The Add Rule wizard creates a rule for a category using the values you select and default values for the selected rule category.
We recommend that you create rules and validate that they perform as you expect before using the rules in your production environment.
To add a rule:
- On the Rules page, click Add Rule.
- The Add Rule wizard opens. On the Category panel, select the category of rule to add. The following options are available:
  - Telnet - Rules to authenticate user profiles when they sign on to the IBM i system.
  - Server Access - Rules to authenticate users when using applications to access server connections such as FTP, ODBC, JDBC.
  - SQL Access - Rules to authenticate users when accessing files using SQL commands.
  - File Access - Rules to authenticate users when accessing files using the IBM i Data File Update Utility (DFU).

  Specify the rule name, description and priority. The rules engine uses the priority when searching for a rule that matches the context of the authentication request. Rules are searched in ascending priority order, and the rules engine stops the search as soon as it finds a rule that matches the context of the request. The possible values are between 0 and 8999. Click Next.
- On the Action panel, specify whether the rule will allow, deny or challenge the user's connection request. Select one of the following options:
  - Challenge User Interactively
  - Challenge User In Listener
  - Notify User
  - Always Allow
  - Always Deny

  For more details about these options, refer to the Authentication tab. Click Next.
- On the Authentication panel, specify the authentication method for the rule.

  If you selected Always Allow or Always Deny as the Action, no authentication is required.

  If you selected Notify User as the Action, fill in the Factor field. The default value is PUSH, denoting a push notification. You can adapt the value based on the configuration of your RADIUS server.

  If you selected Challenge User Interactively or Challenge User In Listener as the Action, select one of the following options:
  - RADIUS Token - The user receives a RADIUS token generated by an authenticator application associated with the RADIUS server.
  - One-time Password (OTP) - The user is sent an on-demand one-time password by email.
  - Security Questions - The user is prompted to answer the required number of security questions correctly.
  - One-time Password (OTP) + Security Questions - The user is sent an on-demand one-time password by email and is prompted to answer the required number of security questions correctly.

  When RADIUS Token is specified as the Authentication method, fill in the following fields:
  - Display user profile in challenge
  - Listener challenge time limit (for the Challenge User In Listener action only)
  - Maximum attempts

  When One-time Password is specified as the Authentication method, fill in the Email subject and Email body fields.

  When Security Questions is specified as the Authentication method, fill in the number of security questions required.

  When One-time Password + Security Questions is specified as the Authentication method, fill in the Email subject and Email body fields and the number of security questions required.

  For all Action selections other than Always Allow or Always Deny, fill in the Re-authenticate and Log fields.

  Click Next.
- On the Selection Criteria panel, specify the user and job type information for the rule.

  In the Users section, specify the IBM i users or groups to be authenticated by the rule. Select one of the following options:
  - All
  - Users Only
  - Groups Only
  - Users or Groups
  - Use Distribution List
  - Use Condition List

  In the Job Type section, select the type of job to which the rule applies:
  - Match Any - Any IBM i job type
  - Batch - An IBM i job type submitted by the user that requires no further user interaction
  - Interactive - An IBM i job type that requires user interaction

  In the Additional Selection Options section, optionally specify the IP Address and Profile Description to further refine the users selected by the rule. Click Next.
- Confirm your choices on the Finish panel and click Finish.
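Because the search stops at the first match in ascending priority order, a broad rule with a low priority value can hide a stricter rule that sits behind it. The following is an added example, not code from the product: a simplified Python model of that first-match search, with a check for rules that can never be reached. The `Rule` fields, the matching logic, the handling of equal priorities and of requests that match no rule, and the sample rule names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the first-match search; not the product's implementation.
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # 0..8999, lower value is searched first
    category: str                 # "Telnet", "Server Access", "SQL Access", "File Access"
    action: str                   # e.g. "Always Allow", "Challenge User Interactively"
    users: Optional[frozenset]    # None models the "All" option
    job_type: str = "Match Any"   # or "Batch" / "Interactive"

    def __post_init__(self):
        if not 0 <= self.priority <= 8999:
            raise ValueError(f"{self.name}: priority must be between 0 and 8999")

def matches(rule, category, user, job_type):
    return (rule.category == category
            and (rule.users is None or user in rule.users)
            and rule.job_type in ("Match Any", job_type))

def evaluate(rules, category, user, job_type):
    """Return the first matching rule in ascending priority order, or None."""
    # Assumption: equal priorities keep their list order (sorted() is stable).
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, category, user, job_type):
            return rule
    return None

def covers(a, b):
    """True if every request that matches b also matches a."""
    return (a.category == b.category
            and (a.users is None or (b.users is not None and b.users <= a.users))
            and a.job_type in ("Match Any", b.job_type))

def shadowed(rules):
    """List (hidden, hiding) name pairs for rules that can never be reached."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [(b.name, a.name) for i, b in enumerate(ordered)
            for a in ordered[:i] if covers(a, b)]

# Constructed sample rule set: the broad allow rule is searched before the challenge rule.
RULES = [
    Rule("allow-all-server", 100, "Server Access", "Always Allow", None),
    Rule("challenge-admins", 200, "Server Access", "Challenge User Interactively",
         frozenset({"QSECOFR"})),
    Rule("telnet-otp", 300, "Telnet", "Challenge User Interactively", None, "Interactive"),
]
```

In this constructed set, `shadowed(RULES)` reports that `challenge-admins` is hidden behind `allow-all-server`; giving the challenge rule the lower priority value makes it reachable again.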