How can I limit users from changing databases file? I'm working with an 820 iSeries with V4R5.
You have a couple of options for preventing users from changing database files on your iSeries using Client Access Express or iSeries Access for Windows (as it's called in V5R2.) The most robust option is to use object level security on the database files. If users only have *USE authority to the file, they will only be able to view or read it but not update records. This authority applies to every means of accessing the file - from the command line, a submitted job, a web application, ftp, remote command or any of the Client Access functions. However, you must make sure that the users still have sufficient authority to perform their job functions. Therefore, you may need to make changes to the application - usually to adopt the profile owner's authority - so that the users can still use the application and update the files while using the application but not through any other means.
Your other option is to use an exit program and attempt to limit access to the files through configuring rules to prevent certain functions for servers that allow update -- such as the database servers and FTP. But it's not as simple as that because you must also take into consideration servers such as the remote command server that ignore the users' limited capability setting and allow them to submit commands that can update the files. Some shops have found success with this approach but understand that the task of installing and implementing exit programs is not trivial. That's why I prefer using object level security. It can take some work to adjust the application authority scheme, but then the authority applies no matter what interface is used to try to access the database file outside of the application.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Check out this Search400.com Featured Topic: Top ten security tips
Dig Deeper on iSeries system and application security
Related Q&A from Carol Woodbury
Before changing password levels and upgrading operating systems on the AS/400, ensure the clients connecting to the NetServer do not need the old ... Continue Reading
Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the ... Continue Reading
The UPPWEI field corresponds to the password expiration interval field, and its values "0" and "-1" represent the *SYSVAL and *NOXMAX commands. Continue Reading