I agree with your points. A user may be "authorized" to invoke the GET
Employee API, but not authorized to view the employee's SSN. And in a world
of cloud services, "users" may not have an IBM i user profile. We have a
client who is authenticating users against an OAuth service, for example.
We have thousands of parents and students who access our database, but who
don't have IBM i credentials. I bet that most eCommerce sites have similar
circumstances.

I'm pleased that we're discussing access privileges. I think this is a
sub-topic where we can compare and contrast the infrastructure that supports
web-service APIs vs. that which may be implemented via XMLSERVICE, ODBC,
JDBC, and the like.

For example, the procedure or procedures that check end-user authority
should (and probably do) run on IBM i, as opposed to delegating that
responsibility to web-service clients. The latter would be less secure, in
my opinion. And the way that user privileges are defined is more granular.
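The server-side, field-level check the post argues for, shown as an added example (not code from the original post, and written in Python rather than anything IBM i specific): the access token has already been validated upstream and only its claims reach this code, so the caller needs no IBM i profile. The scope names, the claim layout and the employee record are assumptions for illustration.

```python
"""Server-side, field-level authorization for a GET Employee API (added example)."""
from dataclasses import dataclass

# Field -> scope required to see it (assumed scope names). Fields with no
# entry are visible to anyone allowed to call the endpoint at all.
FIELD_SCOPES = {
    "ssn": "employee:read:ssn",
    "salary": "employee:read:pay",
}
ENDPOINT_SCOPE = "employee:read"


class Forbidden(Exception):
    """Raised when the caller may not invoke the endpoint at all."""


@dataclass(frozen=True)
class Claims:
    subject: str
    scopes: frozenset  # taken from the validated OAuth token, never from the request body


def authorize_employee_view(claims: Claims, employee: dict) -> dict:
    """Return only the fields of `employee` the caller is authorized to see.

    The filtering happens on the server (the IBM i side, in the post's terms):
    a field the caller lacks a scope for is never sent, so a web-service
    client cannot "forget" to hide it.
    """
    if ENDPOINT_SCOPE not in claims.scopes:
        raise Forbidden(f"{claims.subject} may not call GET Employee")
    return {
        field: value
        for field, value in employee.items()
        if field not in FIELD_SCOPES or FIELD_SCOPES[field] in claims.scopes
    }


# Constructed sample record; not real data.
EMPLOYEE = {"id": "E100", "name": "A. Example", "ssn": "000-00-0000", "salary": 1}


def demo() -> tuple:
    """Same record, two callers: an HR user sees everything, a parent does not."""
    hr = Claims("hr-user", frozenset({"employee:read", "employee:read:ssn", "employee:read:pay"}))
    parent = Claims("parent-42", frozenset({"employee:read"}))
    return authorize_employee_view(hr, EMPLOYEE), authorize_employee_view(parent, EMPLOYEE)


if __name__ == "__main__":
    print(demo())
```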