Reply from IBM - see if it stirs some imaginative thinking:

"You're correct that until DB2 for i supports trusted context, 3-tier applications would have difficulty deploying RCAC rules related to the outer-tier user identity.
Without trusted context, RCAC can still be constructed using DB2 for i built-in global variables, user defined global variables and/or client special registers.
For example, the middle-tier could leverage client special registers to share identity or scenario insight with the data tier, where the insight can be used to deploy RCAC rules.
Since the 3-tier application presumably already contains logic to limit access to rows and columns, a logical place to start is to focus on other aspects of locking down data security.
(i.e. deploying enhanced data security isn't an all or nothing proposition)"

I'm wondering about even using a UDF that returns values of environment variables - there are some restrictions on UDFs, but permissions seem to be able to be pretty broad in their "WHERE" clause.
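What the IBM reply above describes, worked through as an added example (this is not code from the thread, from IBM, or from any vendor mentioned here): a row permission on a hypothetical APP.ORDERS table that takes the web user's identity from a user-defined global variable that the middle tier sets once per request, guards it with the built-in global variable SYSIBM.CLIENT_IPADDR so the identity is only honored on connections from the application server, and routes the comparison through a UDF to show the SECURED requirement that the "restrictions on UDFs" remark is pointing at. The table, the variable APP.WEB_USER, the profile WEBAPPSVC, the group profile APPADMIN and the address 10.1.2.3 are all assumptions for illustration; it goes slightly beyond the text by combining a built-in global variable with a user-defined one in the same rule.

```sql
-- Added example, not from the thread or from IBM. Assumed names:
-- APP.ORDERS, APP.WEB_USER, WEBAPPSVC (middle-tier service profile),
-- APPADMIN (group profile), 10.1.2.3 (application server address).

-- Hypothetical table; ASSIGNED_TO is the web user that owns the row.
CREATE TABLE APP.ORDERS (
  ORDER_ID    INTEGER       NOT NULL PRIMARY KEY,
  ASSIGNED_TO VARCHAR(128)  NOT NULL,
  AMOUNT      DECIMAL(9, 2) NOT NULL
);

-- User-defined global variable carrying the outer-tier identity.
-- DEFAULT NULL: a session that never set it matches no rows at all.
CREATE VARIABLE APP.WEB_USER VARCHAR(128) DEFAULT NULL;

-- Anyone may read it (the permission is evaluated in every session),
-- but only the middle tier's profile may assign it.
GRANT READ  ON VARIABLE APP.WEB_USER TO PUBLIC;
GRANT WRITE ON VARIABLE APP.WEB_USER TO WEBAPPSVC;

-- A function referenced from a permission or mask must be SECURED,
-- otherwise the CREATE PERMISSION below is rejected. NOT DETERMINISTIC
-- because the result depends on the session's variable value.
CREATE OR REPLACE FUNCTION APP.IS_WEB_USER (ROW_OWNER VARCHAR(128))
  RETURNS INTEGER
  LANGUAGE SQL
  NOT DETERMINISTIC
  NO EXTERNAL ACTION
  SECURED
  RETURN CASE WHEN ROW_OWNER = APP.WEB_USER THEN 1 ELSE 0 END;

-- The row permission. Members of APPADMIN see everything; everyone
-- else sees only rows for the identity the middle tier supplied, and
-- only when the connection really comes from the middle-tier host.
-- (CURRENT CLIENT_USERID, set by the middle tier through its
-- connection's client information, could stand in for APP.WEB_USER
-- with no GRANT needed, but then any connection can claim any name.)
CREATE PERMISSION APP.ORDERS_BY_WEB_USER ON APP.ORDERS
  FOR ROWS WHERE
       QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'APPADMIN') = 1
    OR (    SYSIBM.CLIENT_IPADDR = '10.1.2.3'
        AND APP.IS_WEB_USER(ORDERS.ASSIGNED_TO) = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Nothing is filtered until row access control is activated.
ALTER TABLE APP.ORDERS ACTIVATE ROW ACCESS CONTROL;

-- Middle tier, once per request on its pooled connection, after it has
-- authenticated the web user by whatever means it uses:
SET APP.WEB_USER = 'jdoe';
SELECT ORDER_ID, AMOUNT FROM APP.ORDERS;   -- only rows assigned to jdoe
SET APP.WEB_USER = NULL;                   -- clear before the connection is reused
```

The caveat the thread is circling: without trusted context the data tier has no way to verify the name the middle tier hands it, so this rule is exactly as strong as the middle tier's own credential handling plus whatever limits who can open a connection as WEBAPPSVC from 10.1.2.3. Resetting the variable to NULL before the connection goes back to the pool matters for the same reason; a pooled connection that still carries the previous user's identity leaks that user's rows to the next request.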


----- Original Message -----
From: "Vernon Hamberg" <vhamberg@xxxxxxxxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Tuesday, May 27, 2014 11:09:25 AM
Subject: Re: row and column access in 7.2 and web applications

Interesting options - basic authentication, Kerberos that maps with EIM,
validation lists (no profile involved other than CGI default or as set
in httpd.conf), LDAP (I think it's not really the same as Kerberos -
just saw it listed in a V5R3 document).

There are environment variables that CAN have some of this info and
provide fodder for swapping profile in the CGI program.

I've contacted IBM to see if there's something already in the works.


On 5/27/2014 11:01 AM, Brian May wrote:
Yes, our product can maintain a persistent CGI connection. So the user's web session is tied to a specific job running in the HTTP server. We swap the user profile of that job to the logged in user, allowing all DB2 and object level security to be honored.

Doing this does not necessarily mean you MUST have a persistent connection. Any job can switch profiles. The interesting part is passing, storing, and validating credentials in a secure manner.

Brian May
IBM i Modernization Specialist
Profound Logic Software
937-439-7925 Phone
877-224-7768 Toll Free

Modernization Made Easy!

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Nathan Andelin
Sent: Tuesday, May 27, 2014 9:54 AM
To: Midrange Systems Technical Discussion
Subject: Re: row and column access in 7.2 and web applications


I can offer a license to our Web Portal, which has a menu system, where each menu item can be configured to launch separate application instances (Jobs) for each user, and run under that user's IBM i profile.

Profound UI may offer something similar, via their persistent CGI interface, but I'm not sure.
