Iseries Object Security

valmatic
Hi.  I'm running OS400 V7R1 on an IBM Iseries system.  I've created a new user with minimal access.    User Class = *USER, Limit Capabilities = *YES & Special Authority = *NONE.   This user only needs to access a single object on my system via ODBC and I want to grant this user read only access to that object specifically.  Can this be accomplished by granting *USE authority for that single object?   Thanks.

Probably not, because they can still use objects that have *PUBLIC authority assigned to them.

To make the account as restricted as possible, make sure the Group Profile is *NONE, and set the Initial Program to *NONE. That stops the user from logging in, but still lets them connect via ODBC.

Author commented:
Thanks Thomas,  I have those parms locked down.  This is our first real foray into opening up our Iseries to external query so we're a little jittery about it here.

The file I do want him to access has *PUBLIC authority set to *EXCLUDE and my administrator ID set to *ALL.  Because of this, do I need to create authority specifically for that user over this file to allow the ODBC connection?  If necessary, authority would be set to *USE.
Gary Patterson, VP Technology / Senior Consultant, commented:
You should be jittery - I've fixed several system disasters caused by careless implementation of ODBC/JDBC access.  Here's the deal: If you let them connect via ODBC, they will be able to access any object that has adequate *PUBLIC authority, so unless someone has locked down *PUBLIC on your system, you'll have a lot of exposures.

Remember, too, that your users may decide on their own to try to access the system using a variety of techniques and tools - all pretty easy to obtain.  Anyone can download the JTOpen kit and get JDBC drivers, and there are lots and lots of tools that work over JDBC.  We've found lots of cases in client shops where users had figured out how to access data remotely, and IT was unaware of it.

My suggestions:  if you don't already have exit point security in place, get it set up and lock down interfaces like ODBC, DDM, FTP, DRDA, etc.  Then get your *PUBLIC house in order, and only then consider allowing end users this type of access.  Personally, I don't like to let end users access production files at all.  Instead, copy (or replicate in real time) to a data warehouse system (best) or lib (still ok) to isolate users from your production files.

Meantime, push the data out to a Windows machine - CPYTOIMPF to create a CSV for example - to make the data available without giving the user access to an unknown number of objects on your IBM i.
Be aware of a couple things:

First, it's not absolutely necessary to lock down all individual objects from *PUBLIC immediately. If a library is locked down, then there is no access to individual objects within the library. In that sense, large numbers of objects may be authorized with a single setting.

However, second, if your libraries are not already *PUBLIC *EXCLUDE, setting that authority has a good chance of messing up access for a lot of users, all of whom are also part of *PUBLIC.

In short, whatever you do for *PUBLIC affects everyone who isn't otherwise authorized.
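The setup the thread converges on (restricted profile, *PUBLIC *EXCLUDE on the one file, *USE for the ODBC user, library *PUBLIC left alone), as CL commands. This is an added example and not code from any poster; the library QRYLIB, file CUSTMAST, profile ODBCQRY and the password value are placeholder names.

```cl
/* Added example, not from this thread. QRYLIB, CUSTMAST, ODBCQRY and the   */
/* password are placeholders; set a real password out of band.              */

/* 1. Restricted profile as described in the first reply: no group profile, */
/*    no initial program, no special authorities, limited capabilities.     */
CRTUSRPRF USRPRF(ODBCQRY) PASSWORD(PLACEHLDR) USRCLS(*USER) +
          LMTCPB(*YES) SPCAUT(*NONE) GRPPRF(*NONE) +
          INLPGM(*NONE) INLMNU(*SIGNOFF) +
          TEXT('Read-only ODBC query user')

/* 2. Exclude *PUBLIC from the file, then give only ODBCQRY *USE.           */
/*    *USE = *OBJOPR + *READ + *EXECUTE: the file can be opened and read    */
/*    over ODBC/SQL, but not updated, deleted or replaced.                  */
GRTOBJAUT OBJ(QRYLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QRYLIB/CUSTMAST) OBJTYPE(*FILE) USER(ODBCQRY) AUT(*USE)

/* 3. The user also needs *USE on the library itself or the file cannot be  */
/*    resolved. Grant it to this user only; do NOT change the library's     */
/*    *PUBLIC authority here, since that affects every other user, as the   */
/*    last reply warns.                                                     */
GRTOBJAUT OBJ(QRYLIB) OBJTYPE(*LIB) USER(ODBCQRY) AUT(*USE)

/* 4. Verify: the display should list *PUBLIC as *EXCLUDE and ODBCQRY       */
/*    as *USE, with no other private authorities you did not expect.        */
DSPOBJAUT OBJ(QRYLIB/CUSTMAST) OBJTYPE(*FILE)

/* 5. Review which exit programs are registered (database server exit       */
/*    points are the ODBC/JDBC lock-down the second reply recommends).      */
WRKREGINF
```

Anything else ODBCQRY can reach is whatever still carries adequate *PUBLIC authority elsewhere, which is the exposure the replies describe.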

Author commented:
Thank you both.  Lots of food for thought.  Splitting the points.
