Authentication tab - 7.0

Assure Security Web User Interface Guide

Version
7.0
Language
English
Product name
Assure Security
Title
Assure Security Web User Interface Guide
Copyright
2024
First publish date
1999
Last updated
2024-10-15
Published on
2024-10-15T10:28:29.100769

Authentication tab fields identify the authentication criteria for the rule.

When a field or value has a different name than its 5250 user interface equivalent, the 5250 name is shown in parentheses at the end of the description.

Note: Some fields are only editable in the 5250 interface. These fields are indicated with a blue circle icon.

Action

Identifies the action taken by the rule. This field is displayed for all rule categories except Reset Password and Enable Profile.
  • Always Allow - Allow access for user profiles or jobs authenticated by the rule without requiring additional authentication. (Action=*ALLOW)
  • Always Deny - Deny access for user profiles or jobs authenticated by the rule without requiring additional authentication. (Action=*DENY)
  • Challenge User In Listener - Display the authentication request in the web listener or the 5250 listener, depending on which listener is configured and running. The user will be prompted to provide additional authentication as defined in the Authentication Method fields. (Action=*LISTENER)
  • Challenge User Interactively - Display the authentication request in a 5250 screen for an interactive job. The user will be prompted to provide additional authentication as defined in the Authentication Method fields. (Action=*DSPF)
  • Notify User - Notify the user via a push notification to their personal device. The user will be prompted to respond to the notification and indicate whether they requested access. (Action=*NOTIFY)

Display user profile in challenge

Indicates whether to display the user profile name in the authentication challenge. This field is displayed when the Action selected is Challenge User In Listener or Challenge User Interactively. (5250 field: Profile Presentation)
Note: For four-eyes rules and for Reset Password and Enable Profile category rules, this field must be set to Yes, Must be Changed. A four-eyes rule is a File Access rule whose name begins with DFU4 or an SQL Access rule whose name begins with SQL4.
  • No - The user profile is not displayed in the authentication challenge. (Profile presentation=*HIDE)
  • Yes - The user profile is displayed in the authentication challenge. The profile cannot be changed by the user. (Profile presentation=*DISPLAY)
  • Yes, Can be Changed - The user profile can be displayed in the authentication challenge and can be changed by the user. The Hide originating user's profile in challenge check box determines whether the user profile is displayed in the challenge. (Profile presentation=*CHANGE)
  • Yes, Must be Changed - The user profile can be displayed in the authentication challenge and must be changed by the user. The Hide originating user's profile in challenge check box determines whether the user profile is displayed in the challenge. (Profile presentation=*OTHER)

Authorized Users

For four-eyes rules, this field identifies a list of authorized, alternate user profiles that can approve the request. A four-eyes rule is a File Access rule whose name begins with DFU4 or an SQL Access rule whose name begins with SQL4.

For Reset Password and Enable Profile rules, this field identifies the users authorized to reset their password or enable their profile.

This field is displayed when the value of the Display user profile in challenge field is either Yes, Can be Changed, or Yes, Must be Changed. (5250 field: Profile List)
  • All users - Any user profile is authorized. (Profile List=%)
  • name - A specified name can be either:
      • A distribution list specifying the authorized user profiles.
      • An embedded condition list specifying the authorized user profiles.

Authorized user must have an IBM i user profile

When this option is selected, MFA will verify that the profiles specified in the Authorized Users field are existing IBM i user profiles on this system. (5250 field: *USRPRF Exists)

This field is displayed when the value of the Display user profile in challenge field is either Yes, Can be Changed, or Yes, Must be Changed.

Hide originating user's profile in challenge

When this option is selected, the user profile field displayed in the authentication challenge will be empty. When the option is cleared, the user profile field in the authentication challenge will display the current user profile. (5250 field: Profile Initialization)

This field is displayed when the value of the Display user profile in challenge field is either Yes, Can be Changed, or Yes, Must be Changed.

Authentication Method

Field Description
IBM i password - Indicates whether the user must specify the password for the IBM i user profile in the authentication challenge. (5250 field: Present Password)
  • No Password, Additional Authentication Only - The user will be prompted to provide additional authentication as defined in the Additional Authentication field. No password is required. (Present Password=*NO)
  • Password + Additional Authentication - The user will be prompted to enter their password and provide additional authentication as defined in the Additional Authentication field. (Present Password=*YES)
  • Password Only - The user will be prompted to enter their password. No additional authentication is required. (Present Password=*YES)
Additional authentication - Identifies which method of additional authentication is required. (5250 field: Authenticator)

This field is not displayed when Password Only is selected for the IBM i password field.

  • One-time Password (OTP) – The user is sent a one-time password to enter. (Authenticator=*RAMI)
  • Security Questions – The user is prompted to answer security questions. (Authenticator=*NONE)
  • One-time Password (OTP) + Questions - The user is sent a one-time password to enter and is prompted to answer security questions. (Authenticator=*RAMI)
  • RADIUS Token – The user provides a valid RADIUS token generated by an authenticator application associated with the RADIUS server. (Authenticator=*RADIUS)
  • None - No additional authentication is required. (Authenticator=*NONE)
Security questions - Identifies the number of security questions the user must answer to confirm their identity. This field is displayed when the Additional Authentication field requires security questions.

Security questions cannot be used with RADIUS authentication. (5250 field: User Question)

Note: Users must have prepared the answers to questions before the rule is used. The minimum number of answers required is determined by an MFA setting. For more details, see the Assure Multi-factor Authentication User Guide.
Factor - Used in rules with the Action defined as Notify User. The field must contain a non-blank value. The default value is PUSH, denoting a push notification. You can adapt the value based on the configuration of your RADIUS server.
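As an added example (not the product's own code), the following Python check applies the consistency constraints this section states to one rule's settings: four-eyes, Reset Password and Enable Profile rules need Yes, Must be Changed; Notify User needs a non-blank Factor; security questions cannot be combined with RADIUS; and Maximum attempts (described under Additional Behaviors below) runs 1 through 9. The dictionary keys and the sample rule names are assumptions; the values are the 5250 keywords shown in parentheses in the text.

```python
# Added example (not Assure Security code): checks one rule's Authentication tab
# settings against the constraints stated on this page. The dict keys are assumed;
# the values are the 5250 keywords shown in parentheses in the text.
FOUR_EYES_PREFIX = {"File Access": "DFU4", "SQL Access": "SQL4"}
PRESENTATIONS = {"*HIDE", "*DISPLAY", "*CHANGE", "*OTHER"}


def is_four_eyes(rule):
    """A four-eyes rule is a File Access rule named DFU4* or an SQL Access rule named SQL4*."""
    prefix = FOUR_EYES_PREFIX.get(rule["category"])
    return prefix is not None and rule["name"].startswith(prefix)


def validate_rule(rule):
    """Return the list of violated constraints; an empty list means the rule is consistent."""
    problems = []
    presentation = rule.get("profile_presentation")
    if presentation not in PRESENTATIONS:
        problems.append(f"unknown Profile presentation {presentation!r}")
    # Four-eyes, Reset Password and Enable Profile rules must use Yes, Must be Changed.
    needs_other = is_four_eyes(rule) or rule["category"] in ("Reset Password", "Enable Profile")
    if needs_other and presentation != "*OTHER":
        problems.append("Display user profile in challenge must be Yes, Must be Changed (*OTHER)")
    # Notify User rules need a non-blank Factor (the default is PUSH).
    if rule.get("action") == "*NOTIFY" and not rule.get("factor", "").strip():
        problems.append("Factor must be non-blank when Action is Notify User")
    # Security questions cannot be used together with RADIUS authentication.
    if rule.get("authenticator") == "*RADIUS" and rule.get("questions", 0) > 0:
        problems.append("Security questions cannot be used with RADIUS authentication")
    # Max nb. of attempts accepts 1 through 9.
    if not 1 <= rule.get("max_attempts", 0) <= 9:
        problems.append("Maximum attempts must be 1 through 9")
    return problems


# Constructed sample rules: the first is consistent, the others violate constraints.
SAMPLE_RULES = [
    {"name": "DFU4PAYRL", "category": "File Access", "action": "*LISTENER",
     "profile_presentation": "*OTHER", "authenticator": "*RAMI", "questions": 2,
     "max_attempts": 3},
    {"name": "SQL4AUDIT", "category": "SQL Access", "action": "*DSPF",
     "profile_presentation": "*DISPLAY", "authenticator": "*RADIUS", "questions": 2,
     "max_attempts": 10},
    {"name": "PAYROLL", "category": "File Access", "action": "*NOTIFY",
     "profile_presentation": "*HIDE", "authenticator": "*NONE", "questions": 0,
     "factor": "   ", "max_attempts": 1},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"], validate_rule(rule) or "OK")
```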

Email

These fields are only displayed when One-time Password or One-time Password + Questions was selected for Additional authentication.

Field Description
Email subject - Identifies the subject of the email containing the one-time password.
Email body - Identifies the body of the email containing the one-time password.

You can include attributes in the Email subject and body. Click the attribute icon on the upper right to select an attribute from the list. The following attributes are available:

Attribute                           5250 Field   Notes
One-time password                   TOKEN        Available only for the Email body field
One-time password expiration date   TOKENDTS     Available only for the Email body field
Challenge reason                    TEXT         Available only for the Email body field
System name                         SYSTEM
User name                           PROFILE
User email address                  MAIL
User IP address                     IPADDR
Job name                            JOBNAME
Job user                            JOBUSER
Job number                          JOBNBR
Job subsystem                       JOBSBS
Current date and time               NOW
Assure SAM command/SQL statement    MSGDTA

If custom commands have been specified in the Send Information field in the 5250 interface, the following field is displayed:

  • Custom command - Use the information specified in the 5250 interface for sending the One-time password by email.
  • Standard email - Override the information specified in the 5250 interface and use the Email subject and details specified in the Web User Interface.
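As an added example (not the product's own code), this Python snippet validates and renders an Email subject and body using the attribute names from the table above, rejecting the three body-only attributes when they appear in the subject. The &NAME placeholder syntax, the sample texts and the sample values are assumptions; the page does not show how an inserted attribute appears in the text.

```python
import re

# Added example (not Assure Security code). Attribute names are the 5250 field names
# listed above; the three body-only ones carry the one-time password, its expiry
# and the challenge reason. The &NAME placeholder syntax is an assumption.
BODY_ONLY = {"TOKEN", "TOKENDTS", "TEXT"}
ATTRIBUTES = BODY_ONLY | {"SYSTEM", "PROFILE", "MAIL", "IPADDR", "JOBNAME",
                          "JOBUSER", "JOBNBR", "JOBSBS", "NOW", "MSGDTA"}
PLACEHOLDER = re.compile(r"&([A-Z]+)")


def check_template(text, field):
    """Return the placeholders in `text` that are not allowed in `field` ('subject' or 'body').

    Unknown names are always reported; TOKEN, TOKENDTS and TEXT are reported for the
    subject, which keeps the one-time password out of a line that mail clients show in
    notification previews and message lists.
    """
    names = set(PLACEHOLDER.findall(text))
    bad = names - ATTRIBUTES
    if field == "subject":
        bad |= names & BODY_ONLY
    return sorted(bad)


def render(text, values):
    """Substitute known placeholders; unknown ones are left exactly as typed."""
    return PLACEHOLDER.sub(lambda m: str(values.get(m.group(1), m.group(0))), text)


# Constructed sample: a subject/body pair and the values a challenge would supply.
SUBJECT = "Assure MFA code for &PROFILE on &SYSTEM"
BODY = ("Your one-time password is &TOKEN (valid until &TOKENDTS).\n"
        "Reason: &TEXT\nJob &JOBNAME/&JOBUSER/&JOBNBR from &IPADDR")
VALUES = {"PROFILE": "JSMITH", "SYSTEM": "PROD01", "TOKEN": "482913",
          "TOKENDTS": "2024-10-15 10:38", "TEXT": "DFU access to PAYROLL",
          "JOBNAME": "QPADEV0001", "JOBUSER": "JSMITH", "JOBNBR": "123456",
          "IPADDR": "192.0.2.10"}

if __name__ == "__main__":
    for field, text in (("subject", SUBJECT), ("body", BODY)):
        assert not check_template(text, field), check_template(text, field)
    print(render(SUBJECT, VALUES))
    print(render(BODY, VALUES))
```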

Additional Behaviors

Field Description
Listener challenge time limit - Identifies the maximum amount of time allowed for a user to correctly respond to all of the authentication challenge requirements. (5250 field: Time Out)
  • No Time Limit - The user has unlimited time to respond to all challenge criteria. (Time Out=0)
  • Specify - When selected, an additional field displays the time limit in seconds, minutes, or hours.
Maximum attempts - Identifies the number of attempts the user is given to correctly respond to all challenge criteria before being rejected. Each attempt includes responses to all of the relevant challenges (for example, password, MFA passcode, and security questions). The possible values are 1 through 9. (5250 field: Max nb. of attempts)
Re-authenticate - Identifies when subsequent requests by the same user profile or job must re-authenticate. During a valid session, new authentication requests by the same user profile or job are automatically accepted without a challenge. (5250 field: Life Time)
  • Always - The authentication session expires immediately and the user profile or job must re-authenticate for every access attempt. (Life Time=0)
  • Specify - When selected, the After field identifies the time in seconds, minutes, or hours before a valid authentication session expires and re-authentication is required.
Log - Identifies the logging level for the rule.
  • Allowed - Only allowed authentication events are logged.
  • All - All events are logged.
  • Denied - Only denied authentication events are logged.
  • None - No events are logged.
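As an added example (not the product's own code), the following Python model shows how the three Additional Behaviors settings interact: a correct, complete response within the Time Out opens a session that lasts Life Time seconds, Life Time=0 forces a fresh challenge on every request, and the challenge is rejected once Max nb. of attempts is used up. Keying sessions by (profile, job) and measuring everything in seconds are assumptions.

```python
from dataclasses import dataclass, field

# Added example (not Assure Security code): a model of the Additional Behaviors
# settings. Times are seconds; sessions are assumed to be keyed by (profile, job).


@dataclass
class Behaviours:
    life_time: int     # Re-authenticate: seconds a session stays valid, 0 = Always
    max_attempts: int  # Maximum attempts, 1 through 9
    time_out: int      # Listener challenge time limit, 0 = No Time Limit


@dataclass
class RuleSessions:
    rule: Behaviours
    expiry: dict = field(default_factory=dict)  # (profile, job) -> session expiry time

    def request(self, profile, job, now):
        """'ACCEPT' while a session is valid, otherwise 'CHALLENGE' the requester."""
        until = self.expiry.get((profile, job))
        return "ACCEPT" if until is not None and now < until else "CHALLENGE"

    def challenge(self, profile, job, started, responses):
        """Run one challenge. `responses` is a list of (time, all_criteria_correct)
        tuples; one tuple is one attempt covering password, passcode and questions."""
        for attempt, (when, correct) in enumerate(responses, start=1):
            if self.rule.time_out and when - started > self.rule.time_out:
                return "DENY"  # Time Out exceeded before a complete correct response
            if correct:
                # Life Time=0 means the session expires at once, so request() re-challenges.
                self.expiry[(profile, job)] = when + self.rule.life_time
                return "ALLOW"
            if attempt >= self.rule.max_attempts:
                return "DENY"  # Max nb. of attempts used up
        return "DENY"  # challenge abandoned without a correct response


if __name__ == "__main__":
    # Constructed walk-through: 10-minute sessions, two attempts, two-minute time limit.
    s = RuleSessions(Behaviours(life_time=600, max_attempts=2, time_out=120))
    print(s.challenge("JSMITH", "QPADEV0001", 0, [(10, False), (40, True)]))  # ALLOW
    print(s.request("JSMITH", "QPADEV0001", 500))  # ACCEPT, session still valid
    print(s.request("JSMITH", "QPADEV0001", 640))  # CHALLENGE, session expired
```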