Re: Trigger programme without a trigger.

Joe Pluta wrote:

If I can't count on my security, then I don't have any. Nobody will "casually" get sufficient authority in my scenario. You musty either have *ALLOBJ (bad) or you must swap to the HSA profile (bad) or you must put the HSA as a group profile (bad). None of these is a casual thing, and in general can be prevented for all but the most powerful users.

Joe, you are assuming that all data manipulation will be done within the native iSeries environment.

This is not the case.

You've stated that ODBC is bad ... this is absolutely not true. ODBC (and, by reference, JDBC) are not bad at all ... INAPPROPRIATE use of ODBC is bad. Use of ODBC by people who don't know what they are doing is bad (I'll even say that direct ODBC use by ANY people is bad).

ODBC / JDBC is how external applications update data on the iSeries (with appropriate authorization).

Yes, the external applications can use a stored procedure to update the data ... that's one approach ... not the only approach.

I suppose the best of both worlds would be to lock down the data entirely *and* put validation triggers on it, so that when you do have to fat finger it, those triggers are in place.... hmm.

YES ... this is EXACTLY what I'm suggesting. As (I think) I said before ... Security is important (indeed, critical) ... but security doesn't enforce business rules. Business rules should be enforced regardless of what security is in place. And business rules should only be able to be bypassed in extraordinary situations by people who absolutely know what they are doing.

Maybe I have to rethink my position a little bit...

Oh man, I'm not sure I'm ready for the world to end <grin action="ducking" motion="running" visibility="hiding"/>

david