Re: Do I understand USRPRF *OWNER USEADPAUT *YES correctly? -- MIDRANGE-L

Thanks for the pointer.

Actually, we DO have an override/access management program already that sits on the exit point but we need don't quite need that level of granularity at each of our customer's sites (they have JDBC/ODBC apps from third parties with exit points, etc as well that complicate things). We headed down that path but rather than rewrite the exit point management application we decided that it was just simpler to follow this approach. But, the exit point idea is a good one and can be used for much more than just setting authorities and overrides to files.

If we need a "plan B" we'll go there.

Pete


Gary Monnier wrote:

Pete,
You may want to think about using an exit program on the JDBC/ODBC exit
points that can switch profiles.  Within the exit program you can switch
the client user to whoever you want them to be.  Look at the
documentation for exit points QIBM_QZDA_SQL1 and QIBM_QZDA_SQL2 for
details.  These are the JDBC/ODBC exit points.  This, I believe, will
get you where you want to go but I have a bias toward an exit point
solution.
Gary Monnier | Senior Software Developer
19426 68th Ave. S Kent, WA 98032 (253) 872-7788 ext. 308 gary.monnier@xxxxxxxxxxxxx www.powertech.com This email message and any attachments are intended only for the use of the intended recipient named above and may contain information that is privileged and confidential. If you are not the intended recipient, any dissemination, distribution, or copying is strictly prohibited. If you received this email message in error, please immediately notify the sender by replying to this email message or by telephone and delete the message from your email system. Thank you.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Friday, April 08, 2005 7:36 AM
To: Midrange Mailing List
Subject: Do I understand USRPRF *OWNER USEADPAUT *YES correctly?
I have been operating under the some assumptions about adopted authority
that have been recently challenged and I want to make sure I haven't missed something.

We have all the files in a library set to allow a specific user profile to have *ALL authority (lets call it FUSER) and *PUBLIC authority set to

*EXCLUDE. All of the programs that access the files are owned by FUSER and the authority of those programs is set to USRPRF(*OWNER) and USEADPAUT(*YES). As far as I know that prevents anyone from accessing these files outside of using specific programs unless they have *ALLOBJ authority (Correct?)

We need to access those same files through JDBC so we have a program that we call when we establish the connection in Java that sets the library list and file overrides (OVRSCOPE (*JOB)). That program is also owned by FUSER and is compiled USRPRF(*OWNER) and USEADPAUT(*YES).

This should prevent anyone who successfully connects through JDBC but doesn't call the program from getting access to the files (unless they have *ALLOBJ authority) (Correct?)

There are a dozen other things we do to secure the access but the thing I am most interested in is making sure the files ARE accessible through this method. If the OVRSCOPE is *JOB and the program is owned by FUSER and FUSER has *ALL authority then the tables should be available to the Java program as long as the job (connection) is active (correct?)
Pete Helgren