iSeries object-level security question

Tags: AS/400, Security
This iSeries user is trying to augment his object-level security with exit programs. He's working on one now to control ODBC using the QIBM_QZDA_SQL2 exit point. His question is: What is the proper authority for an exit program and its log file? All of his users without *ALLOBJ bypass his exit program. The job logs for their QZDASOINIT jobs show many "Attempt to use permanent system object ExitLib without authority" messages, where ExitLib is the library where his exit program is stored. The connections are being allowed. Do you have any advice? -- Michelle Davidson, editor, Search400.com

Answer Wiki


The library and the exit programs should have *PUBLIC *USE authority.

==========================================================

Be VERY careful when assigning exit programs, especially any exit programs that return Accept/Reject flags. If you return Reject, the server will not allow the transaction. If you return Accept, be SURE that you understand how the server will act upon the value — some exit programs can cause servers to Accept a transaction even if this contradicts normally expected i5/OS object security, in some cases even if the user requesting the service does not exist.

Server exit programs can restrict or widen access capabilities. Test, and test, and test again. If PTFs are applied, or you do an upgrade, go through the entire test cycle again (ideally, before upgrading your production system).

"What is the proper authority for an exit program and its log file?"

As the joblog error directly implies, the program and library must have *PUBLIC *USE authority in order for the exit program even to be called. The program may be compiled as USRPRF(*OWNER) to allow the program to access any objects that it needs to do its work. Those objects may then be *PUBLIC *EXCLUDE as long as the program owner has sufficient authority to use the objects as needed.

Tom
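
The authority setup described in the answers above, written out as CL commands. This is an added example, not part of the original answers: EXITPGM, EXITLOG and EXITOWN are hypothetical names, EXITLIB stands in for the ExitLib library from the question, and EXITOWN is assumed to be a profile holding only the authority the exit program needs.

```cl
/* Added example. EXITPGM, EXITLOG and EXITOWN are hypothetical names;   */
/* EXITLIB stands in for the ExitLib library named in the question.      */

/* 1. Give the program and its log file to the owning profile. The       */
/*    program adopts this profile's authority, so EXITOWN is assumed to  */
/*    hold only what the exit program needs to do its work.              */
CHGOBJOWN OBJ(EXITLIB/EXITPGM) OBJTYPE(*PGM) NEWOWN(EXITOWN)
CHGOBJOWN OBJ(EXITLIB/EXITLOG) OBJTYPE(*FILE) NEWOWN(EXITOWN)

/* 2. Library and program get *PUBLIC *USE so that every user's          */
/*    QZDASOINIT job can call the exit program. Without this, the job    */
/*    log shows the "without authority" message from the question.       */
/*    REPLACE(*YES) sets *PUBLIC to exactly *USE.                        */
GRTOBJAUT OBJ(EXITLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE) REPLACE(*YES)
GRTOBJAUT OBJ(EXITLIB/EXITPGM) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE) REPLACE(*YES)

/* 3. Have the program run with its owner's authority.                   */
CHGPGM PGM(EXITLIB/EXITPGM) USRPRF(*OWNER)

/* 4. Close the log file to the public. The exit program still reaches   */
/*    it through the authority adopted from EXITOWN.                     */
GRTOBJAUT OBJ(EXITLIB/EXITLOG) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 5. Check the result: *PUBLIC should show *USE on the library and      */
/*    program and *EXCLUDE on the log file; DSPPGM shows the user        */
/*    profile attribute as *OWNER.                                       */
DSPOBJAUT OBJ(EXITLIB) OBJTYPE(*LIB)
DSPOBJAUT OBJ(EXITLIB/EXITPGM) OBJTYPE(*PGM)
DSPOBJAUT OBJ(EXITLIB/EXITLOG) OBJTYPE(*FILE)
DSPPGM PGM(EXITLIB/EXITPGM)
```

After the change, connect as a user without *ALLOBJ and confirm that the QZDASOINIT job log no longer shows the authority message and that the exit program's log file records the request.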
