  • Subject: Re: SQL and Data security
  • From: "Simon Coulter" <shc@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 25 Oct 00 19:34:44 +1000

Hello Richard,

You wrote:
>During a pre-audit, a flag was raised about programmers having access to data 
>altering utilities on the production AS400.  DFU, EDTF, DBU, WRKDBF, etc. 
>are easy enough to restrict.  However, the problem comes with SQL. How can a 
>user be limited in the execution of SQL?  We need to be able to allow the 
>programmers SQL SELECT, but prevent UPDATE or DELETE.  These rules should 
>only be in place when SQL is executed from a command line, but allowed 
>within RPG or CL programs since the application uses embedded SQL.  Any 
>thoughts?

I assume by "command line" you mean Interactive SQL?   If so, revoke authority 
to the STRSQL command but allow them to use Query Manager (STRQM).  You can 
restrict the allowed SQL statements by working with the user's profile from 
within QM (option 10 if I recall correctly).

If you really mean the AS/400 command line (especially since you say CL 
program) then you aren't using the SQL product but rather some 3rd-party tool 
like ASC Sequel.  In that case you can change the respective commands using 
CHGCMD and ensure the ALLOW keyword is *IPGM, *BPGM, *IMOD, *BMOD, *IREXX, 
and *BREXX.

NOTE!!!! That may satisfy the immediate audit requirement but it doesn't solve 
the real problem.  If the programmer can run SQL in a program but not from the 
command line then they can write a program to issue the SQL statement (or 
indeed an SQL program to issue any SQL statement) to trash production data.

The real problem is allowing your programmers update rights to production data, 
which is simply a stupid idea regardless of how small your shop is.  The tool 
is not at fault, rather the entire security mechanism.

Regards,
Simon Coulter.

«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»
«» FlyByNight Software         AS/400 Technical Specialists       «»
«» Eclipse the competition - run your business on an IBM AS/400.  «»
«»                                                                «»
«» Phone: +61 3 9419 0175      Mobile: +61 0411 091 400           «»
«» Fax:   +61 3 9419 0175      mailto: shc@flybynight.com.au      «»
«»                                                                «»
«» Windoze should not be open at Warp speed.                      «»
«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
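The controls discussed in this exchange, written out as OS/400 CL commands. This is an added example, not something posted by Simon or Richard; the profile, library, file and program names (PGMRGRP, PRODLIB, CUSTMAST, ORDUPD, PRODOWNER, TOOLLIB/SQL) are assumed for illustration. Steps 1 and 2 are the command-level restrictions Simon describes; steps 3 and 4 show the object-authority approach his closing note argues for, using adopted authority (a standard OS/400 mechanism, not mentioned in the thread) so that the application's embedded SQL keeps working while interactive or ad hoc SQL from the same programmers cannot change production data.

```cl
/* Added example, not from the original posts.                        */
/* Assumed names: group profile PGMRGRP, production library PRODLIB,  */
/* production file CUSTMAST, application program ORDUPD owned by      */
/* profile PRODOWNER, third-party SQL command TOOLLIB/SQL.            */

/* 1. Take Interactive SQL away from the programmer group.  An        */
/*    explicit *EXCLUDE overrides whatever *PUBLIC has on the command. */
/*    Query Manager (STRQM) is left alone; its permitted statements   */
/*    are set per user profile inside QM itself.                      */
GRTOBJAUT  OBJ(QSYS/STRSQL) OBJTYPE(*CMD) USER(PGMRGRP) AUT(*EXCLUDE)

/* 2. For a third-party SQL command, allow it only from compiled      */
/*    programs, modules and REXX procedures, never from an            */
/*    interactive or batch command line.                              */
CHGCMD     CMD(TOOLLIB/SQL) ALLOW(*IPGM *BPGM *IMOD *BMOD *IREXX *BREXX)

/* 3. The real control: programmers hold read-only object authority  */
/*    to production data, so an UPDATE or DELETE fails for them       */
/*    however it is issued (STRSQL, QM, a home-grown program, ...).   */
/*    *USE = *OBJOPR + *READ + *EXECUTE; no *UPD or *DLT.             */
GRTOBJAUT  OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE) USER(PGMRGRP) AUT(*USE)
GRTOBJAUT  OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 4. The application program with embedded SQL runs under the        */
/*    authority of its owner, which does have *CHANGE on the file.    */
/*    Programmers must not own or be able to replace this object.     */
CHGOBJOWN  OBJ(PRODLIB/ORDUPD) OBJTYPE(*PGM) NEWOWN(PRODOWNER)
CHGPGM     PGM(PRODLIB/ORDUPD) USRPRF(*OWNER)
```

Two caveats worth checking when applying this. Static embedded SQL honours the adopted authority from step 4, but dynamic SQL statements prepared at run time only do so if the program was compiled with DYNUSRPRF(*OWNER); with the default DYNUSRPRF(*USER) they run under the caller's own authority and will fail against the *USE grant, which is the intended outcome for anything a programmer improvises. And step 4 is only safe if the programmer group has no authority to recompile or replace objects in PRODLIB, otherwise the adopting program becomes the very "program to issue any SQL statement" that Simon warns about.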
