Object authority with workstation access
When you set up authority for objects, you need to evaluate what that authority provides for the PC user.
For example, when a user has *USE authority to a file, the user can view or print data in the file. The user cannot change information in the file or delete the file. For the PC user, viewing is equivalent to reading, which provides sufficient authority for the user to make a copy of a file on the PC. This may not be what you intend.
For some critical files, you may need to set the public authority to *EXCLUDE to prevent downloading. You can then provide another method to view the file on the server, such as using a menu and programs that adopt authority. Another option to prevent downloading is to use an exit program that runs whenever a PC user starts a server function, other than interactive signon.
You can specify an exit program in the PCSACC network attribute by using the Change Network Attribute (CHGNETA) command. Or, you can register exit programs by using the Work with Registration Information (WRKREGINF) command. The method that you use depends on how PCs are accessing data on your system and which client program the PCs use. The exit program (QIBM_QPWFS_FILE_SERV) applies to IBM i Access and Net Server access to integrated file system. It does not prevent access from a PC with other mechanisms, such as FTP or ODBC.
PC software typically provides upload capability also, so that a user can copy data from the PC to a server database file. If you have not set up your authority scheme correctly, a PC user might overlay all of the data in a file with data from a PC. You need to assign *CHANGE authority carefully. Review the Authority required for objects used by commands topic in Security reference to understand what authority is required for file operations.
Users must have *CHANGE authority to sign on at a workstation. If the QLMTSECOFR system value is no (0), the security officer or anyone with *ALLOBJ authority can sign on at any workstation. If the QLMTSECOFR system value is yes (1), use these guidelines to set authority to workstations:
Users allowed to sign on at workstation | Public authority | QSECOFR authority | Individual user authority |
---|---|---|---|
All users | *CHANGE | *CHANGE | Not required |
Only selected users | *EXCLUDE | No authority | *CHANGE |
Selected users and users with authority to all objects | *EXCLUDE | *CHANGE | *CHANGE |
All users except users with authority to all objects | *CHANGE | No authority | Not required |
- Functions that are available to PC users who are connected to your system
- Resources of IBM Systems that PC users can access.
Before you restrict access to the system operator message queue, use the EDTOBJAUT command to secure workstations, based on the information in your Output Queue and Workstation Security form.