Authentication tab fields identify the authentication criteria for the rule.
When a field or value has a different name than its 5250 user interface equivalent, the 5250 name is shown in parentheses () at the end of the description.
Action

| Value | Description |
| --- | --- |
| Always Allow | Allow access for user profiles or jobs authenticated by the rule without requiring additional authentication. (Action=*ALLOW) |
| Always Deny | Deny access for user profiles or jobs authenticated by the rule without requiring additional authentication. (Action=*DENY) |
| Challenge User In Listener | Display the authentication request in the web listener or the 5250 listener, depending on which listener is configured and running. The user will be prompted to provide additional authentication as defined in the Authentication Method fields. (Action=*LISTENER) |
| Challenge User Interactively | Display the authentication request in a 5250 screen for an interactive job. The user will be prompted to provide additional authentication as defined in the Authentication Method fields. (Action=*DSPF) |
| Notify User | Notify the user via a push notification to their personal device. The user will be prompted to respond to the notification and indicate whether they requested access. (Action=*NOTIFY) |
Display user profile in challenge

| Value | Description |
| --- | --- |
| No | The user profile is not displayed in the authentication challenge. (Profile presentation=*HIDE) |
| Yes | The user profile is displayed in the authentication challenge. The profile cannot be changed by the user. (Profile presentation=*DISPLAY) |
| Yes, Can be Changed | The user profile can be displayed in the authentication challenge and can be changed by the user. The Hide originating user's profile in challenge check box determines whether the user profile is displayed in the challenge. (Profile presentation=*CHANGE) |
| Yes, Must be Changed | The user profile can be displayed in the authentication challenge and must be changed by the user. The Hide originating user's profile in challenge check box determines whether the user profile is displayed in the challenge. (Profile presentation=*OTHER) |
Authorized Users
For four-eyes rules, it identifies a list of authorized, alternate user profiles that can approve the request. A four-eyes rule is a File Access rule whose name begins with DFU4 or an SQL Access rule whose name begins with SQL4.
For Reset Password and Enable Profile rules, this field identifies the users authorized to reset their password or enable their profile.
| Value | Description |
| --- | --- |
| All users | Any user profile is authorized. (Profile List=%) |
| name | A specified name can be either: |
Authorized user must have an IBM i user profile
When this option is selected, MFA will verify that the profiles specified in the Authorized Users field are existing IBM i user profiles on this system. (5250 field: *USRPRF Exists)
This field is displayed when the value of the Display user profile in challenge field is either Yes, Can be Changed or Yes, Must be Changed.
Hide originating user's profile in challenge
When this option is selected, the user profile field displayed in the authentication challenge will be empty. When the option is cleared, the user profile field in the authentication challenge will display the current user profile. (5250 field: Profile Initialization)
This field is displayed when the value of the Display user profile in challenge field is either Yes, Can be Changed or Yes, Must be Changed.
Authentication Method
| Field | Description |
| --- | --- |
| IBM i password | Indicates whether the user must specify the password for the IBM i user profile in the authentication challenge. (5250 field: Present Password) |
| Additional authentication | Identifies which method of additional authentication is required. (5250 field: Authenticator) This field is not displayed when Password Only is selected for the IBM i password field. |
| Security questions | Identifies the number of security questions the user must answer to confirm their identity. This field is displayed when the Additional authentication field requires security questions. Security questions cannot be used with RADIUS authentication. (5250 field: User Question) Note: Users must have prepared the answers to questions before the rule is used. The minimum number of answers required is determined by an MFA setting. For more details, see the Assure Multi-factor Authentication User Guide. |
| Factor | Used in rules with the Action defined as Notify User. The field must contain a non-blank value. The default value is PUSH, denoting a push notification. You can adapt the value based on the configuration of your RADIUS server. |
These fields are only displayed when One-time Password or One-time Password + Questions was selected for Additional authentication.
| Field | Description |
| --- | --- |
| Email subject | Identifies the subject of the email containing the one-time password. |
| Email body | Identifies the body of the email containing the one-time password. |
You can include attributes in the Email subject and body. Click the attribute icon on the upper right to select an attribute from the list. The following attributes are available:
| Attribute | 5250 Field | Notes |
| --- | --- | --- |
| One-time password | TOKEN | Available only for the Email body field |
| One-time password expiration date | TOKENDTS | Available only for the Email body field |
| Challenge reason | TEXT | Available only for the Email body field |
| System name | SYSTEM | |
| User name | PROFILE | |
| User email address | | |
| User IP address | IPADDR | |
| Job name | JOBNAME | |
| Job user | JOBUSER | |
| Job number | JOBNBR | |
| Job subsystem | JOBSBS | |
| Current date and time | NOW | |
| Assure SAM command/SQL statement | MSGDTA | |
If custom commands have been specified in the Send Information field in the 5250 interface, the following field is displayed:
- Custom command - Use the information specified in the 5250 interface for sending the One-time password by email.
- Standard email - Override the information specified in the 5250 interface and use the Email subject and details specified in the Web User Interface.
Additional Behaviors
| Field | Description |
| --- | --- |
| Listener challenge time limit | Identifies the maximum amount of time allowed for a user to correctly respond to all of the authentication challenge requirements. (5250 field: Time Out) |
| Maximum attempts | Identifies the number of attempts the user is given to correctly respond to all challenge criteria before being rejected. Each attempt includes responses to all of the relevant challenges (for example, password, MFA passcode, and security questions). The possible values are 1 through 9. (5250 field: Max nb. of attempts) |
| Re-authenticate | Identifies when subsequent requests by the same user profile or job must re-authenticate. During a valid session, new authentication requests by the same user profile or job are automatically accepted without a challenge. (5250 field: Life Time) |
| Log | Identifies the logging level for the rule. |
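As an added illustration, not the product's own code, the following Python model shows how the Additional Behaviors fields interact as described above: one attempt covers every relevant challenge, Maximum attempts is limited to 1 through 9, a response after the time limit times out, and a successful authentication opens a session for the Life Time during which repeat requests from the same user profile or job are accepted without a challenge. The class and method names, the (profile, job) session key, and the use of seconds on a caller-supplied clock are assumptions.

```python
# Illustrative model of a rule's Additional Behaviors (assumed semantics, not product code).
from dataclasses import dataclass


@dataclass
class RuleBehaviors:
    time_limit: float   # Listener challenge time limit, seconds (5250: Time Out)
    max_attempts: int   # Maximum attempts, 1 through 9 (5250: Max nb. of attempts)
    life_time: float    # Re-authenticate window, seconds (5250: Life Time)

    def __post_init__(self):
        if not 1 <= self.max_attempts <= 9:
            raise ValueError("Maximum attempts must be 1 through 9")


@dataclass
class Challenge:
    rule: RuleBehaviors
    started: float          # clock value when the challenge was issued
    attempts_used: int = 0

    def answer(self, responses: dict, now: float) -> str:
        """One attempt = the user's responses to every relevant challenge
        (e.g. {"password": True, "passcode": False}); all must be correct."""
        if now - self.started > self.rule.time_limit:
            return "TIMED_OUT"
        self.attempts_used += 1
        if all(responses.values()):
            return "ACCEPTED"
        if self.attempts_used >= self.rule.max_attempts:
            return "REJECTED"
        return "RETRY"


class RuleEvaluator:
    """Tracks valid sessions per (user profile, job) so repeat requests skip the challenge."""

    def __init__(self, rule: RuleBehaviors):
        self.rule = rule
        self.valid_until: dict = {}

    def request(self, key: tuple, now: float) -> str:
        expiry = self.valid_until.get(key)
        if expiry is not None and now < expiry:
            return "ACCEPT"        # still inside Life Time: no challenge
        return "CHALLENGE"

    def complete(self, key: tuple, challenge: Challenge, responses: dict, now: float) -> str:
        result = challenge.answer(responses, now)
        if result == "ACCEPTED":
            self.valid_until[key] = now + self.rule.life_time
        return result
```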