Record operations performed during the day. If a purge is performed, log which purge, pertinent dates and perhaps how long the purge took.

Record questions and answers about system operations: who asked about what, the information you gathered and the ultimate answer. If you worked with someone at MaddenCo, record who it was. If you have the support tracking number, enter it. System messages and solutions can be logged. Again, it is very important to put these notes in the Operator Manual to locate them again easily.

Program error messages and their corrections should be logged.

Clip print keys and other papers to that day’s page to find them quickly or use any way that will help to keep your documents together.

Security

Overview

The AS/400 has five levels of security available. These are numbered 10 thru 50, with increased security as the levels increase: level 10 has no security at all, level 50 is so secure you may not be able to use the system yourself.

We ship the system at security level 20, which is PASSWORD ONLY. We believe this level, along with the following suggestions, provides sufficient security for most of our clients. If, after implementing these suggestions, you think you still need a more secure system, we can recommend a good book that discusses level 30 security. The authors of this book might be able to advise you on level 50, if you believe you need more security.

All levels of security (except level 10) use a password to grant access to the system. If passwords are common knowledge, you might as well set your security level back to level 10. Later we will discuss ways to help keep passwords secret.

Central to setting up a secure system are passwords and authorities stored in user’s profiles, system values, assigned menus and access control records for every Tire Dealer System module. We feel these features will make your system reasonably secure.

User Profiles

In an earlier section of this manual, we discussed creating user profiles (or user ids). Below are some suggestions for additional user profile changes to secure your system.

To access a particular user profile, enter CHGUSRPRF user id and press F4. Enter the user id you wish to change and press enter.

Notice that our user Bud will be signing onto a custom menu by way of the Initial program to call parameter value of PSTARTUP. Also notice that Bud’s Initial Menu has been set to *Signoff. If he attempts to leave his assigned menu, he will be signed off the system.

We can further restrict Bud’s ability to access other menus by changing some additional parameters.

Limit capabilities secures a user to a particular menu when signing on. Setting this parameter to *YES will allow the user to run only the options from the menu he is assigned to. The limit capabilities parameter has the following possible values: *NO, *PARTIAL and *YES. See the following table for how this affects the user:

                                                   *NO   *PARTIAL   *YES
User can change initial menu at sign on            yes   yes        no
User can change initial program at sign on         yes   no         no
User can change current library at sign on         yes   no         no
User can change attention program                  yes   no         no
User can enter OS400 commands on command line      yes   yes        no

You can also limit the number of screens a user can be signed onto. Press F10 for additional parameters and roll the screen.

Change Limit device sessions to *yes to restrict the user to a single session.

System Values

IBM system values control different aspects of the operating system. They are accessed with the WRKSYSVAL command.

Some of the system values affecting security are:

QDSPSGNINF shows additional information at sign on. When this value is set to 1, information is displayed about the date and time this user was last signed on and the number of invalid sign on attempts since the last sign on. This is a good way to see if someone is fishing for passwords.

QMAXSGNACN tells the system what to do if someone is continuously attempting to sign on to your system with an invalid User id or password. We recommend you set this to 3 to disable the device they are trying to use and to disable the user profile.

QMAXSIGN is the number of failed sign on attempts allowed before the above disabling takes place. Be sure to allow a sufficient number of attempts to allow for Monday morning fumbling.

QLMTDEVSSN is the system wide default that determines if a user may be signed on to more than one terminal at a time. A more restrictive value for a particular user can be set on that user’s profile.

QPWDEXPITV specifies how often users must change their passwords. This can also be set in each user profile; however, we recommend this be set here. 30 to 90 days seems a reasonable time frame.

QPWDRQDDIF requires a changed password to actually be a different word. Set this value to 0 (the default).
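The same settings entered as CL commands rather than through the WRKSYSVAL screens. This is an added example, not part of the original manual; the QMAXSIGN count of 5 and the 60 day interval are assumed sample values chosen to fit the guidance above.

```cl
/* Added example: set the security system values described above.   */
/* Sign on as a security officer before changing them.              */

/* Show last sign-on date/time and invalid attempts at sign on.     */
CHGSYSVAL  SYSVAL(QDSPSGNINF) VALUE('1')

/* Failed sign-on attempts allowed. 5 is an assumed sample value;   */
/* pick a number that tolerates ordinary typing mistakes.           */
CHGSYSVAL  SYSVAL(QMAXSIGN) VALUE('5')

/* When QMAXSIGN is reached: 3 disables both the device and the     */
/* user profile.                                                    */
CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')

/* Password expiration interval in days. 60 is an assumed sample    */
/* value inside the 30 to 90 day range suggested above.             */
CHGSYSVAL  SYSVAL(QPWDEXPITV) VALUE('60')

/* Value given in this manual for QPWDRQDDIF.                       */
CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('0')

/* Review the system-wide device session default before deciding    */
/* whether individual profiles need a more restrictive setting.     */
DSPSYSVAL  SYSVAL(QLMTDEVSSN)

/* Print every security-related system value so the result can be   */
/* filed with that day's page in the Operator Manual.               */
WRKSYSVAL  SYSVAL(*SEC) OUTPUT(*PRINT)
```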

Custom Menus

When you sign onto the system, you are presented with a menu. From this menu you can run programs, go to other menus and usually enter system commands. The menu you see when you sign on is designated in your user profile. We typically set your menu to the Tire Dealer Start menu. From this menu you can go to any menu in our system; however, this might not be advisable for all the users on your system. We include a feature called User Menus with the system. This system allows you to create custom menus using a User Menus Maintenance function (located on the System Menu.)

We recommend you create a custom menu for each function in your company. For example, a different menu could be created for store salesmen, store managers, a credit manager and even one for your company’s president. Just put inquiries and reports on the president’s menu (you don’t want a president to input anything – it would probably be wrong.)

From within the User Menus Maintenance, you can assign each person to a particular menu. At sign on, the user’s profile will point to this customized Menu System entry to locate the proper menu to display.

Details on setting up custom menus can be found in the User Menu manual.

Access control records

The System Menu contains a security feature called Store Access. Each user id must be specifically granted access to individual Tire Dealer System modules at each store in order to use that portion of the programs at a particular location.

Additionally, each Tire Dealer System module adds its own level of security thru the use of ACCESS keys. These keys are set up for individual user ids and contain entries for various functions that can be permitted or denied. Further restrictions can be added with the ACCESEXP key. If this Tire System control record is answered with a Y, individual features must be explicitly allowed on a valid ACCESS key or no processing is allowed for that particular user.

See the earlier section on ACCESS for more details.

Operations Window

Users in any Tire Dealer System module can access a pop up menu allowing them to perform simple system functions like reviewing print queues and checking for messages. See the Operations Window section for ways to limit the options offered to specific users on this window.

When Someone Leaves the Company

When an employee leaves the company, you should curtail their access to the system immediately. Your first thought may be to delete their user profile altogether, which will certainly eliminate their use of the system. However, through their day-to-day use of the system their user id has probably created objects (files or spooled reports), which they now ‘own’. You cannot easily delete a user profile if it owns objects. So, instead of deleting the user profile, merely set it to disabled. Use the Status parameter in user profile maintenance (WRKUSRPRF) to change the user’s status to *disabled. See the section on User Profiles for more details on working with user profiles.

Allowing Access to the System for an Outside User

You may want to allow certain people to have very limited access to your system. These limited users may not even work for your company. For example, we have a program that allows your customers to input their own orders into our Order Entry System. (See the Order Entry Module help section on Limited Order Entry for more on setting this up.)

By using the Initial program to call and the Initial menu parameters on a user’s profile, you could create a profile for one of these customers that would execute the Limited Order Entry program as soon as they sign on, then sign them off when they end this program. These users would have no other access to your system.

See the section on User Profiles for help creating a new user profile. For our example we would set:

Initial program to call . . . . PTPSLOEW
Initial menu  . . . . . . . . . *SIGNOFF
Limit capabilities  . . . . . . *YES

At this point, we need to press F10 and roll the screen twice to set Attention program to *NONE.

Remember to grant this new user Access and authority to execute this program. See the section on Access for more details.
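The profile described above, created with one command instead of the prompt screens. This is an added example, not part of the original manual; the profile name CUSTORD1, the password and the text description are hypothetical placeholders.

```cl
/* Added example: profile for an outside customer who may only run  */
/* Limited Order Entry. CUSTORD1 and CHANGEME1 are placeholders.    */
CRTUSRPRF  USRPRF(CUSTORD1) +
             PASSWORD(CHANGEME1) /* placeholder, replace it       */ +
             INLPGM(PTPSLOEW)    /* Initial program to call       */ +
             INLMNU(*SIGNOFF)    /* signed off when program ends  */ +
             LMTCPB(*YES)        /* Limit capabilities            */ +
             ATNPGM(*NONE)       /* Attention program             */ +
             LMTDEVSSN(*YES)     /* Limit device sessions         */ +
             TEXT('Outside customer - Limited Order Entry')

/* The same restrictions applied to a profile that already exists.  */
CHGUSRPRF  USRPRF(CUSTORD1) INLPGM(PTPSLOEW) INLMNU(*SIGNOFF) +
             LMTCPB(*YES) ATNPGM(*NONE) LMTDEVSSN(*YES)

/* Confirm the values that were stored on the profile.              */
DSPUSRPRF  USRPRF(CUSTORD1)
```

The Store Access and ACCESS key entries for this user are still set up inside the Tire Dealer System itself; these commands only cover the user profile.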

Final Suggestions

Securing your system is mostly common sense, but here are some reminders, anyway.

All system supplied profiles should have their passwords changed as soon as possible. When the system is shipped, the passwords are set to the user profile name for QSECOFR, QSYSOPR, QUSER, QSRV and QPGMR. Everyone in the business (computer business, that is) knows these passwords, so change them. While you’re at it, set these new passwords so they won’t expire (Set password to expire parameter on the user profile screen.) Don’t forget to record the new passwords and store them in a secure place.

Disable user profiles for employees that leave the company. Do it immediately or you may forget. If someone with security administrator authority leaves, be sure to change the passwords for the system supplied profiles (QSECOFR, QSYSOPR, etc.) Again, store the new passwords in a secure place.

Do NOT use the QSECOFR profile as a regular sign on id.

Set up more than one user profile with *SECADM authority. If you are on vacation, someone else may need this authority.

Do NOT leave your terminal signed on when you are away from your work area – EVER. Do NOT disclose your password. Do not write it down on a sticky note stuck to your terminal. Do not use your workstation record and play keys for signing on.

Set passwords to expire. This will remind users to keep the system secure. Typically, when you start up a system, passwords are ‘fun’ to tell each other. This will fade and by forcing a change, the passwords will no longer be common knowledge.
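The reminders above, together with the earlier section on employees who leave the company, as CL commands. This is an added example, not part of the original manual; the profile names JSMITH and SECADM2 and every password shown are hypothetical placeholders.

```cl
/* Added example. JSMITH, SECADM2 and all passwords shown are       */
/* placeholders, not values from this manual.                       */

/* Report every profile whose password is still the same as its     */
/* profile name. ACTION(*NONE) only prints the list and changes     */
/* nothing.                                                         */
ANZDFTPWD  ACTION(*NONE)

/* Give a system-supplied profile a new password that does not      */
/* expire. Repeat for QSECOFR, QUSER, QSRV and QPGMR, each with its */
/* own password.                                                    */
CHGUSRPRF  USRPRF(QSYSOPR) PASSWORD(NEWPWD01) +
             PWDEXP(*NO) PWDEXPITV(*NOMAX)

/* Employee has left: list the objects the profile owns, then       */
/* disable the profile instead of deleting it.                      */
DSPUSRPRF  USRPRF(JSMITH) TYPE(*OBJOWN)
CHGUSRPRF  USRPRF(JSMITH) STATUS(*DISABLED)

/* Second security administrator so that QSECOFR is not needed as   */
/* a regular sign on id. PWDEXP(*YES) forces a password change at   */
/* first sign on.                                                   */
CRTUSRPRF  USRPRF(SECADM2) PASSWORD(CHANGEME2) PWDEXP(*YES) +
             USRCLS(*SECADM) +
             TEXT('Backup security administrator')
```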
