Using the Reflection for IBM Profiler to Lock Down Reflection

  • 7021697
  • 15-Mar-2007
  • 01-Apr-2018

Environment

Reflection for IBM version 13.0 through 14.x

Situation

The Reflection profiler is a tool that enables system administrators to control which Reflection features are available to users. This technical note describes how the profiler can be used to lock down Reflection.

Resolution

About the Reflection for IBM Profiler

Using the Reflection for IBM Profiler, you can make these customizations:

* Limit the availability of particular commands in Reflection.
* Prevent changes to particular settings in Reflection.
* Designate a startup settings file.

How Reflection for IBM Profiling Works

The Reflection for IBM Profiler saves profile information in a file called Profile8.rpf.

Supported Locations

On startup, Reflection for IBM looks for Profile8.rpf in the following locations:

  1. A Reflection subfolder located in the personal Application Data folder.

For Windows 2000 and XP, the default location for this hidden folder is C:\Documents and Settings\<user>\Application Data\Attachmate\Reflection.

  1. A Reflection subfolder located in the common Application Data folder.

For Windows 2000 and XP, the default location for this hidden folder is C:\Documents and Settings\All Users\Application Data\Attachmate\Reflection.

  1. The Reflection folder. The default path is C:\Program Files\Attachmate\Reflection.

If Profile8.rpf is found in any of these locations, Reflection sessions use the settings that are locked down in the profile file.

If more than one Profile8.rpf file is present:

  • Reflection honors the disabled (locked) states for any setting configured in any of the profile files.
  • If a profile file in more than one location specifies a Startup settings file, Reflection uses the settings file specified in the profile file found in the last location in the list of Supported Locations above.
  • If more than one location specifies password settings, Reflection uses the password settings specified in the profile file found in the last location in the list of Supported Locations.

Installing the Profiler

The Reflection for IBM profiler is installed as part of the Reflection Administrator’s Toolkit. If you have Reflection for IBM installed on the workstation, the installer automatically installs the profiler.

If Reflection for IBM is not installed on the workstation, manually select Reflection for IBM Profiler to install it.

Running the Profiler

The Profiler can be launched in two ways: from the Reflection Customization Manager or as a standalone application.

Launching the Profiler from Reflection Customization Manager

The Reflection Customization Manager is a tool provided by Attachmate to prepare and customize Reflection installation. You can use the Reflection Customization Manager when you want to distribute profiled copies of Reflection to multiple workstations where Reflection is installed.

When the Profiler is launched from the Reflection Customization Manager, the Profile8.rpf is written to the Administrative Installation. The transform created by the Customization Manager is updated to include information about the file and then deploys Profile8.rfp to the appropriate location for all users (specifically, All users application data).

For more information about the Reflection Customization Manager, see the Reflection Deployment Guide on the Attachmate support site https://docs.attachmate.com/reflection/14.1/deploy.pdf.

Launching the Profiler as a Standalone Application

To launch the Reflection for IBM Profiler as a standalone application, run it from the Windows Start menu: click Start > Programs > Attachmate Reflection > Administrative Tools > IBM Profiler.

When you launch the Reflection for IBM Profiler from the Windows Start menu, profiles are saved by default to the Toolkit folder. The default location for this folder is C:\Program Files\Attachmate\RToolkit.

Any profiler changes saved to the \RToolkit location have no effect on subsequent Reflection for IBM sessions. To test your changes on your workstation, copy the Profile8.rpf file to one of the Supported Locations listed above. You can also directly save the profile information to one of the supported locations by using the Save Profile To button on the General Tab.

Limiting Access to Commands

In Reflection's architecture, all actions are processed as commands. By default, all of the Reflection commands are available; however, any Reflection command can be disabled.

For example, if you disable the NewSessionDlg command, users are prevented from executing this command in a script or on the command line, and from clicking the New Session menu. Similarly, if you disable SetToolbarPos, the toolbar cannot be moved by any means.

In the Reflection Profiler, you can use the Command Group drop-down list to quickly narrow your choice of commands. For example, by selecting the Dialog Commands you can find the names of menu dialogs such as Terminal Setup (TerminalSetupDlg) or Keyboard Map Setup (KeyboardMapSetupDlg).

To limit access to Reflection commands:

  1. Click the Commands tab.
  2. Select a Command group (beneath the list of Reflection commands) to view all of the commands in that set.
  3. Select the commands you want to disable from the Reflection commands list.

A green circle indicates that the command is available; a red X displays if the command is not available.

Note: To select more than one command, click a command, hold down the Ctrl key, and then click additional commands. To select a block of commands, click a command, hold down the Shift key, and then click another command. Both commands, plus all commands between them, are selected.

  1. Select the Executable check box or double-click the command to control the availability of the selected command(s).
  2. Click Apply to implement your changes and keep the Profiler open to make changes on other tabs. Or, click OK to save changes and close the Profiler.

To make all selected commands available for use, click the Default (with no "s") button beneath the Executable check box. To make all commands available, click Defaults (with an "s") in the bottom row of buttons.

Preventing Changes to a Setting

When you prevent a setting from being modified, it is impossible for the user to change the value of that setting. By preventing changes to a particular setting, and then designating a startup settings file, you ensure that a particular value for that setting is always in effect.

For example, by restricting access to the HostName setting, and then designating a startup settings file in which HostName is set to VIRGIL, you make VIRGIL the only host that users can connect to.

To prevent changes to a setting:

  1. Click the Settings tab.
  2. Select one or more settings from the Reflection settings list.

This list shows all settings. A green circle indicates that a setting can be modified; a red X displays if the setting cannot be modified.

Note: To select more than one setting, click a setting, hold down the Ctrl key, and then click additional settings. To select a block of settings, click a setting, hold down the Shift key, and then click another setting. Both settings, plus all settings between them are selected.

