapter 3 is dedicated to the control of database access. Chapter 4 presents the main commands and functions in detail. Commands and functions from the administration menu are detailed in chapter 5. Chapter 6 describes the Assure Session Timeout Manager.

Note: This document uses the default names SECOPS and SECOPSEX for the Assure Security product library and the associated secondary library. Replace these names with the Assure Security library names on your system.

About the figures and screen copies in this document
Figures and screen shots are used throughout the document to help you understand and follow the function descriptions and the procedures. They are provided as examples only and might differ slightly from what you see on your system.

Overview
Assure System Access Manager is an easy-to-use feature of Assure Security that controls access to the server. It offers an additional level of security on top of the standard IBM i security and covers any kind of access, including:
- The exit points and the traditional access methods, such as FTP, ODBC, DDM, DRDA, NetServer, etc.
- The system and the user commands, whether they are issued from a 5250 session or remotely
- Jobs
- SQL instructions from the SQE engine
- Files invoked by the CQE engine
- Opening of files

The Assure System Access Manager feature detects access attempts to the system and determines whether to accept or refuse them, and whether to trigger actions and log the decision.

For Assure System Access Manager, the verb “Control” is used as when speaking about air traffic controllers, who control the planes and regulate the traffic. Assure System Access Manager does not only check or verify a situation or the result of actions; it regulates access to the system.

Using Assure System Access Manager, you can:
- Create and activate precise and relevant controls on access queries and commands;
- Define reusable conditions in the controls;
- Log the access decision and the actions resulting from the controls, thus allowing auditing and monitoring of its activity;
- Update/adjust the controls in real time without service outage.

IMPORTANT: Assure System Access Manager does not replace the standard IBM i security by any means. The security it offers applies upstream of the standard object-level security that IBM i provides. It can therefore block powerful profiles, such as those that have *ALLOBJ special authority.

The principles
The decision of Assure System Access Manager (SAM) to accept or refuse an access attempt that it detects is based on the definition of SAM points and controls. In Assure System Access Manager, the base concept is the point. A SAM point defines a category of events that System Access Manager can control through the IBM i exit point it is based on.
By configuring and activating points, you determine the scope of Assure System Access Manager, i.e. the list of events that Assure System Access Manager can control. For example, the point CHGSYSVAL controls the usage of the CHGSYSVAL command.

When an event occurs that corresponds to an activated point, Assure System Access Manager decides whether to accept the event or not, whether to log the event or not, and whether to launch action(s). These decisions are based on the point definition and on the definition of the controls associated with the point.

A SAM control can be considered as a rule. It includes:
- A selection, used to determine whether the control is applicable to the event
- An access decision, Accepted or Refused, to apply if the control is selected for the event
- A decision to log the event (Y or N) when the control is selected
- Optional actions to be launched when the control is selected

Assure System Access Manager makes the decisions to accept or refuse the event, log the event and launch actions based on the analysis of the controls associated with the point involved. It searches for the controls with a selection that matches the event details.
- If it finds one, the control's access decision and log decision apply, and the actions defined in the control are launched. See the next section for a detailed description of the control selection process, the decision process and the selection of actions to launch.
- If there is no control associated with the point, or no control with a selection corresponding to the event, then the access and log decisions defined at point level apply and the action defined in the point definition, if any, is launched. These are the default access decision, the default log decision and the default action.

The SAM points work like the IBM i exit points. Assure System Access Manager supports three types of points:
- The points associated with an IBM i exit point (see “Supported IBM i exit points” below), defined to control events received by IBM i host server and TCP server applications.
- The points defined for the control of commands. NOTE: Points defined for the control of commands are based on the IBM exit point QIBM QCA RTV COMMAND (RTVC0100) or QIBM QCA CHG COMMAND (CHGC0100).
- The database monitor (DBM) point, to analyze the access to files.

Configuring Assure System Access Manager consists in defining SAM points and controls:
- The point list determines the scope of Assure System Access Manager and the default access decision, log decision and action for the events controlled.
- The controls determine for which events the default access and log decisions do not apply, and which actions are launched in this case.

The decision/action engine of Assure System Access Manager is entirely based on the definition of points and controls. In the control definition, control selections are based on Assure Security condition lists, so that access controls can be adapted without modifying the decision engine: changing the Assure System Access Manager behavior for an event is done by modifying the content of the condition lists involved. Refer to the document Common Functions and Tools in Assure Security for details on the Assure Security condition lists.

The figure below shows how Assure System Access Manager uses the different elements of its configuration to control access to the system.

The Assure System Access Manager decision center is made up of the SAM log and the condition lists: the Assure System Access Manager administrator looks at the SAM log screen to follow the Assure System Access Manager activity, access the details of the logged and refused access attempts, and, where needed, adapt the Assure System Access Manager behavior to specific events by adding/removing entries in condition lists.

Example
In a configuration based on the standard model for Assure System Access Manager, any FTP access to DB2 files is refused by default; these accesses are logged as refused (FTP REQ point definition). If PETER attempts to access the DB2 file MYLIB/CUSTOMER using FTP, his attempt is refused and logged. If an entry corresponding to this FTP access is added to the condition list ACC DB2, the next time PETER tries to access MYLIB/CUSTOMER using FTP, the access will be accepted and won't be logged.

The simulation mode
The Assure System Access Manager decision to refuse an access attempt to the system can be “simulated”. With the simulation mode, the access attempt appears in the log file as refused (simulation), but the operation is not really blocked. The use of the simulation mode is defined at SAM point level, i.e. per event category. Using the simulation mode allows building access control rules without impacting the end users.

Example
In a configuration based on the standard model, the point FTP REQ is configured in simulation mode by default. If MARY attempts to get the DB2 file MYLIB/INVOICE using FTP, the read access attempt to the file MYLIB/INVOICE is logged as “refused” if it does not correspond to any entry in the ACC DB2 condition list (see the previous example). The SAM administrator sees the operation in the log file as “refused (simulation)”. However, Assure System Access Manager has not blocked the operation and MARY can get the file MYLIB/INVOICE successfully. The refuse decision in the log file is for simulation only. If an entry corresponding to this FTP access is added to the condition list ACC DB2, the next time MARY tries to get the file MYLIB/INVOICE using FTP, the operation will be accepted and won't be logged. This won't change anything for MARY, but the SAM administrator will no longer see the corresponding operation as a refused operation in the SAM log.
The decision process in detail
The Assure System Access Manager decision process is based on the decision defined in the point and in the controls associated with the point. There are two different types of controls:
- Controls with an access decision, which are defined to contribute to the decision process
- Controls without a decision defined; these controls are used to launch actions and/or log the event when selected for an event

When an event triggers a SAM point, the controls associated with the point are analyzed to determine the access decision and the log decision, and to launch actions if any.
1. In a first stage, the controls with an access decision are analyzed in control priority order, controls with the lower priority being analyzed first.
a) For a given priority level, System Access Manager looks for the controls with a selection that corresponds to the event; if it does not find any, it analyzes the controls with the next priority.

b) If at least one control is selected, there are three different possibilities:
i. Only one control has been selected: the access decision and the log decision defined in the control apply, and System Access Manager launches the action(s) defined in the control.
ii. Several controls are selected and at least one of the selected controls has a “refused” access decision: the access decision is “Refused”, and System Access Manager launches the actions and logs the event as defined in the first control found with a “refused” decision.
iii. Several controls are selected and they all have an “accepted” access decision: the access decision is “Accepted”, and System Access Manager launches the action(s) and logs the event as defined in the last selected control.
c) Finally, if no control
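The priority, selection, refused-wins and simulation rules of this section, together with the ACC DB2 condition-list example above, as an added Python model; this is not Precisely's code, and the shape of the ACC DB2 entries, the MYLIB/PAYROLL control and the SYSLOG action name are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed model of the SAM decision process (not Precisely's code).
@dataclass
class Event:
    point: str       # SAM point the event triggers, e.g. "FTP REQ"
    user: str
    obj: str         # object involved, e.g. "MYLIB/CUSTOMER"
    operation: str   # e.g. "GET"

@dataclass
class Control:
    priority: int                       # lower value is analyzed first
    selection: Callable[[Event], bool]  # True when the control applies to the event
    decision: Optional[str]             # "ACCEPTED", "REFUSED" or None (log/action-only)
    log: bool
    actions: List[str] = field(default_factory=list)

@dataclass
class Point:
    name: str
    default_decision: str
    default_log: bool
    default_actions: List[str] = field(default_factory=list)
    simulation: bool = False
    controls: List[Control] = field(default_factory=list)

@dataclass
class Outcome:
    decision: str      # what SAM decided
    blocked: bool      # whether the operation was really stopped
    logged: bool
    log_status: str    # how the entry appears in the SAM log
    actions: List[str]

def decide(point: Point, event: Event) -> Outcome:
    """Stage 1: controls carrying an access decision, analyzed in priority order."""
    deciding = [c for c in point.controls if c.decision is not None]
    for prio in sorted({c.priority for c in deciding}):
        selected = [c for c in deciding if c.priority == prio and c.selection(event)]
        if not selected:
            continue  # nothing matched at this level: analyze the next priority
        refused = [c for c in selected if c.decision == "REFUSED"]
        # Any refused control wins and the first one found supplies log/actions;
        # if every selected control accepts, the last selected control does.
        winner = refused[0] if refused else selected[-1]
        return _outcome(point, winner.decision, winner.log, winner.actions)
    # No control selected: the point's default decision, log decision and action apply.
    return _outcome(point, point.default_decision, point.default_log, point.default_actions)

def _outcome(point: Point, decision: str, log: bool, actions: List[str]) -> Outcome:
    if decision == "REFUSED" and point.simulation:
        # Simulation mode: logged as refused, but the operation is not blocked.
        return Outcome("REFUSED", False, log, "refused (simulation)", list(actions))
    return Outcome(decision, decision == "REFUSED", log, decision.lower(), list(actions))

# Constructed condition list ACC DB2: (user, file) pairs allowed to reach DB2 files by FTP.
# Editing this set changes SAM's behavior without touching the decision engine.
ACC_DB2: set = set()

def ftp_req_point(simulation: bool) -> Point:
    """FTP REQ as in the standard model: refused and logged unless ACC DB2 allows it."""
    allow = Control(10, lambda e: (e.user, e.obj) in ACC_DB2, "ACCEPTED", log=False)
    # Constructed extra control at the same priority: always refuse GET of MYLIB/PAYROLL
    # and raise a syslog action, so a refusal outranks an ACC DB2 entry for that file.
    deny = Control(10, lambda e: e.obj == "MYLIB/PAYROLL" and e.operation == "GET",
                   "REFUSED", log=True, actions=["SYSLOG"])
    return Point("FTP REQ", "REFUSED", True, simulation=simulation, controls=[allow, deny])
```

Call decide(ftp_req_point(True), Event("FTP REQ", "MARY", "MYLIB/INVOICE", "GET")) to see the "refused (simulation)" log entry with blocked=False; add ("MARY", "MYLIB/INVOICE") to ACC_DB2 and the same call returns ACCEPTED with logged=False.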

