Tim,

> Is this possible and if so is there a simple CL command to do it?
> I would like to add an exit point program to QIBM_QZDA_INIT to switch the
> user profile to a less powerful profile (for users not found in a control
> table). What command would I use? And if so, would the profile switch
> exist when they make the QIBM_QZDA_SQL1 call, or would I need to switch the
> profile here also?
> Or am I doing this all wrong?
> My goal is this, to create a user profile that excludes our payroll library,
> and give the ODBC requests this profile...

Yes, it is possible. This is a cornerstone feature of our PowerLock NetworkSecurity software, for all of the reasons that you mention in your follow-on posting. This feature allows you to change the personality of a user going through ODBC (or FTP or DDM, etc.) without re-arranging the application security that the application vendor has stuck you with.

I'd have to argue with Evan's points (sorry Evan, you're normally so right!) about simplicity of security design; given the lack of network security in many application packages, lots of folks have found using our Switch Profile capability to be the simplest way to manage ODBC and FTP.

So without giving away all of our trade secrets, here are some technical tips for doing this sort of thing....

- No, there is not a command; you have to write to the swap profile APIs (QWTSETP, QSYGETPH).

- Many of these servers are re-entrant, meaning that they are used 200 times by potentially 200 different users before your program ends and restarts. You have to manage the security each time you go through an exit program because there is no guarantee that the same user will use the same server job twice in a row. You don't want to be handing out authority carte blanche.

- There are a limited number of times that you are allowed to swap within a job. You should go back and clean up after yourself each time.

- Once you swap from "Fred" to "Fred2", expect "Fred2" to have no access to any of "Fred's" stuff. (That's the whole purpose of the exercise.)

- When your exit program returns an "OK" to the server, your program is finished. You don't get an opportunity to swap back after the ODBC transaction is done. You have to clean up on your next trip back into the server. Don't foul this part up, or you'll leave inappropriate authority lying around.

- The original user's library list, outqueue, accounting code, etc. are still attached to the job. The only thing you are changing is the authority landscape.

- As Syd mentioned, there are lots and lots of servers. You'll want to do this for more than just the 4 ODBC servers.

Or, of course, you could save yourself a bunch of time, aggravation, and money and purchase a product like ours. We've been doing exit points for more than six years now. We already know where the land mines are. :)

jte

John Earl
www.powertechgroup.com
john.earl@powertechgroup.com
The Powertech Group Inc.
Seattle, Washington
Where the Security Experts Live!
Phone: +1-253-872-7788
Fax: +1-253-872-7904
--
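A worked version of the tips above, added here as an example; it is not code from the original post, nor from PowerLock NetworkSecurity or any other product. It is an ILE RPG exit program for QIBM_QZDA_INIT (format ZDAI0100) that leaves users listed in a control table alone and swaps everyone else to a restricted profile with the QSYGETPH and QWTSETP APIs, releasing the previous connection's handle with QSYRLSPH on the next trip into the server. The control file ODBCCTL (record format ODBCCTLR, keyed by user profile) and the restricted profile ODBCRO are assumed names, and the program is assumed to be compiled with CRTBNDRPG.

```rpgle
**free
// Hypothetical QIBM_QZDA_INIT exit program (format ZDAI0100). Added example,
// not from the original post or any vendor product. Assumed names: control
// file ODBCCTL (record format ODBCCTLR, keyed by user profile name) and the
// restricted profile ODBCRO, which has no authority to the payroll library.
ctl-opt dftactgrp(*no) actgrp(*caller) option(*srcstmt:*nodebugio);

// Control table of users who keep their own profile (assumed layout).
dcl-f odbcctl keyed usage(*input);

// Exit-point parameters: status (output, '1' accept / '0' reject) and the
// request block the server passes in.
dcl-pi *n;
  status  char(1);
  request char(32);
end-pi;

// ZDAI0100 layout: user(10) server(10) format(8) requested function (binary 4)
dcl-ds zdai qualified based(pReq);
  user     char(10);
  server   char(10);
  format   char(8);
  function int(10);
end-ds;
dcl-s pReq pointer;

// Standard API error-code structure; bytesProv > 0 makes the APIs report
// failures here instead of sending an escape message.
dcl-ds apiErr qualified;
  bytesProv  int(10) inz(%size(apiErr));
  bytesAvail int(10) inz(0);
  msgId      char(7);
  reserved   char(1);
  msgData    char(64);
end-ds;

dcl-pr getProfileHandle extpgm('QSYGETPH');
  user   char(10) const;
  pwd    char(10) const;
  handle char(12);
  err    likeds(apiErr);
end-pr;
dcl-pr setProfile extpgm('QWTSETP');
  handle char(12);
  err    likeds(apiErr);
end-pr;
dcl-pr releaseProfileHandle extpgm('QSYRLSPH');
  handle char(12);
  err    likeds(apiErr);
end-pr;

dcl-c RESTRICTED 'ODBCRO';   // assumed restricted profile name
dcl-c ALLOW  '1';
dcl-c REJECT '0';

// Globals survive between calls: the program returns without *INLR and the
// server job keeps it active, so the last connection's leftovers are visible
// when the next connection (possibly a different user) comes through.
dcl-s heldHandle char(12);
dcl-s handleHeld ind inz(*off);

// 1. Clean up after the previous connection first. Profile handles are a
//    limited per-job resource and this job is shared by many users.
if handleHeld;
  releaseProfileHandle(heldHandle : apiErr);
  handleHeld = *off;
  heldHandle = *blanks;
endif;

pReq = %addr(request);

// 2. Fail closed on an unexpected format rather than guessing the layout.
if zdai.format <> 'ZDAI0100';
  status = REJECT;
  return;
endif;

// 3. Users in the control table keep their own authority.
chain zdai.user odbcctlr;
if %found(odbcctl);
  status = ALLOW;
  return;
endif;

// 4. Everyone else runs this connection as the restricted profile.
//    *NOPWD requires the caller to have *USE authority to ODBCRO.
getProfileHandle(RESTRICTED : '*NOPWD' : heldHandle : apiErr);
if apiErr.bytesAvail > 0;
  status = REJECT;            // no handle: deny rather than leak authority
  return;
endif;
handleHeld = *on;

setProfile(heldHandle : apiErr);
if apiErr.bytesAvail > 0;
  status = REJECT;            // handle obtained but swap failed: deny
  return;
endif;

status = ALLOW;
return;
```

Register it with ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) PGM(MYLIB/ZDAINIT) (library and program name assumed); the database server jobs pick up the registration when they are restarted, for example with ENDHOSTSVR SERVER(*DATABASE) followed by STRHOSTSVR SERVER(*DATABASE). Note the two design choices that follow from the tips above: every failure path rejects the connection, because returning '1' after a failed swap would hand the caller their full authority, and the only cleanup the program can do is on entry, since nothing calls it back when the connection ends.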
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].