Risks and recommendations
Use the instructions in this topic to protect the files on your system.
Normal security measures on your system might not provide sufficient protection if the IBM® i Access program is installed on your system. For example, if a user has *USE authority to a file and the PCSACC network attribute is *OBJAUT, the user can use the IBM i Access program and a program on the personal computer to transfer that entire file to the personal computer. The user can then copy the data to a PC diskette or tape and remove it from the premises.
Several methods are available to prevent an IBM i user with *USE authority to a file from copying the file:
- Setting LMTCPB(*YES) in the user profile.
- Restricting authority to commands that copy files.
- Restricting authority to commands used by IBM i Access.
- Not giving the user *ADD authority to any library. *ADD authority is required to create a new file in a library.
- Not giving the user access to any *SAVRST device.
None of these methods work for the PC user of the IBM i Access licensed program. Using an exit program to verify all requests is the only adequate protection measure.
The IBM i Access program passes information for the following types of access to the user exit program called by the PCSACC network attribute:
- File transfer
- Virtual print
- Message
- Shared folder