How To
Summary
This procedure allows a user profile to read data from certain libraries and files on the system while preventing the user from changing that data. It can be used so that certain users connecting via ODBC/JDBC can only read data from a specific set of libraries.
Objective
The procedure outlined below creates a user profile to be used on the system as a read-only user that has authority to read data in a specific library but is not allowed to change the data. The procedure excludes the user from all non-IBM libraries and restricts it to a defined set of libraries.
Environment
The procedure outlined in this document uses OS-based security commands, making it compatible with all versions of the operating system.
Steps
The procedure outlined below starts by creating a user profile to be used on the system as a read-only user profile that has authority to read data in a specific library but is not allowed to change the data. The procedure excludes the user profile from all non-IBM libraries and then allows access to a defined set of libraries where the user may read data but not change it.
NOTE: This procedure does not secure access to IFS directories.
Implementation:
1) Create a new profile:
This step creates a user profile with a *USER class and no special authorities.
CRTUSRPRF USRPRF(TPAODBC) PASSWORD() TEXT('Read Only User Profile')
NOTE: Specify a password for the user profile in the PASSWORD parameter.
2) Exclude the user from all libraries:
This step excludes the user profile from all libraries on the system by granting an explicit *EXCLUDE authority on every library.
GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
3) Grant the user authority to IBM program libraries:
This step reauthorizes the user to the IBM Qxxxx libraries and the other system libraries listed below. Revoking the explicit *EXCLUDE removes the private authority entry created in Step 2, so the user's access to these libraries falls back to their *PUBLIC authority.
RVKOBJAUT OBJ(QSYS/Q*) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
RVKOBJAUT OBJ(QSYS/SYSPROC) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
RVKOBJAUT OBJ(QSYS/SYSIBM) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
RVKOBJAUT OBJ(QSYS/SYSIBMADM) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
RVKOBJAUT OBJ(QSYS/SYSSQL) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
RVKOBJAUT OBJ(QSYS/SYSTOOLS) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
NOTE: This step is required so that the user can sign on and perform work on the system.
4) Revoke the *EXCLUDE from the data library:
This step authorizes the user profile to the library that holds the objects/files used for the data inquiry operations.
RVKOBJAUT OBJ(QSYS/DATA) OBJTYPE(*LIB) USER(TPAODBC) AUT(*EXCLUDE)
NOTE: DATA is the name of the library to which the user is allowed access on the system.
NOTE: Repeat for any other libraries to which the user is allowed access.
5) Exclude the user from all the objects in the DATA library:
This step excludes the user profile from all objects in the library that holds the objects/files used for the data inquiry operations.
GRTOBJAUT OBJ(DATA/*ALL) OBJTYPE(*ALL) USER(TPAODBC) AUT(*EXCLUDE)
NOTE: The command excludes the user from all objects in the DATA library.
NOTE: Repeat if additional libraries were included in Step 4.
6) Authorize the user to the objects that are needed for the Data Inquiries:
This step authorizes the user profile to the objects used for data inquiry operations with *USE (read-only) authority.
GRTOBJAUT OBJ(DATA/*ALL) OBJTYPE(*FILE) USER(TPAODBC) AUT(*USE)
NOTE: The previous command assigns the user *USE authority to all files in the library DATA. Repeat the command with a different OBJTYPE if the user requires access to additional object types in the library.
NOTE: The exclusion of this user from objects (all libraries in Step 2, and all objects in certain libraries in Step 5) has no effect on objects created in the future. If another library is created, the user may have access to that library through its *PUBLIC authority. Public authority for new objects is determined either by the system value QCRTAUT or by the AUT value on the library description. If objects are created in the library DATA after this point, the user is not excluded from them and could potentially have access to them.
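The commands below are an added verification example and are not part of the IBM procedure above. They display the authorities the procedure leaves in place for TPAODBC, check the defaults that decide public authority on future objects (the last NOTE), and confirm from the user's own session that reads succeed and writes are rejected. The file name CUSTOMER in library DATA is an assumption used for illustration; substitute a real file from the library you authorized.

```cl
/* Added example: verify the read-only profile after Steps 1-6.        */
/* Run as an administrator (e.g. *SECOFR), not as TPAODBC.              */

/* 1. Library level: TPAODBC should NOT appear with *EXCLUDE on DATA      */
/*    (revoked in Step 4), but SHOULD still be *EXCLUDE on other          */
/*    non-IBM libraries (granted in Step 2).                              */
DSPOBJAUT OBJ(QSYS/DATA) OBJTYPE(*LIB)

/* 2. Object level: a file in DATA should list TPAODBC with *USE only     */
/*    (Step 6). CUSTOMER is an assumed file name.                         */
DSPOBJAUT OBJ(DATA/CUSTOMER) OBJTYPE(*FILE)

/* 3. Every private authority held by the profile in one report, which   */
/*    is the quickest way to spot a library that Step 2 missed.          */
DSPUSRPRF USRPRF(TPAODBC) TYPE(*OBJAUT)

/* 4. Defaults that govern objects created later (see the NOTE above):   */
/*    CRTAUT on the library description, falling back to QCRTAUT.        */
DSPLIBD  LIB(DATA)
DSPSYSVAL SYSVAL(QCRTAUT)

/* 5. Functional check, run in a session signed on as TPAODBC:           */
/*    the SELECT completes; the INSERT fails with an authority error     */
/*    (SQL0551, not authorized to object), which is the expected result. */
RUNSQL SQL('SELECT COUNT(*) FROM DATA.CUSTOMER') COMMIT(*NONE)
RUNSQL SQL('INSERT INTO DATA.CUSTOMER VALUES(DEFAULT)') COMMIT(*NONE)
```

If the library-level display in item 1 shows no entry at all for TPAODBC on a non-IBM library other than DATA, the user is reaching that library through *PUBLIC and Step 2 needs to be rerun for it; repeat item 2 for each additional object type you granted in Step 6.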
Document Location
Worldwide
Document Information
Modified date:
04 March 2025
UID
ibm17184496