Risks and recommendations
Use the instructions in this topic to protect the files on your system.
Normal security measures on your system might not be sufficient protections if the IBM® i Access program is installed on your system. For example, if a user has *USE authority to a file and the PCSACC network attribute is *OBJAUT, the user can use the IBM i Access program and a program on the personal computer to transfer that entire file to the personal computer. The user can then copy the data to a PC diskette or tape and remove it from the premises.
Several methods are available to prevent a IBM i user with *USE authority to a file from copying the file:
- Setting LMTCPB(*YES) in the user profile.
- Restricting authority to commands that copy files.
- Restricting authority to commands used by IBM i Access.
- Not giving the user *ADD authority to any library. *ADD authority is required to create a new file in a library.
- Not giving the user access to any *SAVRST device.
None of these methods work for the PC user of the IBM i Access licensed program. Using an exit program to verify all requests is the only adequate protection measure.
The IBM i Access program passes information for the following types of access to the user exit program called by the PCSACC network attribute:
- File transfer
- Virtual print
- Shared folder