We've gotten a lot more concerned about security on our data. In general
everyone who has access to this lpar has need to get into Infor LX.
Something that really hasn't been true for 25+years is that if you change
their user profile to LMTCPB(*YES) they no longer have access to the
command line and cannot get to the data outside of the programs.
Well longer ago than some people working on IBM i and it's predecessors
have been alive there have been ways around that. For example:
- "IBM Navigator for i" which is loaded on every IBM i and is available at
http://youribmi:2001
- IBM Access Client Solutions "Run SQL scripts".
- Excel
and really a rather unlimited number of other possibilities.
And while the auditors are still concerned with securing some commands
like STRSQL (and forget about newer ones like RUNSQL, etc),
and some people push Exit Point programs,
it's still like playing "Whack-a-mole".
Quite some time ago Wayne Evans coined a phrase called "Application Only
Access". In this model the users do not have access to the data. *PUBLIC
is *EXCLUDE and the users are NOT part of some group, authorization list
or any other method to gain direct access to the data.
Suppose your data is owned by SSA. And SSA is the only user with access
to that data.
Now, suppose you have a program named BPCSMENU. And that program is owned
by SSA. And, that program is set with "User profile" = *OWNER and not
*USER. Then that user could call BPCSMENU and if that program accesses
the data the user could see that data.
Now let's say the rest of the programs do not have "User profile" set to
*OWNER but have it set to *USER. And all those programs (such as ACR100)
have "Use adopted authority . . . . . . . . . . . . : *YES". What this
means is that the user could not call ACR100 directly and get access to
the data since the "User profile" is set to *USER. However if they called
it from an unbroken call stack in which every program between BPCSMENU and
ACR100 have "Use adopted authority . . . . . . . . . . . . : *YES" then
they would have access to that data.
This is the difference between Use adopted authority" and "User profile"
and why you do not just make them both *OWNER and *YES. They do different
things.
Infor ships their programs out of the box with "User profile" set to *USER
and Use adopted authority . . . . . . . . . . . . : *YES. Which is
what you want. Except for the initial BPCSMENU type program.
So in theory this should work for us, providing the users have *USE (aka
read only) access to the programs.
Has anyone done this? Have you set *PUBLIC to *EXCLUDE and try this? How
did it work out for you?
How do you handle those "super users" who have a business need to query
certain files with either 5250 based tools or with client server or web
based tools? Do you give them *USE (aka read only) capability to certain
files? Do you limit them only to 5250 based queries which you write and
call from a menu (which our users will not accept since it limits "what
if" stuff).
Rob Berendt
As an Amazon Associate we earn from qualifying purchases.