User Profile Considerations

The security of your system may be strengthened by making some changes to the user profiles configured to run from the Webulator/400 product. Depending upon your system's security requirements, these changes may apply system-wide.

Specify "*NONE" for ATNPGM user profile parameter
The ATNPGM user profile parameter specifies the attention key handling program for this user. The attention key handling program is a program that is started when the attention key is pressed. If not properly configured, this program may allow the user to get outside the realm of the initial sign on program specified for the user. If *SYSVAL is specified for this parameter, the attention key handling program set up for all users on the system will be available to the user running through Webulator/400. By specifying *NONE for this parameter using the CHGUSRPRF command, the attention key is disabled for this user. Another way to disable this function is within the Webulator/400 button configuration. However, by doing it through the user profile you are disabling the attention key for the user no matter which URL the user obtains access through.

Revoke authority to SYSREQ (QSYS/QGMNSYSR)
If the user can invoke the system request (SYSREQ) menu, they can carry out requests that, from a security point of view, you may not want them to perform. For example, they would be able to sign off, which would present them with a sign on screen. If you have configured this user profile name to be an auto sign on URL, you may not want the user to be able to get to a sign on screen, where they could guess at user IDs and passwords. They would also be able to view the system operator's messages or send messages to other users on the system (which, if nothing else, may be an annoyance). To revoke the authority to the system request menu, change the authority on the QSYS/QGMNSYSR object.

Set the user profile's limit capabilities (LMTCPB) user profile parameter
The user profile's limit capabilities parameter allows or disallows the user's ability to enter commands and change the initial menu, initial program, or current library during sign on. LMTCPB can be set to one of three values: *NO, *PARTIAL, or *YES. *YES is the most limiting and *NO is not at all limiting.

Set the expiration date in the user profile to *NOMAX
When setting password expiration times, keep in mind that the AS/400 allows the user to change their password when the expiration time is drawing near (7 days before expiration). For Webulator/400 users who will be using automatic sign on or user authentication sign on, it is best to handle password expiration in one of the following ways:
  1. Set the password for the user profile of the user to never expire. This can be done using the PWDEXPITV(*NOMAX) parameter on the CHGUSRPRF or CRTUSRPRF commands.
  2. Manually change the password for the user prior to the expiration time warning period.
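
The four settings above, applied to one profile in a single CL program. This is an added example, not code from the Webulator/400 documentation. The program name HARDENWEB and the sample profile WEBUSER are hypothetical, LMTCPB(*YES) is the example's choice, and it assumes that QGMNSYSR is a panel group (*PNLGRP) and that a private *EXCLUDE authority is an acceptable way to remove access for this one user.

```cl
/* Added example. HARDENWEB and WEBUSER are hypothetical names.          */
/* Example call:  CALL PGM(HARDENWEB) PARM('WEBUSER')                    */
PGM        PARM(&USER)
DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

/* Any CPF escape message stops the run instead of continuing half done. */
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

/* ATNPGM(*NONE): attention key disabled for this user on every URL.     */
/* LMTCPB(*YES): most limiting value (assumed choice for this example).  */
/* PWDEXPITV(*NOMAX): password never expires, so no expiry prompt        */
/* appears during automatic sign on.                                     */
CHGUSRPRF  USRPRF(&USER) ATNPGM(*NONE) LMTCPB(*YES) PWDEXPITV(*NOMAX)

/* Block the system request menu for this profile only. A private        */
/* *EXCLUDE authority takes precedence over *PUBLIC authority, so other  */
/* users keep SYSREQ. Profiles with *ALLOBJ special authority are not    */
/* affected by this setting.                                             */
GRTOBJAUT  OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) USER(&USER) +
             AUT(*EXCLUDE)

/* Print the results to spooled output so the change can be reviewed.    */
DSPUSRPRF  USRPRF(&USER) TYPE(*BASIC) OUTPUT(*PRINT)
DSPOBJAUT  OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) OUTPUT(*PRINT)
RETURN

FAILED:
SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
             MSGDTA('Profile hardening failed for' *BCAT &USER) +
             MSGTYPE(*ESCAPE)
ENDPGM
```

In the spooled DSPUSRPRF output, check the attention program, limit capabilities and password expiration interval values; in the DSPOBJAUT output, check that the profile is listed with *EXCLUDE.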