We have a customer that uses DDM to read our files. We need to limit some files for DDM access, but they still need to be able to read that file through an application program. They also need to be able to DDM orders to us, so we can't revoke DDM completely.
If your customer has written the application or doesn't mind changing the application program, the best (most robust) solution is to set *PUBLIC authority of the files to *EXCLUDE (protecting the files from being accessed through DDM) and change the application to adopt authority when accessing the files.
The application program owner needs to be authorized to or own the files. This way, access to the file is protected not just through DDM, but through all interfaces that might currently exist and any of the interfaces that might come up in the future. However, because the owner of the program has sufficient authority, access is still allowed through the application.
This is the preferred method over trying to protect these files via exit point software because, once again, by using object level security, you protect the file from being accessed from ALL interfaces. If you aren't familiar with adopted authority or have questions regarding it, you might check out my Security Patrol article on the subject here.
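The steps described in the answer above, written out as CL commands. This is an added example, not part of the original answer; the library APPLIB, file ORDHIST, program ORDINQ and profiles APPOWNER and DDMUSER are hypothetical names.

```cl
/* Added example: every object and profile name here is hypothetical. */

/* 1. Have one application profile own both the protected file and   */
/*    the program that reads it.                                     */
CHGOBJOWN OBJ(APPLIB/ORDHIST) OBJTYPE(*FILE) NEWOWN(APPOWNER)
CHGOBJOWN OBJ(APPLIB/ORDINQ) OBJTYPE(*PGM) NEWOWN(APPOWNER)

/* 2. Exclude the public from the file. This applies to DDM and to   */
/*    every other interface that opens the file.                     */
GRTOBJAUT OBJ(APPLIB/ORDHIST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. A private authority takes precedence over *PUBLIC, so remove   */
/*    any that the profile used for DDM holds on the file. Also      */
/*    check its group profiles, any authorization list securing the  */
/*    file, and whether the profile has *ALLOBJ special authority.   */
RVKOBJAUT OBJ(APPLIB/ORDHIST) OBJTYPE(*FILE) USER(DDMUSER) AUT(*ALL)

/* 4. Make the program adopt its owner's authority while it runs.    */
CHGPGM PGM(APPLIB/ORDINQ) USRPRF(*OWNER)

/* 5. Users still need *USE to the program itself in order to call   */
/*    it; they need no authority to the file.                        */
GRTOBJAUT OBJ(APPLIB/ORDINQ) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

/* 6. Verify: the file shows *PUBLIC *EXCLUDE, the program shows     */
/*    user profile *OWNER, and the list of programs adopting         */
/*    APPOWNER contains only what you expect.                        */
DSPOBJAUT OBJ(APPLIB/ORDHIST) OBJTYPE(*FILE)
DSPPGM PGM(APPLIB/ORDINQ)
DSPPGMADP USRPRF(APPOWNER)
```

Files that are not changed this way keep their current authority, so the customer can still reach them, and send orders, through DDM.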