Risks and recommendations

Use the instructions in this topic to protect the files on your system.

Normal security measures on your system might not provide sufficient protection if the IBM i Access program is installed on your system. For example, if a user has *USE authority to a file and the PCSACC network attribute is *OBJAUT, the user can use the IBM i Access program and a program on the personal computer to transfer that entire file to the personal computer. The user can then copy the data to tape and remove it from the premises.

Several methods are available to prevent an IBM i user with *USE authority to a file from copying the file:
  • Setting LMTCPB(*YES) in the user profile.
  • Restricting authority to commands that copy files.
  • Restricting authority to commands used by IBM i Access.
  • Not giving the user *ADD authority to any library. *ADD authority is required to create a new file in a library.
  • Not giving the user access to any *SAVRST device.

None of these methods work for the PC user of the IBM i Access licensed program. Using an exit program to verify all requests is the only adequate protection measure.

The IBM i Access program passes information for the following types of access to the user exit program called by the PCSACC network attribute:
  • File transfer
  • Virtual print
  • Message
  • Shared folder
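
The following CL sketch shows what a deny-by-default exit program for the four request types above can look like. It is an added example, not IBM-supplied code. The names PCSEXIT, SECLIB and XFERADMIN are hypothetical. The parameter layout (a 1-byte return code, then a request structure that starts with a 10-byte user profile and a 10-byte application name) and the application names are assumptions to verify against the exit program documentation for your release.

```cl
/* Added example: PCSACC exit program, hypothetical name SECLIB/PCSEXIT. */
/* Assumed layout of parameter 2: user profile in bytes 1-10,            */
/* application name in bytes 11-20. Only those fields are read.          */
PGM        PARM(&RTNCODE &REQUEST)
  DCL        VAR(&RTNCODE) TYPE(*CHAR) LEN(1)   /* '1' = allow, '0' = reject */
  DCL        VAR(&REQUEST) TYPE(*CHAR) LEN(20)  /* leading fields only       */
  DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL        VAR(&APP)     TYPE(*CHAR) LEN(10)
  DCL        VAR(&MSG)     TYPE(*CHAR) LEN(80)

  /* Fail closed: any unexpected error ends in a rejection. */
  MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(REJECT))

  CHGVAR     VAR(&RTNCODE) VALUE('0')
  CHGVAR     VAR(&USER) VALUE(%SST(&REQUEST 1 10))
  CHGVAR     VAR(&APP)  VALUE(%SST(&REQUEST 11 10))

  /* File transfer: only the designated transfer profile (hypothetical). */
  IF         COND((&APP *EQ '*TFRFCL') *AND (&USER *EQ 'XFERADMIN')) +
               THEN(GOTO CMDLBL(ALLOW))

  /* Virtual print and message requests: allowed for all users. */
  IF         COND((&APP *EQ '*VPRT') *OR (&APP *EQ '*MSGFCL')) +
               THEN(GOTO CMDLBL(ALLOW))

  /* Anything else, including shared folders (*FLRSRV), is rejected. */

REJECT:
  CHGVAR     VAR(&RTNCODE) VALUE('0')
  CHGVAR     VAR(&MSG) VALUE('PCSACC exit rejected' *BCAT &APP +
               *BCAT 'request from' *BCAT &USER)
  SNDPGMMSG  MSG(&MSG) TOMSGQ(QSYSOPR)
  MONMSG     MSGID(CPF0000)   /* a logging failure must not allow access */
  RETURN

ALLOW:
  CHGVAR     VAR(&RTNCODE) VALUE('1')
ENDPGM
```

The program takes effect once the PCSACC network attribute names it, for example with CHGNETA PCSACC(SECLIB/PCSEXIT). Keep the program and its library changeable only by security administrators, because anyone who can replace the program controls the access decision.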