


Note: it's a bad idea to give access directly to the PF objects.

Instead, secure the PFs with an authorization list (*AUTL) and give the profiles the authority via the *AUTL.

Agreed, but how do people handle the creation of authority when it is inconsistent across the library? For example, I can have an authority list called #PRODDTA that handles all of the objects in library PRODDTA (and the library itself points to this authority list). That's great for handling the systematic access in the system and has worked very well for us. We have less than 10 libraries that are not *PUBLIC EXCLUDE.

Our problem arises when we want to give access to individual files and exclude others in the same library. An interface may need to query our work order file, but I do not want them rooting around our G/L. In this case the #PRODDTA authority list is too broad and the only recourse seems to be granting *USE rights to the library and the individual files in question apart from the authority list. This is inconvenient because you can't manage those without a lock on the object.

Those exceptions are easy enough to maintain in a CL, and I have one that can be run over any of our data environments to put them in sync with the security plan. But this involves many steps in ensuring that the library has:
- the correct create authority (that points to the authority list),
- that the library and all the objects in the library are owned by the correct ID,
- that all other authorities are revoked,
- granting back authority using the authority list,
- granting back *USE rights to the library for individual users who will access isolated files

Then you have to go back and work on the object authorities in the library:
- grant authority to all objects using the authority list
- revoke all other authorities
- grant back access to individual files for individual user access

The CL works as a great source for finding the exceptions, and allows you to add comments explaining why, many months later, a certain access was granted. It also works great because you can add a change, then schedule the CL to run when you know the objects will not be locked.

Still, I can't help but wonder if there is a better way. If anyone has it, I would love to hear it.

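The steps listed in the post could be laid out in a CL program along these lines. This is an added example, not the poster's program: the owner profile PRODOWN, the interface profile WOIFACE and the file WORKORD are constructed names, and only #PRODDTA and PRODDTA come from the post.

```cl
/* Added example: sync one data library with the security plan.      */
/* PRODOWN, WOIFACE and WORKORD are constructed placeholder names.   */
/* No MONMSG on the authority commands: a locked object ends the run */
/* with an escape message in the job log instead of being skipped.   */
PGM        PARM(&LIB)
  DCL        VAR(&LIB)   TYPE(*CHAR) LEN(10)  /* e.g. PRODDTA        */
  DCL        VAR(&AUTL)  TYPE(*CHAR) LEN(10) VALUE('#PRODDTA')
  DCL        VAR(&OWNER) TYPE(*CHAR) LEN(10) VALUE('PRODOWN')
  DCLF       FILE(QSYS/QADSPOBJ)  /* layout of the DSPOBJD outfile   */

  /* --- Library: create authority, owner, revoke, grant back ---    */
  CHGLIB     LIB(&LIB) CRTAUT(&AUTL)
  CHGOBJOWN  OBJ(&LIB) OBJTYPE(*LIB) NEWOWN(&OWNER) CUROWNAUT(*REVOKE)
  RVKOBJAUT  OBJ(&LIB) OBJTYPE(*LIB) USER(*ALL) AUT(*ALL)
  GRTOBJAUT  OBJ(&LIB) OBJTYPE(*LIB) AUTL(&AUTL)
  GRTOBJAUT  OBJ(&LIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)
  /* Exception: interface profile needs *USE on the library itself   */
  GRTOBJAUT  OBJ(&LIB) OBJTYPE(*LIB) USER(WOIFACE) AUT(*USE)

  /* --- Objects: put every object under the expected owner ---      */
  DSPOBJD    OBJ(&LIB/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) +
               OUTFILE(QTEMP/OBJLIST)
  OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/OBJLIST)
  DOWHILE    COND('1')
    RCVF
    MONMSG     MSGID(CPF0864) EXEC(LEAVE)     /* end of outfile      */
    IF         COND(&ODOBOW *NE &OWNER) THEN(CHGOBJOWN +
                 OBJ(&ODLBNM/&ODOBNM) OBJTYPE(&ODOBTP) +
                 NEWOWN(&OWNER) CUROWNAUT(*REVOKE))
  ENDDO
  DLTOVR     FILE(QADSPOBJ)

  /* --- Objects: revoke everything, then secure by the *AUTL ---    */
  RVKOBJAUT  OBJ(&LIB/*ALL) OBJTYPE(*ALL) USER(*ALL) AUT(*ALL)
  GRTOBJAUT  OBJ(&LIB/*ALL) OBJTYPE(*ALL) AUTL(&AUTL)
  GRTOBJAUT  OBJ(&LIB/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*AUTL)

  /* --- Documented exceptions: one grant per file, with the reason  */
  /* Work order interface reads WORKORD only; it gets no G/L access. */
  GRTOBJAUT  OBJ(&LIB/WORKORD) OBJTYPE(*FILE) USER(WOIFACE) AUT(*USE)
ENDPGM
```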


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
