Restricting privileged users to specific devices and limiting sign-on attempts

The sign-on system values are used both to restrict the devices to which a user can sign on and to define the number of system sign-on attempts allowed.

Restricting privileged users to specific devices

The IBM® i licensed program uses the sign-on system values to restrict or limit the devices to which a user can sign on. The restriction applies to users with all object (*ALLOBJ) and service (*SERVICE) special authority. All object special authority (*ALLOBJ) allows the user to access any of the resources on the system. Service special authority (*SERVICE) allows the user to perform specific service functions on the system; for example, a user with this authority can debug a program and perform display and alter service functions. To set these values using System i® Navigator, follow these steps:

  1. Select your system > Network > Servers > TCP/IP.
  2. In the right pane, right-click Telnet and select Properties.
  3. On the Telnet Properties - System Sign-On page, select the following options:
    • Restrict privileged users to specific devices. This selection indicates that all users with all object (*ALLOBJ) and service (*SERVICE) special authority need explicit authority to specific workstations.
    • Limit each user to one device session. This selection indicates that a user can sign on only at one workstation. It does not prevent the user from using group jobs or making a system request at the workstation. Limiting each user to one session reduces the likelihood of sharing passwords and leaving devices unattended.

Limiting sign-on attempts

Use the sign-on system values to define the number of system sign-on attempts allowed. The number of Telnet sign-on attempts allowed increases if you have virtual devices automatically configured. To set these values, follow these steps:

  1. In System i Navigator, select your system > Network > Servers > TCP/IP.
  2. In the right pane, right-click Telnet and select Properties.
  3. On the Telnet Properties page, click the System Sign-On tab.
  4. On the Telnet Properties - System Sign-On page, you can specify the number of sign-on attempts allowed and the action to take if the maximum number of sign-on attempts is reached.
  5. Click the Remote tab.
  6. On the Telnet Properties - Remote Sign-On page, select an option for Use Telnet for remote sign-on. The options are:
    • Always display sign-on - All remote sign-on sessions are required to go through normal sign-on processing.
    • Allow sign-on to be bypassed - The system allows the user to bypass the sign-on panel. The user is still signed on to the system, but the sign-on panel is not displayed.
    Note: If Use Pass-through for remote sign-on is enabled, the options are selected automatically based on the settings you specify for Use Pass-through for remote sign-on. Telnet is still available for remote sign-ons if you select Pass-through.
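
To confirm from a command line what the two procedures above configured, the following CL program is an added example (not IBM's code and not part of the original page). It assumes the Navigator options are backed by the system values QLMTSECOFR, QLMTDEVSSN, QMAXSIGN, QMAXSGNACN, QRMTSIGN and QAUTOVRT, and that *FRCSIGNON corresponds to Always display sign-on; the variable names are illustrative.

```cl
/* Added example: report sign-on system values that differ from the     */
/* selections described above. The mapping of system value names to     */
/* Navigator options is an assumption of this example.                   */
PGM
  DCL VAR(&LMTSECOFR) TYPE(*CHAR) LEN(1)
  DCL VAR(&LMTDEVSSN) TYPE(*CHAR) LEN(1)
  DCL VAR(&MAXSIGN)   TYPE(*CHAR) LEN(6)
  DCL VAR(&MAXSGNACN) TYPE(*CHAR) LEN(1)
  DCL VAR(&RMTSIGN)   TYPE(*CHAR) LEN(20)
  DCL VAR(&AUTOVRT)   TYPE(*DEC)  LEN(5 0)

  RTVSYSVAL SYSVAL(QLMTSECOFR) RTNVAR(&LMTSECOFR)
  RTVSYSVAL SYSVAL(QLMTDEVSSN) RTNVAR(&LMTDEVSSN)
  RTVSYSVAL SYSVAL(QMAXSIGN)   RTNVAR(&MAXSIGN)
  RTVSYSVAL SYSVAL(QMAXSGNACN) RTNVAR(&MAXSGNACN)
  RTVSYSVAL SYSVAL(QRMTSIGN)   RTNVAR(&RMTSIGN)
  RTVSYSVAL SYSVAL(QAUTOVRT)   RTNVAR(&AUTOVRT)

  /* Restrict privileged users to specific devices */
  IF COND(&LMTSECOFR *NE '1') THEN(SNDPGMMSG +
     MSG('QLMTSECOFR is not 1: *ALLOBJ and *SERVICE users +
          are not restricted to specific devices'))

  /* Limit each user to one device session */
  IF COND(&LMTDEVSSN *EQ '0') THEN(SNDPGMMSG +
     MSG('QLMTDEVSSN is 0: device sessions per user are not limited'))

  /* Number of sign-on attempts allowed */
  IF COND(&MAXSIGN *EQ '*NOMAX') THEN(SNDPGMMSG +
     MSG('QMAXSIGN is *NOMAX: sign-on attempts are unlimited'))

  /* Action taken when the maximum is reached: always reported */
  SNDPGMMSG MSG('QMAXSGNACN is' *BCAT &MAXSGNACN *BCAT +
     '(1=disable device, 2=disable profile, 3=both)')

  /* Remote sign-on: anything other than Always display sign-on */
  IF COND(&RMTSIGN *NE '*FRCSIGNON') THEN(SNDPGMMSG +
     MSG('QRMTSIGN is' *BCAT &RMTSIGN *BCAT '(not *FRCSIGNON)'))

  /* Automatic virtual device configuration raises the number of */
  /* Telnet sign-on attempts allowed, as noted above             */
  IF COND(&AUTOVRT *NE 0) THEN(SNDPGMMSG +
     MSG('QAUTOVRT is not 0: Telnet sign-on attempts allowed +
          exceed the QMAXSIGN value'))
ENDPGM
```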