On Wed, 2017-08-16 at 08:28 +0300, Gad Miron wrote:
> Hello pundits
> Need advice with the following:
> I'm asked to create on the i a "payment instructions" text file to be sent
> to our bank.
> The actual uploading of the file to the bank is done by a special secured
> *PC based* software.
> When testing the process someone pointed to me the need to prevent any user
> (i user or domain user) from changing the content of this text file.
> I can create a txt file on the IFS and deny i users access to it (using
> CHGAUT)
> BUT when the file is copied from the IFS to the user's PC in order to send
> it to the bank
> then the access restrictions on the i are no longer valid.
> I guess it is worth mentioning that we do not use SSO (Single sign on) for
> accessing the i
Could you just have the requirement that the file should be
loaded/transmitted from a mapped drive and/or full url? The application
would load the file (which after creation would be made read only on the
i) from (for example) smb:myIserver\securefolder\thisfileisreadonly.txt?
(1)
Obviously that would require the user not to copy the file locally, edit
it, and then transmit the local copy... but if there is an application
involved which requires user input (via gui or command line foo) then
there has to be some level of trust.
Obviously if the raw file contains some kind of checksumming then,
theoretically, it would be harder to edit the file and have it pass the
pc application's validation but that is down to the pc application.
It sounds very similar to the old bacs processing problem, when it was
far cheaper and simpler to have a 386/486 with a dial up modem send the
bacs file than having it done by the "400"... I really don't miss the
days of creating a pc file transfer script which would be remotely
executed by the green screen (I remember it being possible but for the
life of me can't remember what it was called or how it worked) and then
after working for months something would go wrong and the pc would get
re-installed, or replaced, and the batch/transfer definition file would
be lost.
(1) If the application remembers the url then it would just be a case of
re-using a fixed file name and all the user would have to do is click
the big red <send> button... assuming the pc application is clever
enough to know if the content of the file has been previously sent
and/or the receiving bank application is clever enough to put on hold a
batch if it seems as if it's a duplicate transmission.
> TIA
> Gad
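
The reply's point about checksumming, as an added example that is not part of the original thread: an unkeyed checksum can be recomputed by whoever edits the local copy, while a keyed tag (HMAC-SHA256 here, my choice) cannot. The trailer format, key handling and sample records are assumptions; whether the PC application or the bank can verify such a tag is not stated in the thread.

```python
import hashlib
import hmac
from typing import Optional

TRAILER = b"#TAG:"  # hypothetical trailer marker, not a bank format


def tag(body: bytes, key: Optional[bytes]) -> bytes:
    """Hex tag over body: HMAC-SHA256 with a key, plain SHA-256 without."""
    if key is None:
        return hashlib.sha256(body).hexdigest().encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def seal(body: bytes, key: Optional[bytes] = None) -> bytes:
    """Run where the file is created: append a trailer line with the tag."""
    if not body.endswith(b"\n"):
        body += b"\n"
    return body + TRAILER + tag(body, key) + b"\n"


def verify(sealed: bytes, key: Optional[bytes] = None) -> bool:
    """Run by the receiver: recompute the tag, compare in constant time."""
    body, sep, trailer = sealed.rpartition(TRAILER)
    if not sep:
        return False  # trailer missing or stripped
    return hmac.compare_digest(trailer.strip(), tag(body, key))


def edit_on_pc(sealed: bytes, old: bytes, new: bytes) -> bytes:
    """Model a local edit by someone without the key: change the body and
    regenerate the only trailer they can compute, the unkeyed one."""
    body, _, _ = sealed.rpartition(TRAILER)
    return seal(body.replace(old, new), key=None)


# Constructed sample data: not a real payment format, account or key.
KEY = b"constructed-demo-key-not-stored-on-the-pc"
PAYMENTS = b"PAY;ACME LTD;ACCT-0001;1500.00\nPAY;FOO INC;ACCT-0002;320.50\n"

if __name__ == "__main__":
    plain, keyed = seal(PAYMENTS), seal(PAYMENTS, KEY)
    print("plain, untouched:", verify(plain))
    print("keyed, untouched:", verify(keyed, KEY))
    print("plain, edited   :", verify(edit_on_pc(plain, b"1500.00", b"9500.00")))
    print("keyed, edited   :", verify(edit_on_pc(keyed, b"1500.00", b"9500.00"), KEY))
```

The keyed variant only helps if the key stays on the system that creates the file and on the verifying side, out of reach of the user who handles the copy.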