Network Neighborhood

On windows 98 I go into Network neighborhood,I click "ALBANY" which is the name of our AS/400 system. It displays "all" of the files on the system. I expand Qsys and see all the libraries in QSYS. I click our production library and see all the files in the production library. I double click the payroll file and I can view it. How do I stop this from happening? Any help on this would be greatly appreciated I'll take a stab at this... I created a file in a test library, then set the authority for *PUBLIC to *EXCLUDE and setup authority for just a couple of specific users to *CHANGE authority. Then, when I browse to the file in Network Neighborhood, I get a message from windows that the file is not accessible. Maybe the payroll file you are looking at does not have the proper authority, or else YOU have authority and that is why you can browse the file. ==Scott==

Network Neighborhood

You need to idenity which users or group of users can access a file. If no access is specified for a file, then it defaults to the library settings. To findout who can access a file, use the dspobjaut command. To change who can use a file, use the chgaut and wrkaut commands. You might want to take a security class at IBM or look at the IBM manuals, "Security Basic", "Security Reference" and "Tips and Tools for Securing Your AS/400".

Network Neighborhood

The easiest way to stop this is to use EDTOBJAUT on the AS/400. Then only those with appropriate access to the objects will be able to view them. Whether it is through Network Neighborhood, Directly on the AS/400 or any other method. Dave

Network Neighborhood

There are problems with this solution, though, which is one reason our AS/400 is not browsable. A user may have a legitimate need to be able to view or even change a file on the AS/400. Perhaps they are data entry and punch in time cards or such that updates the payroll file. They need change access to the file, but becuase they don't have access to a program to be able to view it can't see the file (of course ensuring that limit capabilities is on, or proper authority is set to a lot of utilities such as UPDDTA, etc.). Now the problem comes in when this user is using a PC. Okay, they still can't view the file on the AS/400 5250 screen, but now they can download the entire file through network neighborhood, or file transfer, or ODBC, etc... The solution seems to be something called an Exit Program that I have heard about but have not had enought time to be able to invest to actualy research and write one. And wouldn't I have to write one for every file on my system? I'm not sure, as I haven't done the research, but it seems that would have to be the case. Most users I am not too concerned about, they wouldn't know ODBC from BYOB, and dont even know what network neighborhood is. But, there are a number of users who are smart enough to want to learn what their PC can do, and start clicking on icons, etc... These are some of my best users as they dont' come running to me asking where the Any Key is, and they even show other users how to do their job. But, if I put my AS/400 on the network browsable through network neighborhood, all data is basically an open book to them.

Network Neighborhood

On our AS/400, no user has write access to any files. However, the users can still enter data into programs because of adopted authority. The program is given write access to a file and any user that has access to the program can enter data. This does not mean that a user can access all the files. The way we set it up, users can not access the library with the physical files. We setup libraries for different user groups. Each group library has logical files that point to the physical files. The user only sees the data that is defined in the logicals. Giving users the ability to query data means they can get information they need on their own and our department does not have to get involved in special request for some quick report. I love it.

Network Neighborhood

First, fix your object authority. If users have *ALL authority to objects they can delete those objects via Network Neighborhood, FTP, DDM, etc. End users don't need to be able to delete your master files, do they? After you've fixed your authority so that users can only change data, install exit progams so that they can't change the data from MS EXCEL or MS ACCESS, or whatever.