RE: Read-Only ODBC Access

Guy,

This topic is sure to become an emotional topic, but IMO, your best bet is to 
adopt a new security model.  All data should be public exclude, and any process 
that SHOULD be allowed access to your data should adopt authority.  For ODBC 
access, you can use an exit point to determine if the access is legitimate, and 
then process the ODBC request using a profile that has the appropriate rights.  
By default, standard user profiles would have NO access to data.

There have been numerous threads on this topic, and I for one have become 
convinced that this is the right way to secure data on System i.  

Eric

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Guy Terry
Sent: Tuesday, February 20, 2007 3:27 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Read-Only ODBC Access


We've been investigating giving some of our users read only access to 
our iSeries data using the iSeries Access ODBC driver.

I know you can set the driver to be read-only, but we're not happy with 
how easy that is for the user to change. I believe the nature of our 
bespoke ERP package means that setting file permissions based on user 
name is not workable. So we're really left with the ODBC exit points. I 
have be in touch with Powertech, and got a quote for their Network 
Security product. However, another suggestion has been made:

Write our own exit point program, which will allow ODBC access to one 
user only (say ODBCUSER). Then set file permissions for just that user.

Apart from all the other exit points going unmonitored (which is no 
worse than we are currently) can any flaws be suggested with this logic? 
Would I be able to set most files so that ODBCUSER would be unable to 
even see them, and relevant files that we decide to make available via 
ODBC to read-only? How do I do this?

Thanks

Guy