We only have two levels. End-users get only 5250 and admins get everything. I have a read-only config in the share end-users use that restricts options. Admins have a different share with an unrestricted config and a symlink to the iACS JAR.
-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Wednesday, July 18, 2018 2:27 PM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxx>
Subject: ACS central location deployment for all users - securing ACS options
I'm testing ACS central location deployment for all users.
AcsConfig.properties was changed/updated to install to Users\public.
com.ibm.iaccess.AcsBaseDirectory=C:\Users\Public\Documents\ACS
Install was done initially with install_acs_64_allusers.js /AdminConfig.
All options were answered with 'Y', full access.
I created a single .hod session, which will be stored on the local PC.
Generate option, use computer name, Truncate ending, Avoid duplicate names on this workstation.
SSL and EIM enabled.
Then created a public desktop shortcut to this .hod saved session.
All working fine for any user, multiple sessions.
The nice thing here is only one session had to be created for all users/all PCs.
This will be included in the PC image when rolled out.
The issue I have now is I need to secure the ACS options for the normal user.
They should NOT have:
Data Transfer
IFS
Navigator for i
Manage DB2
SQL scripts.
When using ACS central location, a big negative is the capability of picking/choosing which options to give a user.
I could create a 2nd ACS central location deployment, with all options set to "N".
Possibly will do this.
But some users may only need one or two options.
Or, do I only use central location for base ACS, no options, and use local location for any user with ACS+ options?
How are others managing the ACS options when central location deployment is used?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/