Manage
Learn to apply best practices and optimize your operations.
Allow a user to view a library prod without granting full access to all data
Implement the *USE command to provide user access via the view to the library, withholding the user from *OBJOPR object authority. This prevents the user from gaining access to the physical file.
I have a file F4211 in a library prod. This file contains a large amount of company data.
In order to implement security, I created a view F4211 in another library staging in the following way:
CREATE VIEW STAGING.F4211 AS SELECT * FROM PROD.F4211 WHERE SDKCOO='12345'Could you please let me know if I need to grant access to F4211 in prod library also? However, if I do that there will be a loophole, as the user will be able to access all data.
One last thing to mention is that the user does not have any privileges on prod library. I would like to fix this user's problem with the priviledge error without enabling this user to access all data.
First, to access an object in a library, the user must have authority to the library itself. Once the user has access to the library (*USE should be sufficient) they will need to have at least *READ data authority to the underlying physical file associated with the view.
As long as you do not give the user *OBJOPR object authority to the physical file, they will only be able to access the data via the view. If the user attempts to get the data from the physical file, it will fail.
Dig Deeper on iSeries system and application security
-
![]()
How to create Oracle Multitenant database user accounts
By: Brian Peasland
-
![]()
Creating an Oracle Multitenant container database and PDBs
By: Brian Peasland
-
![]()
How shared Lambda functions help microservices access control
By: Chris Moyer
-
![]()
Implementing cloud-native security means going back to your secure coding basics
By: Cameron McKenzie
Start the conversation
0 comments