Iseries Object Security

Hi. I'm running OS400 V7R1 on an IBM Iseries system. I've created a new user with minimal access: User Class = *USER, Limit Capabilities = *YES & Special Authority = *NONE. This user only needs to access a single object on my system via ODBC and I want to grant this user read-only access to that object specifically. Can this be accomplished by granting *USE authority for that single object? Thanks
valmaticAsked:

ThomasMcA2Commented:
Probably not, because they can still use objects that have *PUBLIC authority assigned to them.

To make the account as restricted as possible, make sure the Group Profile is *NONE, and set the Initial Program to *NONE. That stops the user from logging in, but still lets them connect via ODBC.
valmaticAuthor Commented:
Thanks Thomas,  I have those parms locked down.  This is our first real foray into opening up our Iseries to external query so we're a little jittery about it here.

The file I do want him to access has *PUBLIC authority set to *EXCLUDE and my administrator ID set to *ALL.  Because of this, do I need to create authority specifically for that user over this file to allow the ODBC connection?  If necessary, authority would be set to *USE.
Gary PattersonVP Technology / Senior Consultant Commented:
You should be jittery - I've fixed several system disasters caused by careless implementation of ODBC/JDBC access. Here's the deal: if you let them connect via ODBC, they will be able to access any object that has adequate *PUBLIC authority, so unless someone has locked down *PUBLIC on your system, you'll have a lot of exposures.

Remember, too, that your users may decide on their own to try to access the system using a variety of techniques and tools, all pretty easy to obtain. Anyone can download the JTOpen kit and get JDBC drivers, and there are lots and lots of tools that work over JDBC. We've found lots of cases in client shops where users had figured out how to access data remotely, and IT was unaware of it.

My suggestions:  if you don't already have exit point security in place, get it set up and lock down interfaces like ODBC, DDM, FTP, DRDA, etc.  Then get your *PUBLIC house in order, and only then consider allowing end users this type of access.  Personally, I don't like to let end users access production files at all.  Instead, copy (or replicate in real time) to a data warehouse system (best) or lib (still ok) to isolate users from your production files.

Meantime, push the data out to a Windows machine - CPYTOIMPF to create a CSV for example - to make the data available without giving the user access to an unknown number of objects on your IBM i.
Member_2_276102Commented:
Be aware of a couple things:

First, it's not absolutely necessary to lock down all individual objects from *PUBLIC immediately. If a library is locked down, then there is no access to individual objects within the library. In that sense, large numbers of objects may be authorized with a single setting.

However, second, if your libraries are not already *PUBLIC *EXCLUDE, setting that authority has a good chance of messing up access for a lot of users, all of whom are also part of *PUBLIC.

In short, whatever you do for *PUBLIC affects everyone who isn't otherwise authorized.
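To make the library-versus-object point above concrete, here is an added CL example (not posted by anyone in this thread) that keeps both the library and the file at *PUBLIC *EXCLUDE and grants only the ODBC profile read access; MYLIB, MYFILE and ODBCUSR are placeholder names.

```cl
/* Added example: one profile gets read-only access to one physical file */
/* while *PUBLIC stays *EXCLUDE. MYLIB, MYFILE and ODBCUSR are            */
/* placeholders, not names from the thread.                              */

/* Close the library to everyone who is not otherwise authorized.        */
/* Check DSPOBJAUT first: anyone currently relying on *PUBLIC loses      */
/* access once this runs.                                                */
GRTOBJAUT OBJ(MYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)

/* The ODBC profile needs *EXECUTE on the library to reach objects in    */
/* it; *EXECUTE alone does not let it list or read the library's        */
/* contents.                                                             */
GRTOBJAUT OBJ(MYLIB) OBJTYPE(*LIB) USER(ODBCUSR) AUT(*EXECUTE)

/* The file: *PUBLIC *EXCLUDE, then *USE for the one profile.            */
/* *USE = *OBJOPR + *READ + *EXECUTE, i.e. SELECT but no INSERT/UPDATE/  */
/* DELETE (those need *ADD, *UPD, *DLT).                                 */
GRTOBJAUT OBJ(MYLIB/MYFILE) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(MYLIB/MYFILE) OBJTYPE(*FILE) USER(ODBCUSR) AUT(*USE)

/* Verify the result: ODBCUSR should show *USE and nothing more, and     */
/* *PUBLIC should show *EXCLUDE on both the library and the file.        */
DSPOBJAUT OBJ(MYLIB) OBJTYPE(*LIB)
DSPOBJAUT OBJ(MYLIB/MYFILE) OBJTYPE(*FILE)
```

If the profile belongs to a group, or an authorization list is attached to the object, those authorities are checked too, so review them with the same DSPOBJAUT output before trusting the private authority alone.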

valmaticAuthor Commented:
Thank you both. Lots of food for thought. Splitting the points.