Oddly, when a function written in SQL is created it generates C code. So one way to prevent this sort of function from being created is to restrict the commands to create C objects such as CRTBNDC.
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bob P. Roche
Sent: Thursday, September 13, 2012 12:16 PM
To: Midrange Systems Technical Discussion
Subject: RE: Security for SQL functions
It might be easier to control the authority to the object rather than those commands, Hopefully the commands are already secured so only developers can CRTBNDRPG for example. But if those developers should not be able to touch your function, I'd look at the authority settings on the function.
"Monnier, Gary" <Gary.Monnier@xxxxxxxxx>
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>,
09/13/2012 02:11 PM
RE: Security for SQL functions
A couple of ideas...
On the IBM i a function is an object. Objects can be secured. Secure
your system so only selected individuals can CREATE and/or DROP objects.
This may mean restricting who can use some of the CRTxxxxxxx (CRTBNDC,
CRTBNDCPP, CRTBNDRPG, etc) commands.
For external products using ODBC/JDBC you can use an exit program to
interrogate inbound SQL strings for the functions you want to restrict and
reject the transaction if the user isn't authorized to the function(s).
From: midrange-l-bounces@xxxxxxxxxxxx [
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dean Eshleman
Sent: Thursday, September 13, 2012 11:56 AM
Subject: Security for SQL functions
I am getting ready to put my first SQL user defined function into
production. I just discovered that apparently anyone can create a
function and also, anyone can drop a function. How do I secure my
production functions so that only certain people can drop them?
Software Development Architect
1110 North Main Street
PO Box 483
Goshen, IN 46527
Phone: (574) 533-9515 x3528
Confidentiality Notice: This information is intended only for the
individual or entity named. If you are not the intended recipient, do not
use or disclose this information. If you received this e-mail in error,
please delete or otherwise destroy it and contact us at (800) 348-7468 so
we can take steps to avoid such transmission errors in the future. Thank
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l