IS WRKSYSVAL SYSVAL (QMAXSIGN) COMMAND USER SPECIFIC OR GLOBAL
Actually I need one commen user id to have mutiple attempts for sign on
I had tried with below command but it updates globally and not for one user
IS WRKSYSVAL SYSVAL (QMAXSIGN) COMMAND USER SPECIFIC OR GLOBAL
pls help
Software/Hardware used:
Software/Hardware used:
ASKED:
February 15, 2008 3:02 PM
UPDATED:
March 13, 2010 2:22 AM
Answer Wiki:
Hi,
QMAXSIGN is global and limits the number of *invalid* sign-on attempts at a device (or terminal session). If you need the user to be signed on to the system at multiple devices then you may need to set the LMTDEVSSN to *NO on the user profile.
Hope this helps,
Martin Gilbert.
To see all answers submitted to the Answer Wiki: View Answer History.
Dear Martin,
Thanks for reverting but my problem is not sign on to system at multiple devices using same ID.
Actually my problem is that I have one common user ID which is used by 1000 users.
But suppose if any one does invalid sign on thrice the ID gets disabled and rest all the users are not able to use the server.
So i wanted to know just like QMAXSIGN is there any command which is specific to user where in I can allow that user n number or multiple sign on attempts.
Please help.
Hi Manojcgupta,
i’m afraid what you want is not possible.
perhaps you should investigate modifying your security policy, because having so much users working with the same ID is not really safe and compliant with actual security requirements.
Have a nice day.
T.
I would agree that having ALL your users signing on with the same ID is definitely not a good idea.
However, if you have to work that way then one thing you could do is change the QMAXSGNACN system value to ’1′ (numeric one). This would mean that the ID is not disabled when a user exceeds the allowed number of sign-on attempts. It will just disable the device.
I wrote an article Watching for Messages — Made Easy for System i News back in 2006 which provides sample programs in CL, RPG, and COBOL to accomplish just this function — have one user profile (WAREHOUSE in my example) enabled even if “too many” invalid signon attemts are made. Basically the program looks for the “profile is disabled” message and, if found, re-enables the user profile.
Bruce Vining
http://www.brucevining.com/
Dear Djac,
Thanks for reverting but again the command QMAXSGNACN is global I need something which is specific to user.
Actually we have one module used for online attendance recording of the all the employees even who don’t use the system for any other work apart from attendance. Only for this module we have created one common user Id.
For other modules we have different user ids with user specific rights.
My problem not yet resolved?
Why do you have a signon at all for this user? Why have a “user” at all?
Just run a program that ‘acquires’ the device and go from there. Completely avoid signons since they serve no purpose in this case (and since they in fact cause problems).
Tom
Vendor response.
I have a product, Profile Manager, which allows you quite a bit of flexibility in this area. You can have some user profiles always re-enabled (*BYPASS mode), some user profiles prompted (at the signon screen after QMAXSIGN has kicked in) with a personal question to verify their identity and, if answered correctly, re-enabled with either a new password or the old password (
Wrong blasted key……………… Continuing where I left off:
(*QUESTION mode), some user profiles re-enabled based on fingerprint verification — not real applicable to your situation (*FINGERPRT mode), some user profiles just left disabled (*NONE mode).
Once started, Profile Manager detects when a profile becomes disabled due to excessive signon attempts and then, based on the profile disabled, helps them recover. The product also takes care of the terminal being varied off due to QMAXSIGN. The product does require that the system be at V5R4 or later.
Bruce Vining
Bruce Vining Services
End vendor response.
There’s an easy way to fix this. Create a CL program that is constantly running in batch that checks – say every ten seconds – to see if the user profile is disabled. If so, it re-enables it and continues running.
PGM DCL VAR(&STATUS) TYPE(*CHAR) LEN(10) Check: RTVUSRPRF USRPRF(user) STATUS(&STATUS) IF COND(&STATUS *EQ '*DISABLED') THEN(CHGUSRPRF + USRPRF(user) STATUS(*ENABLED)) DLYJOB DLY(10) GOTO CMDLBL(CHECK) ENDPGMI have this setup in our TEST environment for users performing QA before promoting to PROD. It is usually just 2 or 3 users with the same test profile:
Use iNav and setup a Message monitor
enter Message ID CPF1393 (Subsystem QUSRWRK disabled user profile …)
Enter CHGUSRPRF for the trigger cmd for the user id and put STATUS(*ENABLED)
I also use SNDBRKMSG to the HELPDESK as the reset cmd so they can monitor its frequency.
Using a single profile for multiple users is worse than having no security.
If you can’t get away from that immediately, create the QSYSMSG message queue in QSYS and write a message queue monitor to re-enable the profile when it becomes disabled.