External Designer Access

[RussCraig]

I have ProfoundUI set up using SSL so our clients can connect remotely. It works great, they can go to "https://examplesite.com/client", and it runs the Alias pointing to Profound UI's "start.html". Also have it set up so if they try to access it using "http://", it will rewrite and force "https://". Our clients then use a general IBM profile (same for all clients) to log in and get presented with a second logon screen. This second logon is where their access level gets determined. This is all working great.

One thing I noticed though, is they can go to "https://examplesite.com/profoundui/designer" and it will prompt for the IBM profile. If they enter the general IBM profile that was created for the above use, it'll load up Visual Designer. This is not good.

Is there a way in the HTTP configuration to block "/profoundui/designer" for external access, but still allow it for local/internal access? Or am I going about this the wrong way? I could remove the designer Alias, but then I wouldn't be able to access the designer at all, even locally.

Perhaps the ability to restrict Visual Designer to only certain user profiles?

Any help is greatly appreciated. Thanks,
-RC

[David]

You could disallow the general IBM i profile from accessing the designer program using system authorities. Would this help?

The designer is a normal system object, PROFOUNDUI/PUI0001100 *PGM. You can set authorities on this in the normal way to control access by profile.

If you set the generic IBM i profile to *EXCLUDE on this object, they should then get a 403 - Not Authorized error if they attempt to sign into the designer with this profile.

[RussCraig]

Object authorities! Duh!

That's exactly what I needed. I now have the designer limited to a single profile.

Huzzah for more security :-P

Thanks!
-RC