  1. Select the Modification enabled check box or double-click a setting to control the availability of the selected settings.
  2. Click Apply to implement your changes and keep the Profiler open to make changes on other tabs. Or, click OK to save changes and close the Profiler.

Designating a Startup Settings File

A startup settings file is like any other settings file, except that its existence is unknown to the user. When you designate a startup settings file, you build a settings file into Reflection and are effectively modifying Reflection's default values.

To the user, there is nothing to indicate that a settings file has been built into Reflection. Users can still load a settings file as they usually would (unless OpenSettings is disabled). In effect, Reflection can run two settings files simultaneously: a startup settings file, which is not evident to the user, and a regular settings file that the user loads.

To designate a startup settings file:

  1. Click the Files tab.
  2. Under Startup defaults, select the Enable check box to enable a startup settings file.
  3. Click Browse and select the startup settings file.
  4. Click Apply to save your changes to the Reflection for IBM profile file (Profile8.rpf) and keep the Profiler open to make changes on other tabs. Or, click OK to save changes and close the Profiler.

The values contained in the default settings file are written into Reflection—the default settings file does not need to accompany the Reflection program files. However, you may want to maintain a copy of itto be able to make future changes to your profiled version of Reflection.

Note: You cannot use a startup settings file to change an existing settings file. The startup settings file only affects the default values of any new settings files created.

Accessing the settings file after it has been profiled

Once you have profiled a settings file, you can no longer access the command or settings. If an administrator needs to access the settings file, the Profile8.rpf file must be temporarily removed or renamed.

By locating the Profile8.rpf file in a user-specific location (the first of the Supported Locations), you can disable access for a specific group of users by copying the Profile8.rpf to only their machines.

Step-by-Step Example

The following example provides detailed steps for creating a Profile8.rpf file that

  • Provides a set of users access to your mainframe

and

  • Disables their ability to make any changes to Reflection

Here is one approach. (Detailed steps follow.)

  1. Modify the default Reflection toolbar to remove the New, Open, Save, Run Macro, and Record Macros buttons. (Or you could customize a new toolbar or remove the toolbar from Reflection.)
  2. Create a settings file that does not include the Connection, Setup or Macro menus. And the File menu does not include New Session, Save, or Save As.
  3. In the Reflection Profiler, disable the Setup dialogs, File New, and Save options
  4. Copy Profiler8.rpf to the User’s application Data.

Note: Since you will be removing access to several Setup dialogs, you will want to configure the toolbar and menus before removing their Setup dialogs. Also, you can still access the dialogs by using the Reflection command unless the access to the command has been disabled in the profiler.

First, modify the standard toolbar and remove any buttons that access file open, setup or macros. To remove a button from the toolbar:

  1. In Reflection, clidk Setup > Toolbar to open the Toolbar Setup dialog box.
  2. Click the Predefined Buttons tab. On the Reflection Toolbar (not part of the dialog box), click the button you want to delete and drag it off the toolbar.
  3. Release the mouse button.
  4. Click Yes when Reflection prompts you for confirmation.

Next, remove the Connection, Macro, File open, and Setup menus. To remove menu items:

  1. In Reflection, click Setup > Menu to open the Menu Setup Dialog box.
  2. In the Defined Menu list, select the Connection menu t and click Remove. The entire Connection menu will be removed.
  3. Then, select the Macro menu and click Remove.
  4. Expand the File menu (by clicking the [+] next to &File).
    1. Select New Session and click Remove.
    2. Select Save and click Remove.
    3. Select Save As and click Remove.Menu item.

You may also want to delete the Separator.

  1. Click OK
  2. Review the menus and make any additional changes
  3. Now remove the Setup menu. Note: After removing the Setup menu, you can only access the setup menu through commands.

To display Menu Setup dialog after removing the menu, double-click the status bar on the bottom of the terminal window to open the Reflection for IBM command line. Enter MenuSetupDlg to display the menu setup dialog.

Save the settings file by using VBA, since e the File Save menu items have been removed.

  1. In Reflection, double-click the status bar on the bottom of the terminal window to open the Reflection for IBM command line.
  2. Enter SaveSettingsDlg and press return to display the File Save dialog now that it has been removed from the menu.
  3. Enter your settings file name and click Save.
  4. Press Escape to exit the command line.

Now, profile Reflection for IBM to disable access to the setup dialogs.

  1. Start the Reflection for IBM profiler.
  2. Select the Commands tab and from the Command Group drop-down list, select Dialog commands.
  3. Scroll through the list of dialogs and disable the dialogs that are used on the Setup menu, Macro menu, Connection menu and File> Save:
DisplaySetupDlg
TerminalSetupDlg
OnEventSetupDlg
TransferSetupDlg
HotlistSetupDlg
HotspotSetupDlg
KeyboardMapSetupDlg
MenuSetupDlg
MouseSetupDlg
ToolbarSetupDlg
ViewSettingsDlg
MacroDlg
OpenSettingsDlg
SaveSettingsDlg
SaveSettingsAsDlg
SaveLayoutDlg
EditScriptDLG
RecordingSetupDlg
RunScriptDlg

By disabling the commands listed above, the user is prevented from accessing the dialogs from all menus and programmatically.

Now save the profile information and copy to a location where it will be read by Reflection for IBM.

  1. When all items have been disabled, click Apply to save the profile. A Profile8.rpf will be created in the RToolkit folder.
  2. The Profile8.rpf file can be copied to the appropriate location such as Users Application Data\Attachmate\Reflection so it will be read by Reflection for IBM. (See Supported Locations for a reminder.)

You can also save the profile directly to this location by clicking the Save Profile To button on the General Tab.

References

For more information, see the following references:

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2177.