
Customizing users and groups

Chapter 3. Using iSeries Access for Web

3.4 Customizing users and groups

iSeries Access for Web lets administrators customize user and group profiles through the Customize function. With this function, administrators control which functions users and groups can perform and how certain information is presented. When a function is restricted, it is removed from the navigation bar, and access to the corresponding servlet is also prevented. Changing a function tab setting to hide does not restrict access to the function.

Administrators with *SECADM special authority defined in their iSeries user profile can change iSeries Access for Web settings.

Administrators need to understand how policy settings are determined for an individual. Figure 3-40 demonstrates policy enforcement for an individual user profile.

Figure 3-40 Policy flow
[Flowchart: settings are looked up in order in the User Profile Policy, the Group Profile Policy, the administrator-supplied user defaults (*PUBLIC profile - UserData policy file), and the IBM-supplied defaults (*PUBLIC profile - ProdData policy file). YES at a step leads to Policy Enforced; NO moves on to the next step.]

Tip: To ensure preferences are applied to a user profile, select Apply setting to profile.

Attention: Policies for a user or group take effect immediately.

Customizing User profiles

You can customize User profiles by selecting Customize-> User profile from the navigation bar. A list of iSeries profiles is displayed. Administrators may customize each profile from this location. Figure 3-41 shows the Customize User profile tab.

Figure 3-41 Customizing User profiles

Administrators can perform three actions for each profile:

Edit: Used to create or modify policy settings

Copy: Used to copy all of the policy settings to one or multiple profiles

Reset: Used to remove all policy settings specific to the profile

Within each user and group profile, a “Derived from” column is displayed. Table 3-1 shows the available descriptions for the user profile “Derived from” column.

Table 3-1 Derived from column descriptions

| Derived from | Description |
| --- | --- |
| Profile setting | Indicates the setting is currently specific to the profile being customized. The setting was previously applied to this profile. |
| Group - (groupName) | Indicates the setting is not specific to the profile being customized, but is derived from the specified iSeries group profile and the user is a member of this group. |
| *PUBLIC setting | Indicates the setting is not specific to the profile being customized. No setting was found in any iSeries group profile memberships. The setting is derived from the *PUBLIC group settings. This is a special group profile available to iSeries Access for Web administrators. All user profiles are automatically members of this special group profile. Administrators can modify this group profile to easily apply settings to all iSeries Access for Web users. |
| Shipped default | Indicates the setting is not specific to the profile being customized. No setting was found in any iSeries group profile memberships or the special *PUBLIC group profile. The setting is derived from a shipped default value. |

Customizing Group profiles

You can customize Group profiles by selecting Customize-> Group profile from the navigation bar. A list of iSeries group profiles is displayed. Administrators can customize each group profile from this location. Figure 3-42 shows the Customize Group profile tab.

Figure 3-42 Customizing Group profiles

Important: The copy and reset actions are only available when the user or group profile currently has policy settings.

iSeries Access for Web includes a configured group called *PUBLIC. This group contains the default settings for all users. All users are members of this group and cannot be removed from it. Changes to this group affect all iSeries Access for Web profiles.

For a complete overview of customizing user and group profiles, refer to iSeries Access for Web, SC41-5518.

Disabling all functions with a group profile

By default, iSeries Access for Web has policy settings enabled for all users. It is the administrator’s responsibility to restrict functions. Customizing the *PUBLIC profile is an easy way to restrict functions for all users. Note that the group profile *PUBLIC also includes QSECOFR and profiles with *SECADM authority.

To ensure QSECOFR and administrators continue to have access to all functions, you may want to customize a new group profile rather than *PUBLIC. The following steps explain this process:

1. Create a new group profile with Operations Navigator. Figure 3-43 shows Groups in Operations Navigator.

Figure 3-43 Operations Navigator Groups

2. Right-click Groups and select New Group. Figure 3-44 shows the required new group information.

Figure 3-44 New Group

3. Enter a group name and provide a description. Then, from the All users box, select a user or users and click Add-> to add the users to the group.

4. To see the new group, go to the iSeries Access for Web Main page and select Customize-> Group Profile.

Figure 3-45 shows a sample group.

Figure 3-45 Sample group

5. Edit the newly created group.

6. Select a category and edit the policy. Policy settings are grouped by function, with subfunction policies. To restrict a function, you set the function setting to Deny. You do not have to explicitly deny all subfunctions. Figure 3-46 shows an example of customizing the Files function.
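
The lookup order in Table 3-1, and the reason the steps above use a dedicated group instead of *PUBLIC, modelled as an added example (not IBM's code or policy file format). The state name Allow, the group WEBUSERS, the users ALICE and BOB, and checking multiple groups in list order are assumptions.

```python
# Added illustration, not IBM code: a simplified model of the lookup order
# in Table 3-1. "Allow" as the name of the enabled state, the group WEBUSERS
# and the users ALICE/BOB are constructed; multiple groups are checked in
# list order, which is an assumption.
SHIPPED_DEFAULT = "Allow"  # the page: functions are enabled by default


def resolve(user, function, user_policy, group_policy, membership):
    """Return (setting, derived_from) for one user and one function."""
    setting = user_policy.get(user, {}).get(function)
    if setting is not None:
        return setting, "Profile setting"
    for group in membership.get(user, []):
        setting = group_policy.get(group, {}).get(function)
        if setting is not None:
            return setting, f"Group - ({group})"
    # Every profile, QSECOFR included, is implicitly a member of *PUBLIC.
    setting = group_policy.get("*PUBLIC", {}).get(function)
    if setting is not None:
        return setting, "*PUBLIC setting"
    return SHIPPED_DEFAULT, "Shipped default"


def servlet_allowed(setting, tab_hidden=False):
    """Only Deny blocks the servlet; tab_hidden is deliberately ignored
    because hiding a tab does not restrict access to the function."""
    return setting != "Deny"


def audit(function, users, user_policy, group_policy, membership):
    """Effective setting and its origin for each user, for review."""
    return {u: resolve(u, function, user_policy, group_policy, membership)
            for u in users}


USERS = ["QSECOFR", "ALICE", "BOB"]
MEMBERSHIP = {"ALICE": ["WEBUSERS"], "BOB": ["WEBUSERS"]}

# Option 1: Deny on *PUBLIC also locks out QSECOFR.
public_deny = audit("Files", USERS, {}, {"*PUBLIC": {"Files": "Deny"}}, MEMBERSHIP)
# Option 2: Deny on a dedicated group leaves QSECOFR on the shipped default.
group_deny = audit("Files", USERS, {}, {"WEBUSERS": {"Files": "Deny"}}, MEMBERSHIP)

if __name__ == "__main__":
    for name, result in (("*PUBLIC", public_deny), ("WEBUSERS", group_deny)):
        for user, (setting, origin) in result.items():
            print(f"Deny on {name}: {user:8} {setting:5} <- {origin}")
```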