|
This is a little belated; but here is a simple CL example of an ODBC exit point program that disallows certain users; it is relatively easy to modify to do other items as well. http://www.geocities.com/alex_nubla/extdbse.txt -----Original Message----- From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John_Bresina@xxxxxxxxxxxxxxx Sent: Friday, September 15, 2006 3:37 PM To: Midrange Systems Technical Discussion Subject: Re: ODBC Security Does anyone have an example of an exit program for ODBC. I am not a programmer so I wouldn't want to try to write one. We have an audit requirement to secure ODBC by the end of October on our production partitions. John Bresina Jr Sr Server Engineer - Midrange Team Allianz Life of North America 5701 Golden Hills Drive Minneapolis, Mn 55416 763 582 6761 rob@xxxxxxxxx Sent by: midrange-l-bounce To s@xxxxxxxxxxxx Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> 09/15/2006 02:26 cc PM Subject Re: ODBC Security Please respond to Midrange Systems Technical Discussion <midrange-l@midra nge.com> Rather a recent discussion on the security list. Searching the recent archives might give some good insight. Defense in depth is always the best strategy. First, and strongest wall, should always be object authority. Now, some people secure everyone out of an object. And then the only way to access a file was via programs that adopted authority. Knew a fellow who did this for a company that made body parts for humans. Like artificial knees. If you do this then the only way they can use ODBC is if you copy the data to a different file that is opened for read. Leaving all your files for read might not be a good idea. For example if your programs secure who can read certain fields. For example if your employee file has salary information in there with name and address and certain people can look up address but only certain other people can look up salary and that is all program restricted. Now accessing that file via odbc blasts by that. Workaround, break the file apart which some vendors do. Or use column level security. Nice theory but I've not seen people use this in practice yet. Has anyone? Supported by DB2. Oh and as far as the "download file", our users quickly figured out that they could query most any file they wanted to and overwrite the download file and download that. Next wall may be exit points. Let's say your application vendor is from the stone age. And he requires the files to be *ALL for all users accessing the files. Now, you can use an exit point to restrict who can download what data from what file. For example I can secure Sally from downloading from the logical that has both name and salary information in it, but let Susie get both. Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com fbocch2595@xxxxxxx Sent by: midrange-l-bounces@xxxxxxxxxxxx 09/15/2006 01:59 PM Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> To midrange-l@xxxxxxxxxxxx cc Subject ODBC Security I wanted to get some info on the risks to giving AS400 users authority to use ODBC. If object authority is *use ODBC s/b ok for AS400 users to use...right? If they have *change to AS400 objects then ODBC is not good because they can upload data or change it via file transfer or ODBC...right? Using an exit pgm will restrict all users except ONLY those alllowed by the exit...which makes it the best way to secure ODBC...is that right? Thanks for any info Frank ________________________________________________________________________ Check out the new AOL. Most comprehensive set of free safety and security tools, free access to millions of high-quality videos from across the web, free AOL Mail and more. -- This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l. -- This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l. ----------------------------------------- CONFIDENTIALITY NOTICE: The information in this message, and any files transmitted with it, is confidential, may be legally privileged, and intended only for the use of the individual(s) named above. Be aware that the use of any confidential or personal information may be restricted by state and federal privacy laws. If you are not the intended recipient, do not further disseminate this message. If this message was received in error, please notify the sender and delete it. -- This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
