× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



In a word, yes.

Generally though they will have QSYS as the owner (some are owned by QSECOFR), *PUBLIC will have *USE rights and there will not be anyone else authorized to them unless QSECOFR owns the object.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dean Eshleman
Sent: Friday, September 14, 2012 10:32 AM
To: 'midrange-l@xxxxxxxxxxxx'
Subject: Re: Security for SQL functions

Now that I look at the V5R4 SQL reference manual a little closer, it says:

To drop a function, the privileges held by the authorization ID of the statement must include at least one of the following:
1) The following system authorities:
- For SQL functions, the system authority *OBJEXIST on the service program object associated with the function, and
- The DELETE privilege on the SYSFUNCS, SYSPARMS, and SYSROUTINEDEP catalog tables, and
- The system authority *EXECUTE on library QSYS2
2) Administrative authority

I guess I'm not sure what Administrative authority is. Does anyone know? In my case, the function (iDate) is backed by a service program. Thanks Alan Campin. Since I know only certain people can delete the service program, I thought that the first point under number 1 took care of my situation. Do I also need to restrict the DELETE authority on the 3 SYS* tables?

Dean

On 9/13/2012 3:58 PM, Monnier, Gary wrote:
Maybe then again, maybe not. When you create a function written in SQL on the IBM i the system generates C code then compiles it into an executable object. Restricting access to the commands that compile C is a prudent step.

Also any function can be dropped by deleting the program behind the function.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dean Eshleman
Sent: Thursday, September 13, 2012 12:50 PM
To: 'midrange-l@xxxxxxxxxxxx'
Subject: Re: Security for SQL functions

Thanks for the response. The service program behind the SQL function is secured appropriately, so I guess I'm covered.

Dean

On 9/13/2012 3:16 PM, Bob P. Roche wrote:
It might be easier to control the authority to the object rather than
those commands, Hopefully the commands are already secured so only
developers can CRTBNDRPG for example. But if those developers should
not be able to touch your function, I'd look at the authority
settings on the function.




From:
"Monnier, Gary"<Gary.Monnier@xxxxxxxxx>
To:
Midrange Systems Technical Discussion<midrange-l@xxxxxxxxxxxx>,
Date:
09/13/2012 02:11 PM
Subject:
RE: Security for SQL functions
Sent by:
midrange-l-bounces@xxxxxxxxxxxx



Dean,

A couple of ideas...

On the IBM i a function is an object. Objects can be secured.
Secure your system so only selected individuals can CREATE and/or DROP objects.
This may mean restricting who can use some of the CRTxxxxxxx
(CRTBNDC, CRTBNDCPP, CRTBNDRPG, etc) commands.

For external products using ODBC/JDBC you can use an exit program to
interrogate inbound SQL strings for the functions you want to
restrict and reject the transaction if the user isn't authorized to the function(s).

HTH.

Gary

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dean Eshleman
Sent: Thursday, September 13, 2012 11:56 AM
To: 'midrange-l@xxxxxxxxxxxx'
Subject: Security for SQL functions

I am getting ready to put my first SQL user defined function into
production. I just discovered that apparently anyone can create a
function and also, anyone can drop a function. How do I secure my
production functions so that only certain people can drop them?

Dean Eshleman
Software Development Architect

Everence Financial
1110 North Main Street
PO Box 483
Goshen, IN 46527
Phone: (574) 533-9515 x3528
www.everence.com<http://www.everence.com>






________________________________________
Confidentiality Notice: This information is intended only for the
individual or entity named. If you are not the intended recipient, do
not use or disclose this information. If you received this e-mail in
error, please delete or otherwise destroy it and contact us at (800)
348-7468 so we can take steps to avoid such transmission errors in
the future. Thank you.
_______________

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.



Dean Eshleman
Software Development Architect

Everence Financial
1110 North Main Street
PO Box 483
Goshen, IN 46527
Phone: (574) 533-9515 x3528
www.everence.com<http://www.everence.com>






________________________________________
Confidentiality Notice: This information is intended only for the individual or entity named. If you are not the intended recipient, do not use or disclose this information. If you received this e-mail in error, please delete or otherwise destroy it and contact us at (800) 348-7468 so we can take steps to avoid such transmission errors in the future. Thank you.
_______________

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.



Dean Eshleman
Software Development Architect

Everence Financial
1110 North Main Street
PO Box 483
Goshen, IN 46527
Phone: (574) 533-9515 x3528
www.everence.com<http://www.everence.com>






________________________________________
Confidentiality Notice: This information is intended only for the individual or entity named. If you are not the intended recipient, do not use or disclose this information. If you received this e-mail in error, please delete or otherwise destroy it and contact us at (800) 348-7468 so we can take steps to avoid such transmission errors in the future. Thank you.
_______________

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.