The problem with straight object level security is that users are often
allowed to access data only with in a specific context - that is - it's
ok for Jane to access the Inventory file within the context on a well
crafted application program that controls what she can see and change.
But we don't want Jane to change some fields in the file (like re-order
point, etc.).  So *CHANGE authority would not in itself be adequate to
secure the resource.  

Correct me if I am wrong, but the proper way to secure this object would 
be to have
*public with *exclude, "/Serviceprofile/" with *all (or as needed) and 
then do a
CHGPGM /pgmname/ USRPRF(*owner) to adopt the service profiles authority.
Then do a CHGOBJOWN OBJ(/pgmname/) OBJTYPE(*PGM) NEWOWN(/Serviceprofile/) 
which will make the owner of the program the service profile.

The net affect is that no users have any access to the file at all.  Not 
via FTP, ODBC, anything.
The service profile has authority to the file.  The user only can modify 
the file within the scope
of the program being called.   Of course, you have to watch out to make 
sure QCMD or
command line is not given with this adoptive authority.  This depends on 
users not having
all object, and system security level being an the proper level.

This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to
whom they are addressed.  If you have received this email
in error please reply to the sender of the message.

The views expressed in this correspondence may not
reflect the views of Prime, Inc.

This footnote also confirms that this email message has
been scanned for the presence of computer viruses.

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.