The Advanced tab fields identify programs and commands to be run when the rule is selected by the MFA rules engine to authenticate a request.
When a field or value has a different name than its 5250 user interface equivalent, the 5250 name is shown in parentheses () at the end of the description.
Message
Identifies the message to display in the authentication challenge. When the rule's Action is Challenge User Interactively, the specified message is displayed on the MFA Authentication screen. When the Action is Challenge User In Listener, the message is displayed in the configured listener's screen. (5250 field: MSG (lib/msgf/id))
- None - No message is displayed.
- Specify - When selected, the following fields identify the message to display and its location on the system.
| Field | Description |
| --- | --- |
| ID | Identifies the message ID. The message ID must be 7 characters in length. The first character must be an alphabetic character. User-defined messages must begin with 'U'. The next 2 characters can be any alphanumeric characters. The last 4 characters must consist of numbers ranging from 0 through 9 and characters ranging from A through F. |
| File | Identifies the message file name. The first character must be an alphabetic character or one of the following: $, #, or @. The remaining 9 characters may be a combination of any alphanumeric characters and the characters $, #, @, _ (underscore), . (period). The value *IJRN is also allowed. |
| Library | Identifies the library containing the message file. The first character must be an alphabetic character or one of the following: $, #, or @. The remaining 9 characters may be a combination of any alphanumeric characters and the characters $, #, @, _ (underscore), . (period). The value *IJRN is also allowed. |
Hosted initial program
Identifies the program and library of a hosted initial program. The specified program is invoked after the user profile is authenticated. This field is only displayed for Sign-On rules.
- None - No initial program is invoked.
- Specify - When selected, the following fields identify the name and location of the hosted initial program.
| Field | Description |
| --- | --- |
| Program | Identifies the initial program to be invoked. The first character must be an alphabetic character or one of the following: $, #, or @. The remaining 9 characters may be a combination of any alphanumeric characters and the characters $, #, @, _ (underscore), . (period). |
| Library | Identifies the library containing the initial program. The first character of the library name must be an alphabetic character or one of the following: $, #, or @. The remaining 9 characters may be a combination of any alphanumeric characters and the characters $, #, @, _ (underscore), . (period). |
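The name rules in the Message table above and in the hosted initial program table share one object-name format, and the message ID has its own 7-character format. The validator below is an added example, not code from the product or this documentation; it transcribes those rules and assumes IBM i names are case-insensitive, so input is upper-cased before checking.

```python
import re

# Rules transcribed from this page's field descriptions (assumption: IBM i
# names are case-insensitive, so values are upper-cased before checking).
_OBJ_FIRST = re.compile(r"[A-Z$#@]")          # first character of a name
_OBJ_REST = re.compile(r"[A-Z0-9$#@_.]*")     # up to 9 remaining characters
_ALNUM2 = re.compile(r"[A-Z0-9]{2}")          # message ID characters 2-3
_HEX4 = re.compile(r"[0-9A-F]{4}")            # message ID characters 4-7


def validate_object_name(name: str, allow_ijrn: bool = False) -> list[str]:
    """Check a message file, library or program name.
    Returns a list of problems; an empty list means the name is acceptable."""
    name = name.strip().upper()
    if name == "*IJRN":  # special value, permitted only where the page says so
        return [] if allow_ijrn else ["*IJRN is not allowed in this field"]
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > 10:
        problems.append("name exceeds 10 characters (1 + 9 remaining)")
    if not _OBJ_FIRST.fullmatch(name[0]):
        problems.append("first character must be A-Z, $, # or @")
    if not _OBJ_REST.fullmatch(name[1:]):
        problems.append("remaining characters must be A-Z, 0-9, $, #, @, _ or .")
    return problems


def validate_message_id(msg_id: str, user_defined: bool = True) -> list[str]:
    """Check a 7-character message ID such as UMF0001 (constructed sample)."""
    msg_id = msg_id.strip().upper()
    if len(msg_id) != 7:
        return ["message ID must be exactly 7 characters"]
    problems = []
    if not "A" <= msg_id[0] <= "Z":
        problems.append("first character must be alphabetic")
    if user_defined and msg_id[0] != "U":
        problems.append("user-defined message IDs must begin with 'U'")
    if not _ALNUM2.fullmatch(msg_id[1:3]):
        problems.append("characters 2-3 must be alphanumeric")
    if not _HEX4.fullmatch(msg_id[3:]):
        problems.append("characters 4-7 must be 0-9 or A-F")
    return problems


def validate_message_spec(msg_id: str, msg_file: str, library: str) -> dict:
    """Validate the three Specify fields together; only failing fields appear."""
    checks = {"ID": validate_message_id(msg_id),
              "File": validate_object_name(msg_file, allow_ijrn=True),
              "Library": validate_object_name(library, allow_ijrn=True)}
    return {field: errs for field, errs in checks.items() if errs}
```

For the hosted initial program fields, call `validate_object_name` with the default `allow_ijrn=False`, since the page does not list *IJRN as a valid value there.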
Commands
The following fields display the IBM i commands to send messages to users, update user profiles, send messages to administrators, or execute custom commands when access is granted or rejected. Some command fields have a default command that is determined by the rule category and other settings.
| Field | Description |
| --- | --- |
| Send password | Identifies the command used to send newly changed passwords to the user. Passwords are sent via email. If no email address is specified for the user in their MFA user profile, the password is displayed on the 5250 screen. This field is only displayed for Reset Password rules. |
| Deny decision | Identifies a command to run to perform an action when a user profile is denied authentication by the rule. Commands can be used here to disable a user profile or send an alert to an administrator. SQL Access rules and File Access rules use the command in this field to deny access for an unexpected update of a sensitive file. (5250 field: Reject command) |
| Allow decision | Identifies the command run to send a message or perform an action when a user profile is authenticated by the rule. This command can be used to send email messages to an administrator. (5250 field: Accept Command) |