Re: security vs sox question

Denis,

We change the effective user/groups, which in a program that roughly
equivalent to adopting. One advantage is that this carries through
triggers and other programs that drop adoption and works in the IFS. It
also works in multi-threaded jobs. Making it functionally equivalent to
adoption took some work so that authorities are unconditionally dropped
on return during non-exit program use. There are vendors that have done
a lot of this work for you but there is still quite a bit of work
involved.

David Morris

>>> denis_robitaille@xxxxxxxxxxxx 11/04/05 3:06 PM >>>
Hello all,

As many of you, we are going trough the process to get certified for
Sarbane oxley.

Our setup is ok for "green screen" program. We use adopted autority so
that, by themselve, the user do not have access to any files but the
programs do. This way, our data can only be modified from our written
and approved programs (no DFU or client access upload or dynamic SQL
...).

But I wonder how to properly secure access for VB, Java, c# or any
client/server programs that do not run on the Iseries. Since those
program do not run on the Iseries, we can not use adopted autority. So
we must grant more right to the user profil. But i we do so, we can not
stop a user from using any program on his PC to access the data on the
Iseries. 

I checked and the ODBC exit program can not know the name of the
program that uses the connection, thus I can not validate the program
that way.

On the information center, they proposed the use of stored procedure
with adopted autority. But what is stoping a user from calling those
stored procedure from a home made program?

We are looking at the use of swapp profile to increase security, but
this is complex and not bullet proof.

I am looking to hear from other as to how they handle that need of
securing/controling access to Iseries data in client/server mode.

Thanks in advance.

Denis Robitaille