• Subject: Re: Restricting User Access
  • From: John Carr <74711.77@xxxxxxxxxxxxxx>
  • Date: Thu, 20 Nov 1997 23:19:18 -0500



RE:     Re: Restricting User Access


The question about how to keep any user from getting at *PUBLIC authority
cuts right to the heart of the Client Access world. 
<snip>


Let me pass by you folks our tentitive plans at a client of mine
and see what problems you think we might have.

Background.

AS/400,  Users all have PC's attached.   Running Win3.1   On the edge of 
getting into Win95. We have been encourageing users to use Query/400 and
File Transfer.(It is THEIR data)

All programs Adopt authority.  Single User ID owns all production files 
& programs.   We have a "Query" library which the users put their 
Queries & their Outfiles(from queries)into. 

We don't have any *PUBLIC rights over production data.

Users have DATA READ rights, but No OBJECT Rights to production data.
(in essence users can read the file but can't open it, (Don't seem to make
sense yet does it.))  

We have a "User Data Warehouse Library"  which contains only logicals 
OVER only those production files that the users are authorizied 
to query(Read).

These Logical files do not have any Key Fields(Yes you can do that, 
like a SQL View. So no Access Path Maintenance overhead.  Also, in certain
files we only include certain fields in the logical view). 

Users have Just, DATA READ  and OBJECT OPR rights to these logicals.
(they can READ the files & Open them)

Now,  Users can query(and file transfer) via those logicals to get
to the production data.  

If you try to access the base physical files in the production libraries
(or logicals in the "Productional libraries),  You're not authorized.

You can't do file transfer (or anything else, ODBC, FTP, XYZ) against
the production data because "you're not authorized"

The queries still run great.  If the user sorts the query,  the query
optimizer still uses/finds existing indexes(the real production logicals 
which have keys) even though they're not authorized to the "production
logicals"

This seems to lock down the PC access to the data.  Our production
programs use menus to "steer" the users to only those progams they 
can run.  

Sorry for being so long winded to explain the scenerio,  But we think
it's a good approach.

Until of course you folks start to poke holes in it.

SO
        production library      user library

        Physical & Logicals     Logicals(no keys)
        DATA READ rights        DATA READ rights
        No OBJECT rights        OBJECT OPR rights
        No *PUBLIC              No *PUBLIC


What do you think?

(BTW, they use a WONDERFUL file driven, soft coded, utility/feature
enriched menu system called ETIKIT (pronounced etiquette.) marketed by.....

John Carr
EdgeTech
5921 Acorn Ridge Ct.
Midlothian VA 23112
804-739-7689 Ph
804-739-7950 Fax
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].