Authority Rules
To set Authority on Demand rules, select 1. Authority on Demand Rules from the main menu. The Work with Authority Rules screen appears.
```
AOD-Admin JOE            Work with Authority Rules                 RLDEV

Type options, press Enter.
  1=Select   3=Copy   4=Remove   5=Display       Position to . . .
  X=Select for Export                            Subset  . . . . .

Opt Provider   Requester  System  Auth.by
    *TRACE     AA100      *ALL    Trace    qwqew
    *TRACE     AA200      *ALL    Trace    wrwr
    *TRACE     EVGTST     *ALL    Trace    test
    *TRACE     VICTOR     *ALL    Trace    self trace test
    ALEX3      LOWUSR     *ALL    Swap     aaaaa
    ALEX3      TEST       *ALL    GlbSpc   test
    AV         QSECOFR    *ALL    Swap     test
    EVGPRVD    *ANY       *ALL    Add      WEWRWR
    EVGPRVD    EVGTST     *ALL    Swap     Evgeny test
    EVGPRVD    LOUSRRX    *ALL    GlbSpc   Low user for 26 min only
    FRANCE     *ANY       *ALL    Add      Check mail to French provider
    FRANCE     OD         *ALL    Add      asd
                                                               More...
You can define regular or Emergency rules.
Rules that require Approval displayed in column 'Auth.by' in white.

F3=Exit   F6=Add New   F7=Add Emergency   F8=Print   F12=Cancel
```
The body of the screen contains a line for each existing rule. Each line contains the following fields:
Provider
The username providing the expanded authority. For a rule that only traces activity rather than changing authority, set this to *TRACE.
Requester
The username requesting the expanded authority. To make the rule available to anyone, set this to *ANY.
System
The system on which this rule can be run. To allow it to run on any system, set this to *ANY.
Auth by
How authority is provided, as shown in more detail for the Provide Authority by field on the Add Authority Rules screen, shown below. The values shown here correspond to values in that field:
- Add: Add authority
- GlbSpc: Add *SPCAUT globally
- Swap: Swap profile
- Trace: Trace activity but do not change authority
- AddSpc: Add *SPCAUT by session
(Unlabeled: Description)
A free-form description of the rule.
To copy a rule, see Copying Authority Rules.
To export a rule, see Exporting Authority Rules.
To add a rule, press the F6 key. The Add Authority Rules screen appears.
To add an emergency rule, press the F7 key. The Add Authority Rules screen appears with a red banner saying *Emergency Use Only*. Only user profiles with emergency operator authority (as shown in Operators) are allowed to change emergency rules.
To modify a rule, enter 1 in the Opt field for that rule. The Modify Authority Rules screen appears, which is effectively the same as the Add Authority Rules screen.
```
Screen 1/3                 Add Authority Rules

Requester / *ANY . . .  *ANY        If GrpPrf: Accept for its members  Y  Y=Yes
Provider / *TRACE  . .  *TRACE
System . . . . . . . .  *ALL        Name, *ALL
Rule description . . .  Title of Rule
Number of uses left  .  90          0-98, 99=*NOMAX

Real-Time Approval
Request from . . . . .              UsrPrf/GrpPrf, *SECADM, *AOD-ADMIN

Authentication
Authenticate user by .  0           0=No, 1=Pin Code, 2=MFA, 3=Both
Pin code.               MFA Type.   1=Cell, 2=Email, 3=Both

Perform                             By Session       Globally
Provide authority by .  1           1=Add authority  2=Swap profile
                                    3=Add *SPCAUT    9=Add *SPCAUT
                                    4=Trace
                                                               More...
F3=Exit   F4=Prompt   F12=Cancel
```

```
Screen 2/3                 Add Authority Rules

Restrictions                 N=Not
  Time group (week schedule)
  IP Address . . . . . . . .              Subnet mask:
Maximum work time  . . . .   30           Minutes, 0=*NOMAX
Allow next use after . . .   0            Minutes, 0=Allow consecutive uses
Rule becomes active on . .   1/01/01  0:00
Usage is permitted until .   31/12/99 23:59

Inform activity
  E-mail (mail,mail...)  . . *PROVIDER
  Message Queue  . . . . . . *PROVIDER    MSGQ name-library
                                                               More...
F3=Exit   F4=Prompt   F12=Cancel
```

```
Screen 3/3                 Add Authority Rules

Intention of Rule
Reference ID . .  001
Reason . . . . .  Signon
                                                               Bottom
During authority change, user auditing is maximized, Capture is started
and SYSLOG message is sent (based on product configuration).

F3=Exit   F12=Cancel
```
The body of the screen includes these fields:
Screen 1/3
Requester / *ANY
The profile of the user who requested the authorization or *ANY. This field is mandatory.
Provider / *TRACE
Type the name of the authority Provider, or press F4 to obtain a list of users for selection. For a rule that only traces activity rather than changing authority, set this to *TRACE. This field is mandatory.
System
The name of a specific system for which this rule will be valid. To make the rule valid for all systems in your organization, set this to *ALL.
Rule Description
A meaningful description of the request for this temporary authorization. This field is mandatory.
Number of uses left
The number of times that this rule can be used. Valid values are from 0 to 98. Set the field to 99 to indicate that there is no maximum.
Real-Time Approval
Request from
The user who approved the request. Possible values include the User or Group profile, *SECADM, and *AOD-ADMIN.
Authentication
Authenticate user by
How to authenticate the user. Possible values include:
- 0 = None
- 1 = PIN Code (as entered below)
- 2 = MFA (as specified below)
- 3 = Both PIN Code and MFA
PIN Code
An added security passcode, a minimum of five digits long.
MFA Type
How the code is sent for Multi-Factor Authentication. Possible values include:
- 1 = Call
- 2 = Email
- 3 = Both Call and Email
Perform
How to add authority
Provide authority by
- 1: Add authority: Adds the Provider’s authorities in addition to the Requester’s existing authorities.
  - Current user: Requester
  - Object Authorities: Added
  - *SPCAUT: Added
  - *USRCLS: No change. (Operating system constraints do not allow for changes to *USRCLS.)
  - LMTCPB(): No change. (Operating system constraints do not allow for changes to LMTCPB.)
  - NOTE: Selecting this option gives the Requester the authorities of the Provider in addition to their existing authority. The original Requester user profile is kept and appears in records and logs.
  - NOTE: The Requester cannot be a group profile and the Provider cannot be a member of a group profile.
- 2: Swap profile: Replaces the Requester’s authorities with the Provider’s authorities.
  - Current user: Provider
  - Object Authorities: Provider
  - *SPCAUT: Provider
  - *USRCLS: Provider
  - LMTCPB(): Provider
  - NOTE: Selecting this option also swaps the user name in the records and logs.
- 3: Add *SPCAUT by session: Adds the Provider’s *SPCAUT authorities only to the Requester’s existing authorities. You cannot use this option with SBMJOB.
  - Current user: Requester
  - Object Authorities: No change.
  - *SPCAUT: Added
  - *USRCLS: No change. (Operating system constraints do not allow for changes to *USRCLS.)
  - LMTCPB(): No change. (Operating system constraints do not allow for changes to LMTCPB.)
  - NOTE: The Requester cannot be a group profile and the Provider cannot be a member of a group profile.
- 4: Trace: Trace activity without changing authority.
- 9: Add *SPCAUT globally: Globally adds the Provider’s *SPCAUT authorities only to the Requester’s existing authorities. You cannot use this option with SBMJOB.
  - Current user: Requester
  - Object Authorities: Added
  - *SPCAUT: Added
  - *USRCLS: Provider
  - LMTCPB(): Provider
Screen 2/3
Restrictions
These sub-fields restrict the Time Group and IP address range for which the authority rule is valid. If the first, single-character sub-field is set to N, the selection is negated: the rule applies to everything except for the specified values.
Time Group
A named Time Group (as shown in Time Groups)
IP Address / Subnet mask
An IP address range within which the rule is in effect. Press F4 for a list of known IP address ranges.
Maximum work time
The maximum number of minutes for which the rule can be used without re-authorization. If set to 0, there is no maximum.
Allow next use after
The number of minutes that must elapse between uses of the rule. If set to 0, the rule can be used again immediately.
Rule becomes active on
A date and time, in DD/MM/YY and HH:MM format, respectively, at which the rule becomes effective.
Usage is permitted until
A date and time, in DD/MM/YY and HH:MM format, respectively, at which the rule becomes ineffective.
Inform activity
Destinations to inform when the rule is used.
E-mail (mail, mail)
Email addresses to be notified, separated by commas.
Message Queue
The name and library of a MSGQ. The default is the *PROVIDER MSGQ.
Screen 3/3
Intention of Rule
Reference ID
A unique, official ID referring to this rule. This field is mandatory.
Reason
A meaningful description of the rule. This field is mandatory.
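
A review pass over rule definitions that uses the fields described above, as an added example that is not part of the product or its documentation. The dict layout, the profile names SECPRV and OPER1, and the choice of which settings count as findings are assumptions of this example.

```python
# Added example: the review policy is an assumption, not product behaviour.
# Keys mirror the Add Authority Rules fields; the dict layout is constructed.
AUTH_BY = {1: "Add authority", 2: "Swap profile", 3: "Add *SPCAUT by session",
           4: "Trace", 9: "Add *SPCAUT globally"}

SAMPLE_RULES = [  # constructed sample rules, hypothetical profile names
    {"requester": "*ANY", "provider": "SECPRV", "provide_authority_by": 2,
     "authenticate_by": 0, "approval_from": "", "uses_left": 99, "max_work_minutes": 0},
    {"requester": "OPER1", "provider": "SECPRV", "provide_authority_by": 3,
     "authenticate_by": 3, "pin_code": "48213", "approval_from": "*SECADM",
     "uses_left": 5, "max_work_minutes": 30},
    {"requester": "OPER1", "provider": "*TRACE", "provide_authority_by": 4,
     "authenticate_by": 0, "approval_from": "", "uses_left": 99, "max_work_minutes": 0},
]

def review_rule(rule):
    """Return the list of review findings for one rule definition."""
    findings = []
    mode = rule["provide_authority_by"]
    if mode not in AUTH_BY:
        return [f"unknown Provide authority by value {mode!r}"]
    if mode == 4 or rule["provider"] == "*TRACE":
        return findings  # trace-only rules do not change authority
    if rule["requester"] == "*ANY":
        findings.append("Requester is *ANY: any user can obtain the Provider's authority")
    auth = rule["authenticate_by"]
    if auth == 0:
        findings.append("Authenticate user by is 0: no PIN code or MFA")
    if auth in (1, 3):
        pin = rule.get("pin_code", "")
        if not (pin.isdigit() and len(pin) >= 5):
            findings.append("PIN code is not at least five digits")
    if not rule.get("approval_from"):
        findings.append("no Real-Time Approval profile set")
    if rule["uses_left"] == 99:
        findings.append("Number of uses left is 99 (*NOMAX)")
    if rule["max_work_minutes"] == 0:
        findings.append("Maximum work time is 0 (*NOMAX)")
    if mode == 2:
        findings.append("Swap profile: records and logs show the Provider's user name")
    return findings

def review_all(rules):
    return {f'{r["requester"]}->{r["provider"]}': review_rule(r) for r in rules}

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_RULES).items():
        print(name, findings or "no findings")
```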
