Confused on VLF-ONE User Management

[jyoung]

I am really confused on how you are supposed to manage users in VLF-ONE.

Let me recap what I am trying to do and hopefully someone can tell me what I am missing.

We deploy to a development/test iSeries and a production iSeries. We authenticate the user with their iSeries credentials and get their iSeries group profile on successfull authentication. I then use that iSeries group profile to map to a VLF-ONE user (akin to a Role) and that manages the access to different Applications / Business Objects via the VLF-ONE User. At lot of that info came from http://vlforum.lansa.com.au/viewtopic.php?f=3&t=1221.

The VLF Logon Handler enables Framework Security swaps the UserProfileToCheck with the mapped VLF profile.

iSeriesProfile => VLF User
QSECOFR => ADMIN_USR
QPGMR => ADMIN_USR
GROUPCR => CREDIT_USR

Of course when running locally, the iSeries Profile is not used and I log in directly as the VLF User ADMIN_USR.

This works great locally where I can use the VLF tool to create the VLF profiles. Its when I try to do the same on the iSeries that I am running into problems. This would not be a problem if I could use the XML file, but this document tells me I cannot use it for VLF-ONE. http://docs.lansa.com/14/EN/lansa048/in ... 8_2000.htm

So I have to get these profiles into the iSeries some other way.

With Framework Sercurity enabled, I cannot log in (my iSeries group being QPGMR) because I am not authorized to the Framework. Makes sense, because I have no profiles in the framework to use.

If I disable Framework Security, I can get to the Users and Groups object, but I get the warning that Framework Security is not enabled and will not be saved for this framework.

Ok, so I can't use the VLF-ONE Administration Application to create a user until I can get a user in VLF-ONE. It seems like the chicken/egg problem.

The VLF Tools that use locally only seem to work locally, I don't see how I can tell it to go to the development iSeries instead of my local SQL Server.

I've read about exporting and importing users, but that seems to only work for VLF-WIN, and this quote in the docs "Note Condition: The import feature is part of VLF-WIN. The imported data is useable by VLF-WIN and VLF-ONE." http://docs.lansa.com/14/EN/lansa048/in ... 8_0020.htm makes no sense to me. This doc says that I can import from the XML file, http://docs.lansa.com/14/EN/lansa048/in ... 8_0020.htm, ok, that tool is not in VLF-ONE so how do I get that tool to talk to the development server?

Other parts in the docs say to "Log in as the Admin User ...".

How in the world do you get that Admin user in VLF-ONE in the first place?

[jyoung]

Wow, I think I got this figured out after tons of experimentation and locking myself out our iSeries.

I added the server to the VLF tool and then without restarting the tool, I selected Users and got a warning that the users were not coming from the development server or was being updated to the development server.

Ok, when I restarted the tool I had to log into it but, none of my logins worked, but *PGMLIB did.

Going into the users, there was this ADMIN_USER already there. I tried to get in VLF-ONE with it, but could not, I tried *PGMLIB but it did not work either.

I added my ADMIN_USR profile that my Logon Handler swaps the profile out for QPGMR and QSECOFR and tried to login as me (QPGMR) and I GOT IN.

I don't know if I missed how to do this in the docs or simply did not understand it, but for anyone else having trouble with it, here is how I did it.

Open the VLF Tool as a Designer
Go to Properties / User Adminisrtation Settings, check the following

framework security.PNG (42.66 KiB) Viewed 13190 times

Go to Administration / Sever and add your server details, then save and restart the VLF Tool.

Open the VLF Tool as a Designer and Log in as *PGMLIB, for me it was DCXPGMLIB.

logon.PNG (7.37 KiB) Viewed 13190 times

Now you should be able to add an initial admin user. Make sure you select the "Administrative User" check box. I also when into Authorities and made sure he had access to everything.

admin_user.PNG (25.28 KiB) Viewed 13190 times

Depending on how your Logon Handler is working, you should be able to get into VLF-ONE as the admin and add additional profiles as required.

Hope this helps someone.

Edit:
I think the key part that I was missing was that the user management needed to be done via the VLF Tool and that it connects to the server after you have defined it and logged into it.

[MarkD]

Your initial idea was the way to go I think.

Have a ‘special’ user profile that your VLF-ONE logon program recognizes and returns #UseFrameworkObjectAuthority := False

That special user can then log on and run the authorization programs directly from VLF-ONE.

The special user will get a confusing warning about framework security being turned off and not being saved, but they should be able to create some initial users and tag them as administrators.

The warning message is incorrectly worded.
It should not say the details will not be saved, it should say that they will not be applied.
We will change that.

Is your last point about the check boxes a defect?

[MarkD]

I would only use the special user to create some administrative users.
Don't use it to maintain user authorities.
Log on as an administrative user to do that.

[jyoung]

Hey Mark,

Yeah the warning message when FrameworkSecurity is disabled is really confusing which is one of the main reasons why I was having a hard time understanding how to do this. It makes sense that the security is not applied, but not being saved made no sense.

Using the VLF-ONE tools would definitely be the easier option, instead of the way I have outlined. Knowing that now, I will likely set may QSECOFR and QPGMR groups to disable framework security and ignore the warning.

When I was working with the authorities yesterday they did not seem to be persisting, now they are. Perhaps I was doing something stupid or something was not getting refreshed. I will update the edit.

Thanks,
Joe