Let me see if I understand you. It's not enough if the application
secures them from actually using an application, it must also not show
them that, if they had the authority, they could do certain things? Why?
Because they would go to your boss, roll on the floor and scream "I want
it!" over and over until your boss relents?

On a related note, are there still items on the website that Application
Administration doesn't control who can get in there?

Jim was right on another matter. It's important to use the security built
into the IBM i and not rely upon the interface to control security. A
classic example is "We have *public *all on all data but that's alright -
our 5250 menu system has no command line." Totally ignoring file
transfer, Excel built-ins, FTP, remote command execution, etc.

And still related, what version are we talking about? IOW, with or
without level 16 of PTF group SF99368? In there they did a rewrite of
this port 2001 stuff. I have it on one LPAR but I've not had the time to
see if it has visual granularity in addition to access granularity.

And I shudder to mention this, but you could block port 2001 on your
firewall except for access by a few IP addresses.

And on another thing, if they can't do anything but it just informs them,
using a graphic which shows them how much space is available on disk, for
an example, where's the harm in that? Is there a fear that they'll see
that you have 10% available of a 1TB system and try to snag on to that to
store their engineering drawings? Or the SAN manager may see you have too
much available and ask for it back?
Granted, I'm not talking about unfettered access to viewing spool files. I
still remember an employee who complained about her check stub before it
was printed. But she had matched the wrong stub with the wrong check. We
promoted her to HR Director.

Rob Berendt
