Audit Question – Force user signoff after inactivity

70 pts.
Tags: AS/400 passwords, AS/400 security, ENDJOB, Password

I am auditing a client and would like to know what setting they should set to have the system log off the user from AS400 after a period of inactivity. Currently, they have the setting as QINACTMSGQ = *ENDJOB, but I am not sure if this would log the user off the system or does it have to be set to *DSCJOB for them to be logged off the system?

Answer Wiki


Hi,

*ENDJOB will terminate the job and *DSCJOB will put it in a temporary disconnection state, and it will be restored when the user signs in again.

Regards,
Wilson

Discuss This Question: 5  Replies

 
  • Toosunneo
    Thank you for the response. I am still not sure whether *ENDJOB will require the user to sign in again. My objective is to find out what setting the client should have to force users to be logged off after a period of activity. Is it *ENDJOB or *DSCJOB?
  • DanD
    *ENDJOB will force the user to sign in again, to a new session. This is the desired setting. With the setting at *DSCJOB, in rare instances a user has signed into a disconnected job that had been some other user's login.
  • Gilly400
    Hi, You should also check whether the applications being used can cope with having their interactive jobs terminated. If you use *ENDJOB the interactive session is terminated, which may cause problems in the application (e.g. certain records may be marked as in use by a user). If you use *DSCJOB this will suspend the interactive session and allow the user to resume the session after signing on again, so the application will continue where it left off. Of course a well designed and written application should be able to cope with sessions being terminated....although I've seen plenty which don't.... Regards, Martin Gilbert.
  • mcl
    This can get complicated. Timeout on an iSeries is not the same as timeout for other typical applications. Timeout issues for audit considerations generally are based on web-apps - which are stateless - and controlled by the application. Timeout for the iSeries is handled by the O/S. Typical iSeries apps were written around 5250 green-screen terminals - which were not stateless.

    *ENDJOB ends the user's job and forces the user to sign in. As Gilly says, you need to take into consideration what the user may be doing at the time. Typically, with 5250 emulation on a Windows workstation, users may have a 5250 session up in the background, usually on an edit screen it seems. Many legacy apps were written to set a "flag" to indicate a file was being edited and that flag gets cleared normally when the user exits from the edit. In cases like that, using the *ENDJOB will not clear the flag which causes other problems.

    *DSCJOB will not end the job, but it will force the user to re-enter credentials to resume the job. BUT, this ONLY works if the user had signed on from a "named" workstation. To understand the *DSCJOB setting you have to understand how twin-ax terminals were set up and you have to understand how jobs are identified. With a twin-ax terminal, you ALWAYS had the same workstation name and the same workstation address. The workstation name is part of the job identification - as is the user name. The workstation address is part of the job connection. So, on a twin-ax terminal, if a user was disconnected, they could easily reconnect.

    With emulation programs, such as iSeries Access TN5250, the default is to have the system dynamically generate a workstation name. Those workstation names will typically be QPADEVxxxx (although you can change that at the subsystem level). There is no way that a disconnected job can re-connect with a dynamic name. So, if in QINTER, all of your user jobs have workstation names that start with QPADEV - the *DSCJOB is meaningless. Any dynamically named job will END. For *DSCJOB to work, you need to define workstation names using the "Configure 5250" screen at the client.

    Assuming you have named workstations, and you specify *DSCJOB for the QINACTMSGQ system value, there is also the QDSCJOBITV system value to consider. This is the interval before disconnected jobs end - and is set in minutes. Users with named workstations can also disconnect themselves - by ending their Windows emulation session (File > Exit or click the "X"). If they start up the emulation and log in, they will resume their job normally. However - if a user with a named workstation reboots their PC, they will be disconnected AND they will NOT be able to sign back in. When they reboot the PC, the workstation address changes. It may have the same IP, but the connection has changed, so you cannot reconnect.

    Hope this helps. Regards Mike
  • WoodEngineer
    Check out this article on the topic in SystemiNetwork: http://systeminetwork.com/print/63569
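
An added example, not written by any poster in this thread: the replies above turned into an audit check over the three system values involved. QINACTITV (the inactivity interval) is not mentioned in the thread and is included because QINACTMSGQ does nothing without it; the function name, sample values and workstation names are constructed for illustration.

```python
# Added example: audit logic for the settings discussed in this thread.
# Values are constructed; on a real system they come from DSPSYSVAL output
# (for example DSPSYSVAL SYSVAL(QINACTMSGQ)) and the list of interactive jobs.

DYNAMIC_PREFIX = "QPADEV"  # system-generated workstation names, per the thread


def audit_inactivity(sysvals, workstations):
    """Return (severity, message) findings for the inactivity settings."""
    itv = sysvals["QINACTITV"].strip().upper()
    action = sysvals["QINACTMSGQ"].strip().upper()
    dsc_itv = sysvals["QDSCJOBITV"].strip().upper()
    if itv == "*NONE":
        # With no interval the system never checks for inactive jobs,
        # so the QINACTMSGQ action is never triggered.
        return [("FAIL", "QINACTITV is *NONE: no inactivity timeout")]
    findings = [("INFO", f"action taken after {int(itv)} inactive minutes")]
    if action == "*ENDJOB":
        findings.append(("PASS", "job is ended; user signs on to a new session"))
        findings.append(("NOTE", "confirm applications tolerate ended jobs"))
    elif action == "*DSCJOB":
        named = [w for w in workstations
                 if not w.upper().startswith(DYNAMIC_PREFIX)]
        dynamic = len(workstations) - len(named)
        if dynamic:
            findings.append(("NOTE", f"{dynamic} dynamically named workstation(s): "
                             "per the thread these jobs end, not disconnect"))
        if named:
            findings.append(("PASS", "named workstations are disconnected; "
                             "credentials are required to resume"))
            if dsc_itv == "*NONE":
                findings.append(("FAIL", "QDSCJOBITV is *NONE: disconnected "
                                 "jobs are never ended"))
            else:
                findings.append(("INFO", "disconnected jobs end after "
                                 f"{int(dsc_itv)} minutes"))
    else:
        # Any other value is a message queue name: the system only sends a
        # message there and takes no action on the job itself.
        findings.append(("REVIEW", f"QINACTMSGQ is message queue {action!r}: "
                         "verify something acts on its messages"))
    return findings


# Constructed sample: the client's *ENDJOB setting with a 30-minute interval.
CLIENT = {"QINACTITV": "30", "QINACTMSGQ": "*ENDJOB", "QDSCJOBITV": "240"}

if __name__ == "__main__":
    for sev, msg in audit_inactivity(CLIENT, ["QPADEV0001", "ACCTPC01"]):
        print(f"{sev:6} {msg}")
```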
