I'm wondering if using ODBC on our iSeries 400 will be under the control of user profile? For example, a user with read-only privilege can update the data tables through the ODBC.
A user that is restricted by OS/400 object security to "Read Only" privileges to a particular database file will only be able to read that file, regardless of which interface or tool they use to access the file. OS/400's security rules are well defined and clearly enforced, so if in fact a user has "Read only" authority, they will not be able to change the file with ODBC.
Many OS/400 administrators assume that the reader has "Read Only" because some application menu option, or some application unique security system is supposed to prevent a user from changing data. This is a big mistake! Menu Security and application-based security schemes are not effective security screens in today's computing environment. If a the OS/400 operating system provides the enduser with *CHANGE or *ALL authority to the data, tools such as ODBC, DDM, and FTP (to name just a few) will allow that user to change, or delete that data at will.
If you are concerned about ODBC access, look at the authority for the files in question. If the end user, the group that the user belongs to, or the *PUBLIC has more than *USE authority to the data, then yes, the user will be able to change the data with ODBC.
If you have this situation you have two main options, remove the users excess authority from the object (if your applications will allow), or implement Exit Program security that will regulate the users of ODBC.
MORE INFORMATION ON THIS TOPIC
The Best Web Links: tips, tutorials and more.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Search400's targeted search engine: Get relevant information on security.
Dig Deeper on iSeries physical security
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.