Create a logical file without the fields and have the users access this file only.
You probably can’t.
Your users currently have access to two capabilities — uncontrolled access to any file in the applications and downloading. You probably have a current business environment where downloads have become an integrated part of normal procedures; normal work requires them. And you have an application environment that provides insufficient controls for anything outside of the application structure; queries supply access that the application isn’t aware of.
If you start locking down files, your application will start failing. If you block downloads, processes that incorporate Windows functions will probably be stopped cold.
And you aren’t yet willing to go to the expense of re-architecting your application security. It won’t be simple because a lot of procedures will have to change. Many of them are ones you probably aren’t aware of.
The troubling part is that it can be done, and it can be done in ways that would make everything work better than it does now.
If you’re really serious, the first controls must be placed on the PCs. You need to understand that even if you totally blocked FTP, iSeries Access file transfers, ODBC, Windows networking shares and all other common forms of downloading, then simple queries that go only to lists on a terminal emulation screen are enough to transfer your price lists to a USB thumb-drive. (Windows can “print” to files. Emulator screens can be “printed” to a Windows printer. Macros can automatically page through screens and every screen can be “printed” to a file on a thumb-drive. A user doesn’t even have to remain at the workstation; macros can do it automatically.)
If you don’t control the PCs, then there is no control as long as any information reaches the PCs. Wherever the information can flow, that’s another route of control.
Getting the idea? This isn’t a trivial task if you’re serious.
So, start by deciding how serious you are. Get a clear picture of exactly what you need to control. Not what you want to control, but what you need. Organize it.
Then write it into a security policy. Tell employees what is to be protected and what the consequences of not doing so are.
Having a written and public security policy that is enforced is going to be your best form of security.
While it’s being created, you’ll have an opportunity to review existing procedures around your assets. You might find ones that are unnecessary and others that shouldn’t be done. You might realize that some need to be done but aren’t.
When you’re finished, you’ll have a blueprint. That’s what you need in order to automate any of it. It will give you a basis for asking clear and direct questions. And you’ll know when answers are appropriate.