Bingo, the registry part is what I was trying to remember. Good recap on
the basic security approach.
=====================
Tom Kreimer
Network Manager
Buckhorn Inc, Milford OH
See link below for the direct answer to your question.
Still boils down to:
* Start with user security.
* * default passwords, not signed on in a while, etc.
* Resource security
* * Why let everyone have *ALLOBJ, or why let everyone have all the
capability that EDTOBJAUT can give them?
* * Consider an "Application Only" access in which the user has no
authority to the data. They can only get to it via programs that adopt
authority.
* Exit point security.
* * Should not be considered as a replacement for 2 and 3 but as
additional gates.
* 5250 security
* * See how low down the list this is? Alas, this is where many people
start and end.
* * Consider "Limit Capabilities".
* * Custom menus to not tempt them into options they shouldn't have access
to.
* A patchwork of command security.
* * This is where people secure stuff like WRKQRY or STRSQL but forget
stuff like DBU, UPDDTA, iNav's ability to edit tables, using Excel to
update tables, etc. Once again, see Resource security to secure your
data.
http://tinyurl.com/a58bp5
or
http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/rzaj3/rzaj3security.htm?tocNode=%74%6f%63%3a%72%7a%61%68%67%2f%69%35%6f%73%2f%33%2f%32%2f%34%2f%32%2f%37%2f
Application Administration as a security tool
Do not use Application Administration as a security tool.
Application Administration was designed for customizing the functions
available on your client PC. You should not use Application Administration
for administering security on your client PC for these reasons:
* Application Administration uses the Windows® registry to cache
restrictions on the client PC. A skilled user who is restricted from a
function by Application Administration could obtain access to the function
by editing the registry.
* If multiple interfaces exist to the same resource, restricting a single
interface through Application Administration does not restrict the other
interfaces to the same resource. For example, you can restrict a user from
accessing the database function of System i Navigator through Application
Administration. However, the user can still access database files by using
other database interfaces, such as Open Database Connectivity (ODBC) or
database control language (CL) commands.
Rob Berendt
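
An added example, not part of either post: one way to review the "user security" items from the list above (default passwords, profiles not signed on in a while, *ALLOBJ, Limit Capabilities) in a single query. It assumes an IBM i release that provides the QSYS2.USER_INFO service, and the 90-day inactivity threshold is an arbitrary choice; neither comes from the thread.

```sql
-- Added example. Assumptions: QSYS2.USER_INFO exists on this release, and
-- 90 days without a sign-on counts as "not signed on in a while".
-- Run it under a profile authorized to see every user profile, otherwise
-- rows are silently missing from the result.
SELECT authorization_name      AS user_profile,
       status,
       previous_signon,
       user_default_password   AS default_pwd,   -- 'YES' = password matches profile name
       CASE WHEN special_authorities LIKE '%*ALLOBJ%'
            THEN 'YES' ELSE 'NO'
       END                     AS has_allobj,
       limit_capabilities,                       -- *NO / *PARTIAL / *YES
       group_profile_name                        -- a group can also convey *ALLOBJ
  FROM qsys2.user_info
 WHERE user_default_password = 'YES'
    OR special_authorities LIKE '%*ALLOBJ%'
    OR (status = '*ENABLED'
        AND (previous_signon IS NULL
             OR previous_signon < CURRENT TIMESTAMP - 90 DAYS))
 ORDER BY has_allobj DESC, default_pwd DESC, previous_signon;
```

SPECIAL_AUTHORITIES lists only what is set on the profile itself, so any group profile named in the last column needs the same check.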