i5 Query Security

AS/400 Query
I5 security
Are there any commercial security programs that will secure the query function on the AS/400?

We have user menus that keep users from viewing and changing critical files.

However, we also have users who go into query and save the results of the query anywhere on the system.  I'm concerned that someone will save the results of a query and overwrite an existing file.

I can't change the authorities on our files because this might interfere with our existing programs.

Any suggestions would be appreciated.


Answer Wiki


Query has always been a ‘tricky’ area to get right.

On the one hand, we need to give users an ability to access data as part of their job, and to conduct ‘new’ queries we don’t know we need yet. OTOH, data has to be kept away from prying eyes, and especially so in the financial sector, where we even ban cellphones because the camera can walk away with screen shots.

So, you can’t control access to the file objects, you can’t limit functionality of Query itself..

You *could* start by channelling all use of query tools through a menu item. You mention menus, so you could also set up a menu page of the queries routinely used, and limit access to them; if you still use Query/400 then allow runqry *select only. If you use QM queries, STRQMQRY and use variables to allow you to prevent the query from being changed.

Only users with suitable training and authorities get to use the query menu items.

You can go further – I’ve worked with and on some moderately sophisticated user level front ends which resolve to
1) a few tables which define fields, files, and joins
2) some tables to define query names and run time options, selected field values within query names, valid users etc
and the clever bit
a user selects which fields they are interested in, and the values they are selecting on, the system works out the joins, and constructs the query, output to a library or outQ of *our* choosing for a given user. Keeps the query definition, and allows a user to select to use it or change it next time they are in there.

Lots of work of course, but you get to control the data that can be accessed, the fields on the files the user can ‘see’, who can run them, and where and what type of output is produced.

bonne chance!
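
The table-driven front end described in the answer above, as a minimal sketch added here (not the answerer's code and not any product's). All file, field, user and library names are constructed, and the join handling assumes every additional file joins directly to the first one.

```python
# Added illustration: every file, field, user and library name is constructed.
FIELDS = {  # field -> owning file (the "fields and files" tables)
    "CUSTNO": "CUSTMAST", "CUSTNAME": "CUSTMAST",
    "ORDNO": "ORDHDR", "ORDTOTAL": "ORDHDR",
    "SALARY": "PAYROLL",
}
JOINS = {  # (file, file) -> join condition (the "joins" table)
    ("CUSTMAST", "ORDHDR"): "CUSTMAST.CUSTNO = ORDHDR.CUSTNO",
}
USERS = {  # valid users: fields they may see, and the output library we chose
    "JSMITH": {"fields": {"CUSTNO", "CUSTNAME", "ORDNO", "ORDTOTAL"},
               "outlib": "QRYOUTJS"},
}


class QueryDenied(Exception):
    """Raised when a request falls outside what the tables allow."""


def build_query(user, select, where):
    """Return (sql, params, output_target) or raise QueryDenied."""
    profile = USERS.get(user)
    if profile is None:
        raise QueryDenied(f"{user} is not a valid query user")
    if not select:
        raise QueryDenied("at least one output field is required")
    wanted = list(select) + [f for f in where if f not in select]
    for f in wanted:  # names must come from the tables, never from free text
        if f not in FIELDS or f not in profile["fields"]:
            raise QueryDenied(f"field {f} not permitted for {user}")
    files = sorted({FIELDS[f] for f in wanted})
    sql_from = files[0]
    for other in files[1:]:  # the system works out the joins, not the user
        cond = JOINS.get((files[0], other)) or JOINS.get((other, files[0]))
        if cond is None:
            raise QueryDenied(f"no defined join between {files[0]} and {other}")
        sql_from += f" JOIN {other} ON {cond}"
    cols = ", ".join(f"{FIELDS[f]}.{f}" for f in select)
    sql = f"SELECT {cols} FROM {sql_from}"
    if where:  # selection values travel as parameters, not as SQL text
        sql += " WHERE " + " AND ".join(f"{FIELDS[f]}.{f} = ?" for f in where)
    # The output object is derived by the system; the user never names it,
    # so a query result cannot be pointed at an existing production file.
    target = f"{profile['outlib']}/{user[:6]}OUT"
    return sql, list(where.values()), target
```
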

Discuss This Question: 1  Reply

  • TomLiotta
    I'm not aware of any, though there are some controls that can be imposed on some queries through network interfaces. Because you asked, I can say that there are commercial products that might come close, though. See, for example, the DataThread product. (DISCLAIMER: I am employed by PowerTech.) The product doesn't quite control a "query function" but rather provides more control over who can take what actions against files, no matter what function is used.

    For your actual question, which "query function"? There are a number of them. Some, such as QM queries, provide built-in controls for restricting operations like DELETE. Others, like Query for iSeries (or Query/400), have no such controls. Whether or not there is any means for control will depend heavily upon the particular "query function" you're asking about. And even if you do control one or more of them, the others usually still won't be controlled.

    The way to do it natively is through resource security. If you give users the authority to replace files, then controlling "query functions" won't stop them from replacing files. But sometimes a commercial product can help get past problems like insufficient resource security.

    Tom
