ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddm_5.4.0.1/rbae5exitpgm.htm

93 lines
7.4 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="DDM server access control exit program for additional security" />
<meta name="abstract" content="Customers who use menu-level security, which is accomplished by restricting the user's access to functions on the server, are likely to have a large number of public files. Public files are those files to which the public has some or all authority. A user exit program allows you to restrict each DDM user's access to public files and to private files." />
<meta name="description" content="Customers who use menu-level security, which is accomplished by restricting the user's access to functions on the server, are likely to have a large number of public files. Public files are those files to which the public has some or all authority. A user exit program allows you to restrict each DDM user's access to public files and to private files." />
<meta name="DC.subject" content="security, user exit program" />
<meta name="keywords" content="security, user exit program" />
<meta name="DC.Relation" scheme="URI" content="rbae5ddm1.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5userrequirement.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5userparameterl.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5userexitpgmex.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5parameterlist.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5exitpgms.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5uepcsd.htm" />
<meta name="DC.Relation" scheme="URI" content="rbae5elementappc.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbae5exitpgm" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>DDM server access control exit program for additional security</title>
</head>
<body id="rbae5exitpgm"><a name="rbae5exitpgm"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">DDM server access control exit program for additional security</h1>
<div><p>Customers who use menu-level security, which is accomplished by
restricting the user's access to functions on the server, are likely to have
a large number of public files. <dfn class="term">Public files</dfn> are those files
to which the public has some or all authority. A user exit program allows
you to restrict each DDM user's access to public files and to private files.</p>
<div class="section"><p>The name of the program must be specified on the DDMACC parameter
of the <span class="cmdname">Change Network Attributes (CHGNETA)</span> command.</p>
</div>
<div class="section"><p>User exit programs also let you block or filter DDM connection
requests. All connection requests made by a DDM source system
can be denied, or access to selected users can be granted. The user exit program
must exist on the target server. The target DDM support calls this program:</p>
<ul><li>For each user's <em>initial</em> reference to a file to verify whether the
user can have access to the file. When a file is referred to for I/O operations,
this verification occurs only once, when the file is opened. The user exit
program indicates to the TDDM whether the access request is accepted or rejected.</li>
<li>For each DDM connection request.</li>
<li>For each of the other functions listed in the <em>Subapplication</em> field
of the table in <a href="rbae5userparameterl.htm#rbae5userparameterl__rbae5exittbl">Table 1</a>.</li>
</ul>
</div>
<div class="section"><p>When a user exit program is specified, the TDDM first checks for
errors in the access request that is received from the source server. If no
errors are detected, the TDDM builds the parameter list, calls the user exit
program, and passes the parameter list to it.</p>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rbae5userrequirement.htm">User exit program requirement</a></strong><br />
The purpose of the exit program created by the user is to determine whether a user's access request is to be accepted or rejected. It does so using the values that are passed to it in the parameter list.</li>
<li class="ulchildlink"><strong><a href="rbae5userparameterl.htm">User exit program parameter list for DDM</a></strong><br />
The user exit program on the target server passes two parameter values: a character return code field and a character data structure containing various parameter values.</li>
<li class="ulchildlink"><strong><a href="rbae5userexitpgmex.htm">User exit program example for DDM</a></strong><br />
This user exit program represents the source code for a program that is created by a security officer on a remote system in Chicago.</li>
<li class="ulchildlink"><strong><a href="rbae5parameterlist.htm">Parameter list example for DDM</a></strong><br />
The commands in this topic are in a CL program that a user named KAREN on the source server (NEWYORK) is using. The remote location configuration of the target server (CHICAGO) specifies SECURELOC(*YES) for the NEWYORK source server. This action indicates that user IDs are to be sent and that a user profile for KAREN exists on the target server.</li>
<li class="ulchildlink"><strong><a href="rbae5exitpgms.htm">DRDA server access control exit programs with example</a></strong><br />
A security feature of the DRDA<sup>®</sup> server, for both APPC and TCP/IP use,
extends the use of the DDMACC parameter of the <span class="cmdname">CHGNETA</span> command
to DRDA<sup>®</sup>. </li>
<li class="ulchildlink"><strong><a href="rbae5uepcsd.htm">User exit program considerations for DDM</a></strong><br />
There are some considerations that you should understand before using user exit programs for DDM.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbae5ddm1.htm" title="This topic describes how iSeries security relates to DDM, and how it can limit access to the data resources of a target server by source server programs and users.">Security</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rbae5elementappc.htm" title="When Distributed Relational Database Architecture (DRDA) is used, the data resources of each server in the DRDA environment should be protected.">Elements of security in an APPC network</a></div>
</div>
</div>
</body>
</html>