Block Crystal Reports from iSeries access

6345 pts.
Tags:
Crystal Reports
iSeries
We have a user who wants to use Crystal Reports to access data on an MS SQL server. She also has access to view limited data on the iSeries using an iSeries application with built-in security. How can we prevent her from accessing data on the iSeries using Crystal Reports. Is there a service we can disable?

Software/Hardware used:
i5/OS 6.1, Crystal Reports

Answer Wiki

Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Discuss This Question: 7  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    It might depend on what is meant by "application with built-in security". I would expect that to mean that the application provides the authority because the user's authority is insufficient. In such a case, there shouldn't be anything to do about Crystal Reports.   But you wouldn't be asking if that was the case. So can you clarify?   Tom
    125,585 pointsBadges:
    report
  • WoodEngineer
    The iSeries application is working well with the security we need.  No issues there. Since Crystal Reports can connect to the iSeries we need to block that connection.  We can not block the user's profile else they will be denied access to data to which they are authorized. We are looking for a technique to block Crystal Reports from connecting to, and pulling data from, the iSeries.  
    6,345 pointsBadges:
    report
  • TomLiotta
    If you can't tell us about the application nor about how it applies security, we can't know how Crystal Reports might appear to be different from the system's perspective.   So, the only useful suggestion would probably be to capture a series of exit point parameter structures for both the application and for Crystal Reports requests. After good representative sets are logged, compare them and look for significant differences. When you find differences, determine if an exit program's logic could make the decision to accept or reject the requests.   Also, be sure to verify that Crystal Reports requests don't match the formats of other potential connections. One possibility might be references to SQL package names that would be unique to Crystal Reports.   Tom
    125,585 pointsBadges:
    report
  • WoodEngineer
    Yesterday I learned from the iSeries Support Center that Crystal Reports uses ODBC when working with the iSeries.  Simply blocking a user from that service solves the problem.  There are several methods of doing this which do not require writing exit points.
    6,345 pointsBadges:
    report
  • TomLiotta
    If you can describe an alternative, it would be educational for all members. A method might work for your site while being trouble for others.   If the other application does not use ODBC, then there is no conflict. It would have been easier if there was a little info that differentiated the two. As for how to block ODBC for a user, if object authority isn't sufficient, then exit programming is just about the only choice for sites in general.   There are some related methods that can be partially successful.   E.g., iNav exposes access to WRKFCNUSG, 'Work with Function Usage', through its Application Administration feature. There you can select or deselect access to ODBC for users or groups. But be aware that it is only effective for ODBC that honors the settings, e.g., iSeries Access for Windows ODBC that is properly fixed. IBM is clear on "Do not use Application Administration as a security tool." Non-iSeries Access ODBC is unlikely to be affected, and even iSeries Access ODBC might ignore the settings.   Other possibilities can have similar issues. Without knowing what is involved, it's not possible to comment with any detail. What can be fairly certain is that object security is the correct way to do it. If that cannot be done in a timely fashion, rejecting transaction through exit point interception is the next most certain method.   Firewalling can be useful if network administration allows it without interfering with any other communication through the ports. IP packet filtering can also be useful if IP addresses are controlled, but maintenance takes some attention.   Exit programing is the only (non-object security) way I know of to catch ODBC by user with potential to limit to Crystal Reports.   Tom
    125,585 pointsBadges:
    report
  • WoodEngineer
    IBM's WRKFCNUSG to the rescue!  By denying access to function ID  QIBM_DB_ZDA  at the user profile level we can prevent a user from accessing iSeries data using ODBC and JDBC.  This technique provides the security we need without writing an exit point program. There are quite a few function IDs on the iSeries which allow an administrator to really fine tune access to data. 
    6,345 pointsBadges:
    report
  • TomLiotta
    Just always remain aware that WRKFCNUSG (and iNav's Application Administration interface to it) does not block ODBC/JDBC. It provides a kind of repository for clients to query. It's up to the clients to decide to honor it or not. (You can use it to create your own software app controls, too, even native software. The iSeries Access ODBC driver does honor the settings; but if someone uses a different driver (StarSQL, Hit! ODBC, etc.), it's unlikely to have any effect. Hence, IBM's warning above. -- Tom
    125,585 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following