AS/400 query security

I have a library we will call liba. In liba I have files for different companies. For example: file aa01.itm is an inventory file for co# 01 and bb01.cms is a customer file for co# 01. I also have files aa07.itm and bb07.cms. These files are for co# 07. I want to grant someone access to only the files for co# 07 when using query. Is this possible?

Software/Hardware used:
as400 9207-515
ASKED: January 23, 2011  3:41 PM
UPDATED: December 7, 2013  2:35 AM

Answer Wiki


Yes, but it would be easier if you separated the company data each into its own library. Then you can lock down everything with fewer commands.

The security of an object all depends on the authorities defined to the objects and the authorizations defined to the profiles.

When you have objects sharing a library, you will need to address the security of each object individually, or purchase a security package that helps manage them more easily.

Hope this helps.

Discuss This Question: 1  Reply

 
  • TomLiotta
    You might create a set of authorization lists -- one or more for each company. Assign the authorization list for co# 01 to the files associated with co# 01, and do the same for each company. Each file will then be listed on an authorization list, but the list will be different for different companies.

    Then create group profiles for each company. Add the group profile for co# 01 to the authorization list for co# 01, and do the same for each company. Each file for co# 01 will then be authorized to the group profile for co# 01.

    Then assign group profiles to the user profiles. A user for co# 01 would be assigned as a group member of the group profile for co# 01. As a member of the group, the group authorities may be used to access the files.

    The files should have public authority revoked. Public authority may be assigned for each file directly as USER(*PUBLIC) AUT(*EXCLUDE), or it may be assigned indirectly as USER(*PUBLIC) AUT(*AUTL) where the authorization list supplies the *EXCLUDE for public.

    Once that general structure exists, none of the users will be allowed to see files for a different company and they will have access to all files for their own company. Further, any new users can be given access simply by making them members of the particular company's group. (And removing group membership also removes authority.)

    If unusual cases arise where some user needs access to files from two companies, that user can be made a member of both groups. A user may be a member of as many as 15 groups beyond his/her primary group. If situations arise where access is needed to more than 16 companies, there are refinements available.

    In order to assign an authorization list to a file, the file cannot be in use -- it must be able to be allocated exclusively to the process that assigns the authorization list. (Exclusivity is needed whenever authorities are changed for an object.) The process may complete in a split second, or it may take a few seconds if a large number of authorities are already assigned for the file or if the file has multiple members (database file members, not 'group' members). Once authorities are changed to be handled through an authorization list, future changes will be to the authorization list; so exclusive locks on the files will no longer be needed.

    It would be better if the companies were all assigned their separate libraries. Then you'd only need to authorize a library per company. A user from one company couldn't get into a library for a different company, so you wouldn't be worried as much about individual files. But the same separation can be done at the file level -- it just requires handling authorities for more objects.

    Tom
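The authorization-list scheme described in the reply above, written out as CL commands. This is an added example, not part of the original thread: CO01AUTL, CO07AUTL, GRPCO07 and QRYUSER07 are assumed names, while LIBA and the file names come from the question.

```cl
/* Assumed names: CO01AUTL, CO07AUTL, GRPCO07, QRYUSER07.            */
/* LIBA and the four file names are taken from the question.         */

/* 1. One authorization list per company; the list's public          */
/*    authority is *EXCLUDE.                                         */
CRTAUTL    AUTL(CO01AUTL) AUT(*EXCLUDE) TEXT('Files for co# 01')
CRTAUTL    AUTL(CO07AUTL) AUT(*EXCLUDE) TEXT('Files for co# 07')

/* 2. Group profile for co# 07. PASSWORD(*NONE) means nobody can     */
/*    sign on as the group itself.                                   */
CRTUSRPRF  USRPRF(GRPCO07) PASSWORD(*NONE) TEXT('Group for co# 07')

/* 3. Put the group on its company's list. *USE is enough to read    */
/*    the files; it does not allow changing the data.                */
ADDAUTLE   AUTL(CO07AUTL) USER(GRPCO07) AUT(*USE)

/* 4. Secure each file with its company's list, then make public     */
/*    authority come from the list (*AUTL -> *EXCLUDE).              */
/*    Each file must be free for an exclusive lock at this point.    */
GRTOBJAUT  OBJ(LIBA/AA07.ITM) OBJTYPE(*FILE) AUTL(CO07AUTL)
GRTOBJAUT  OBJ(LIBA/AA07.ITM) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT  OBJ(LIBA/BB07.CMS) OBJTYPE(*FILE) AUTL(CO07AUTL)
GRTOBJAUT  OBJ(LIBA/BB07.CMS) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/*    The co# 01 files need the same treatment, otherwise a co# 07   */
/*    user could still reach them through public authority.          */
GRTOBJAUT  OBJ(LIBA/AA01.ITM) OBJTYPE(*FILE) AUTL(CO01AUTL)
GRTOBJAUT  OBJ(LIBA/AA01.ITM) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT  OBJ(LIBA/BB01.CMS) OBJTYPE(*FILE) AUTL(CO01AUTL)
GRTOBJAUT  OBJ(LIBA/BB01.CMS) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 5. Make the query user a member of the co# 07 group. If the user  */
/*    already has a primary group, use SUPGRPPRF(GRPCO07) instead.   */
CHGUSRPRF  USRPRF(QRYUSER07) GRPPRF(GRPCO07)

/* 6. Verify: who is on the list, which objects it secures, and the  */
/*    resulting authority on one file.                               */
DSPAUTL    AUTL(CO07AUTL)
DSPAUTLOBJ AUTL(CO07AUTL)
DSPOBJAUT  OBJ(LIBA/AA07.ITM) OBJTYPE(*FILE)
```

Private authorities already granted on a file stay in place after step 4, so review the DSPOBJAUT output for leftover entries, and note that a profile with *ALLOBJ special authority is not restricted by any of this.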