Security: OPM -vs ILE


  • Security: OPM -vs ILE

    I’ve been reading a book on AS/400 Security lately and it occurred to me that establishing security in an OPM environment may be different than an ILE environment. For example, suppose that an interactive OPM RPG program named PGM_A allows some users to hit a function key and call OPM PGM_B. Since these are two distinct program objects, object security on PGM_B would control who can call PGM_B (indicator on CALL opcode or use CHKOBJ AUT(*USE)).

    Now, in an ILE environment, PGM_A and PGM_B would actually be modules linked into one program object, PGM_A. Now, my question is, since you only have one program object, how do you control access to the function key? Do you put authorities on the modules and check those objects instead? I doubt it. Do you create a PF keyed by user and the name on the "CALLB" or "CALLP" and use that to simulate authority? This seems to defeat the purpose of having OS/400 security. Do you create two ILE programs, PGM_A and PGM_B? This seems to defeat the purpose of using ILE to increase performance by linking modules into one program. This is the only reasonable solution I can think of though, having two distinct program objects, each with distinct object authorities.

    Can I somehow have one program object and separate authorities to the modules?

    Thanks!
    Chris

  • #2
    Security: OPM -vs ILE

    Chris,

    On Monday, February 22, 1999, 11:45 AM, Chris Ringer wrote:

    > I’ve been reading a book on AS/400 Security lately and it occurred to me that establishing security in an OPM environment may be different than an ILE environment. For example, suppose that an interactive OPM RPG program named PGM_A allows some users to hit a function key and call OPM PGM_B. Since these are two distinct program objects, object security on PGM_B would control who can call PGM_B (indicator on CALL opcode or use CHKOBJ AUT(*USE)). Now, in an ILE environment, PGM_A and PGM_B would actually be modules linked into one program object, PGM_A. Now, my question is, since you only have one program object, how do you control access to the function key? Do you put authorities on the modules and check those objects instead? I doubt it. Do you create a PF keyed by user and the name on the "CALLB" or "CALLP" and use that to simulate authority? This seems to defeat the purpose of having OS/400 security. Do you create two ILE programs, PGM_A and PGM_B? This seems to defeat the purpose of using ILE to increase performance by linking modules into one program. This is the only reasonable solution I can think of though, having two distinct program objects, each with distinct object authorities.

    I think you have answered your own question...

    > Can I somehow have one program object and separate authorities to the modules?

    No. Not without the application itself implementing its own security scheme (as you suggest above). But imho it seems to me that you can only ask this question if you misunderstand the intended use of bound calls. To develop in ILE is NOT to stick Everything into a single pgm object.... ;-)

    If you were to take an Average OPM Application as an example and convert it to ILE, I would suggest that you would end up with a similar(ish) number of pgm objects, some extra srvpgm objects to implement shared code separated from the OPM pgms, and some other srvpgms to replace high use "utility" type pgms. Doing this you still have a similar scope to apply object level security. You could even consider it more secure as the utility pgms are now not directly callable.

    Derek



    • #3
      Security: OPM -vs ILE

      Chris,

      If you wanted to implement this method then why not use service programs, since a service program can have adopted authority? If you have an existing modular type approach as you described, with a number of OPM programs, I don't follow why you would want to migrate this into large singular ILE programs. To me it seems more natural to take your existing modular structure and implement these common modules as modules in service programs.

      David



      • #4
        Security: OPM -vs ILE

        David,

        On Monday, February 22, 1999, 08:31 PM, David Bye wrote:

        > Chris, If you wanted to implement this method then why not use service programs, since a service program can have adopted authority? If you have an existing modular type approach as you described, with a number of OPM programs, I don't follow why you would want to migrate this into large singular ILE programs. To me it seems more natural to take your existing modular structure and implement these common modules as modules in service programs. David

        I would want to keep the modular approach. I guess I've read articles that compare "bind by reference" and "bind by copy" and list reasons for using one over the other but didn't mention security as a factor in the decision. So, I can create a service program, establish authorities on that object and still use CALLB. Ok, that makes sense. Thanks for the help.

        Chris
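
The object-authority gate described in the first post (CHKOBJ AUT(*USE) against a separately secured PGM_B), written out as a small CL helper. This is an added example, not code from any poster in the thread; the helper name CHKCALL, the library APPLIB and the user CLERK1 are assumptions made up for illustration.

```cl
/* CHKCALL: hypothetical helper, constructed for this example.            */
/* Returns &ALLOWED = '1' only when the user running the job has *USE     */
/* authority to the target program object. Anything else fails closed.    */
/*                                                                        */
/* Constructed one-time setup, run by the object owner                    */
/* (APPLIB and CLERK1 are made-up names):                                 */
/*   GRTOBJAUT OBJ(APPLIB/PGM_B) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE) */
/*   GRTOBJAUT OBJ(APPLIB/PGM_B) OBJTYPE(*PGM) USER(CLERK1)  AUT(*USE)     */
/*                                                                        */
/* Caller passes library and program name, for example from PGM_A:        */
/*   CALL PGM(CHKCALL) PARM('APPLIB' 'PGM_B' &ALLOWED)                    */

PGM        PARM(&LIB &PGM &ALLOWED)

  DCL      VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&PGM)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&ALLOWED) TYPE(*CHAR) LEN(1)

  /* Default to "not allowed" so every early exit denies access.          */
  CHGVAR   VAR(&ALLOWED) VALUE('0')

  /* CHKOBJ sends an escape message when the check fails:                 */
  /*   CPF9801 object not found, CPF9802 not authorized to object,        */
  /*   CPF9810 library not found, CPF9820 not authorized to library.      */
  CHKOBJ   OBJ(&LIB/&PGM) OBJTYPE(*PGM) AUT(*USE)

  /* CPF9800 is a generic monitor for the whole CPF98xx range, so any     */
  /* of the failures above returns with &ALLOWED still '0'.               */
  MONMSG   MSGID(CPF9800) EXEC(RETURN)

  /* No escape message: the object exists and the user holds *USE.        */
  CHGVAR   VAR(&ALLOWED) VALUE('1')

ENDPGM
```

PGM_A would call the helper before enabling the function key, and would still keep the error indicator on its own CALL to PGM_B, because the authority can change between the check and the call.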
