File access rules require that an Assure MFA administrator has set up the appropriate authentication environment on the system and in the Assure MFA configuration and that you have valid license keys for both Assure MFA and Assure System Access Manager.
The Add Rules wizard creates a file access rule that requires multi-factor authentication using a RADIUS token to access files using the data file update (DFU) utility. The rule created is based on your selections and default settings for the file access rule category.
To be usable, file access rules require that the following configuration activities be performed from the 5250 user interface to set up the authentication environment on the system and in the Assure MFA configuration:
- Required: User profiles to be authenticated must be added to the configuration in the MFA User Profiles list. This list maps IBM i user profile names to the user names known to the RADIUS server. See Working with Assure MFA profiles (WRKQAPRF) in the Assure Multi-factor Authentication User Guide for how to use the WRKQAPRF command to add users manually or by creating and importing a file.
- Required: A System Access Manager (SAM) control for DFU access to files must be configured and active. The control name must be either the same as the file access rule name or use the rule name as a prefix. For example, a control named DFU4 could use rules named DFU4ADM and DFU4OTHER to authenticate. See How to secure DFU interactive access to files using the Four-Eyes principle in the Assure Multi-factor Authentication User Guide.
- Required: Exit point programs for the types of requests requiring additional authentication must be active. See How to configure to secure access to sensitive data in the Assure Multi-factor Authentication User Guide.
- Required: Edit the DFU_FILES condition list to identify the files that require four-eyes authentication and the authorized users. The users identified must be the same as those that the SQL Access rule can authenticate.
- Required: The RADIUS server that will validate tokens must be configured, added to the Assure MFA configuration as an authentication server with the WRKQASRV command, and active. See Configuring Assure MFA for use with RADIUS server and RADIUS passcode in the Assure Multi-factor Authentication User Guide.
Default settings for a file access rule created using the Add Rules wizard use the same values as the template rule X_DFU4ADM, with these exceptions: the Additional Authentication field is set to Radius Token, and the Send Information field is blank. You can view template rules from the 5250 user interface.