PROTECTING OBJECTS/USER PROFILES

[Guest.Visitor]

On Saturday, January 25, 1997, 03:26 PM, Henry Q. wrote: DOES ANYONE KNOW OF A WAY TO PROTECT A USER PROFILE AND/OR OBJECTS FROM ACCIDENTAL DELETION BY IBM CE OR ADMINISTRATORS USING QSECOFR? Henry Sorry, no. The QSECOFR profile can do anything, whether accidental or deliberate. You will have to restrict use of the profile instead. For your security administrator, if there are specific functions that need to be done, you might consider creating custom commands that adopt authority. Then the security administrator can do exactly what is needed and no more. Alternatively, you might look at what can be done by a user with *secadm authority - does that cover what your security administrator requires? As for the CE, I can't imagine why it is needed. Debbie Gallagher

[flensburg@novasol.dk]

Hi Henry, With 320 respectively 370 some new exit points for user profile handling are introduced (use WRKREGINF to see examples of this facility). These exit points will allow a user written program to be called before or after the actual deletion of the profile. Inside Version 3 (a US AS/400 magazine) had an article about the use of these exit points in october 96. Please let me know if I can help you with further information. Best regards, Carsten Flensburg

[Guest.Visitor]

On Friday, January 24, 1997, 10:17 AM, Gary Gravino wrote: In order to fully secure my AS/400 database from PC clients using CA/400 tools (file transfer, remote command, ODBC) while also giving them access to the data they are authorized to query. I want to give them authority to LF's or SQL views which limit what they can see. However, in order to give a user access to a LF/View I must also give him authority to the 'based on' physical file(s). I consider this a major security flaw in the AS/400. I should be able to give a user *USE authority to a view called VIEW1 without giving him any authority to FILE1, the PF that VIEW1 is based on (Of course the CREATOR of the LF must have authority to the based on PF). I think the model should be: "The user is authorized to the LF and the LF is implicitly 'authorized' to the PF". I do it with Oracle views. We never let users have direct access to the base tables in our Oracle database, only to views that control which tables, rows, and columns they can access. Is there any way around this on the AS/400 ??? p.s. I also must give them *USE authority to the library object that contains the PF so that they can run batch jobs (reports) from their interactive sessions in which the job description contains the library in its library list. * * * * * Well, well, well. I read your comments in the Editors Forum. Actually, I was planning to answer, but wanted to know what OS/400 level you were at, and was waiting for the answer before commenting further. Actually, the answer posted by Dave Shaw is the one I would have given too. If you want further info, read the manual AS/400 Security - Reference. You should have received this manual with your AS/400. For V3R1, see chapter 7 Designing Security, pages 7-8 and 7-9 that give examples of how to do this. The manual appears to be written differently for V3R1 than for other releases, thus the interest in your OS level. In addition, Wayne Madden's book Implementing AS/400 Security - 2nd Edition (sold by the same publishers as News/400) has a good description in Chapter 5, pages 102 to 105. Please note that I work for Saville Systems in Toronto, Canada, as a System Resource Administrator (nice fancy title for DASD Cop). It is a salaried position. I do not work for Midrange Computing, for News/400, or for Wayne Madden, and do not get royalties for copies of the Security Reference Manual that are sold. Best of luck with securing your logicals. Debbie Gallagher