× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2016

RE: ODBC traffic

It seems I made some assumptions I thought others would make but neglected to state them.

To clarify, I never stated not to use ** Object security **.

I agree with object security, been practicing it for years to the chagrin of others.

Sadly, many shops do not follow a current model for object security. You'd be surprised how many installations have *PUBLIC *CHANGE on tables.

If you cannot tighten up object level security for whatever reason, nor afford 3rd party packages for exit points or have the skills to write your own exit programs a simple solution is to not allow ODBC/JDBC/OLEDB access from Excel. To get data to a spreadsheet a client-side app can be written to extract the data and place it in a spreadsheet. This app can be written in such a fashion that it can extract data from whatever table is selected.

The client-side app isn't so different in concept from the many BI platform out there. And, who knows, maybe the client-side app will make their Information Services a profit center rather than a cost center.

Any interest out there in creating such a product?


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Darren Strong
Sent: Wednesday, April 13, 2016 11:05 AM
To: Midrange Systems Technical Discussion
Subject: Re: ODBC traffic

To summarize Charles and my point earlier. ** Object security **

Putting a blockade on your driveway might stop people from driving down it and getting in your house, but the best solution is to lock the door, and then you can still use your driveway.






From: Charles Wilt <charles.wilt@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 04/13/2016 01:28 PM
Subject: Re: ODBC traffic
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Of course it's not likely that anybody uses Excel directly as a data entry/maint tool.

But reading data into Excel for analysis is quite common, particularly for MS SQL Server users.

Disallowing ODBC connections to the IBM i would prevent that.

If you DW is on the i, it's not a moot point unless you've got object security set up and/or exit point programs in use.

Which goes back to my initial response.

Charles

On Wed, Apr 13, 2016 at 1:03 PM, Monnier, Gary <Gary.Monnier@xxxxxxxxx>
wrote:


Does anyone allow Excel to be a data entry/maintenance tool for critical
tables in other databases? I suspect not, for the same reasons sites
for
the IBM i.

If you are using a data warehouse the issue is a moot point since a
warehouse is, by definition, going to be read only as far as the
client-side is concerned.

Gary Monnier


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Charles Wilt
Sent: Wednesday, April 13, 2016 9:46 AM
To: Midrange Systems Technical Discussion
Subject: Re: ODBC traffic

Sure that's a simple option...

Works right up till the IBM i gets replaced as being outdated for not
having the Excel integration and/or too expensive since a developer
has
to
be involved for everything.

Charles

On Wed, Apr 13, 2016 at 12:13 PM, Monnier, Gary
<Gary.Monnier@xxxxxxxxx>
wrote:

The really simple option is to not allow ODBC/JDBC/OLEDB connections
from spreadsheets.

A user obliterating a critical table is what spawned PowerTech's
exit point technology. A user utilized Excel to upload, if memory
serves, the chart of accounts. They then eliminated everything they
didn't want, made some changes and downloaded to (at the time) the AS/400.

You can always have the developers write a client-side extract
program that creates a spreadsheet.

Thanks,

Gary Monnier

IT Software Engineer CSM, CSPO

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Michael Schutte
Sent: Wednesday, April 13, 2016 6:14 AM
To: Midrange Systems Technical Discussion
Subject: Re: ODBC traffic

Somehow you guys think I'm disagreeing with you. I'm not, just
pointing it out as an option.

As this being an option, and you don't want the user to change the
connection or add a new connection, etc. The network team (or
people in charge of windows) can set up group rules to keep the
users out of administration tools. This goes for ODBC connections,
DNS-less connections, etc (maybe not JDBC connections).

So again, the option isn't totally invalid. It's just a different
way of doing it. Different point of view.

On Wed, Apr 13, 2016 at 8:41 AM, Mark Murphy/STAR BASE Consulting Inc.
< mmurphy@xxxxxxxxxxxxxxx> wrote:

Particularly when it is so easy to defeat without anyone knowing
about
it.

Mark Murphy
STAR BASE Consulting, Inc.
mmurphy@xxxxxxxxxxxxxxx


-----Michael Schutte <mschutte369@xxxxxxxxx> wrote: -----
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
From: Michael Schutte <mschutte369@xxxxxxxxx>
Date: 04/13/2016 08:26AM
Subject: Re: ODBC traffic


Then you fire them. It was just an option. In all seriousness who
in their right mind would want to go around to all company pcs and
make
that change.

On Wed, Apr 13, 2016 at 7:43 AM, Mark Murphy/STAR BASE Consulting
Inc.
< mmurphy@xxxxxxxxxxxxxxx> wrote:

Until the user googles it and finds that option and unchecks it.

Mark Murphy
STAR BASE Consulting, Inc.
mmurphy@xxxxxxxxxxxxxxx


-----Michael Schutte <mschutte369@xxxxxxxxx> wrote: -----
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
From: Michael Schutte <mschutte369@xxxxxxxxx>
Date: 04/12/2016 05:09PM
Subject: Re: ODBC traffic


In the windows ODBC connection, find the option that says "SELECT"
statements only. This would be a by user basis.

On Tue, Apr 12, 2016 at 3:44 PM, Charles Wilt
<charles.wilt@xxxxxxxxx>
wrote:

The only way to do this would be on the IBM i side.

Either
1) Using object security, make sure the users only have *USE
authority
the
data.
2) Spend $$$ for a package of exit point programs to lock down
what's allowed.
3) roll-your-own #2

An example of #2
http://www.helpsystems.com/powertech/products/network-security



On Tue, Apr 12, 2016 at 3:16 PM, Hoteltravelfundotcom <
hoteltravelfun@xxxxxxxxx> wrote:

HI We have some users who use ODBC connection in Excel to
look at IBS
data
on the IBM i.

Now I am getting more requests for this.

I never liked this. Now I want to ensure that this can be
one way
traffic
only (read only). How can I ensure this. Secondly, I noticed
that all
users
with green screen get icons of the Windows for IBM ISeries
access. In
these
Icons are also links for sending and receiving data with IBM i.

I don't like this either. We have a few users on green
although most
not.

Can I remove these icons globally? Or has to be one by one.
--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription
related questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.