ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddp_5.4.0.1/rbal1objsec.htm

115 lines
7.7 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Object-related security for DRDA" />
<meta name="abstract" content="If the iSeries server is an application server (AS), there are two object-related levels at which security can be enforced to control access to its relational database tables." />
<meta name="description" content="If the iSeries server is an application server (AS), there are two object-related levels at which security can be enforced to control access to its relational database tables." />
<meta name="DC.subject" content="user exit program" />
<meta name="keywords" content="user exit program" />
<meta name="DC.Relation" scheme="URI" content="rbal1secure.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/chgneta.htm" />
<meta name="DC.Relation" scheme="URI" content="../books/sc415406.pdf" />
<meta name="DC.Relation" scheme="URI" content="../cl/dspneta.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/rtvneta.htm" />
<meta name="DC.Relation" scheme="URI" content="rbal1exitpgms.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbal1objsec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Object-related security for DRDA</title>
</head>
<body id="rbal1objsec"><a name="rbal1objsec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Object-related security for DRDA</h1>
<div><p>If the <span class="keyword">iSeries™ server</span> is
an application server (AS), there are two object-related levels at which security
can be enforced to control access to its relational database tables.</p>
<p> The DDMACC parameter is used on the <span class="cmdname">Change Network Attributes
(CHGNETA)</span> command to indicate whether the tables on this server
can be accessed at all by another system and, if so, at which level of security
the incoming DRDA<sup>®</sup> requests
are to be checked. </p>
<ul><li>If *REJECT is specified on the DDMACC parameter, all distributed relational
database requests received by the AS are rejected. However, this system (as
an application requester (AR)) can still use SQL requests to access tables
on other systems that allow it. No remote system can access a database on
any <span class="keyword">iSeries server</span> that specifies
*REJECT. <p>If *REJECT is specified while an SQL request is already in use,
all <em>new</em> jobs from any system requesting access to this system's database
are rejected and an error message is returned to those jobs; existing jobs
are not affected.</p>
</li>
<li>If *OBJAUT is specified on the DDMACC parameter, normal object-level security
is used on the AS. <p>The DDMACC parameter is initially set to *OBJAUT. A
value of *OBJAUT allows all remote requests, but they are controlled by the
object authorizations on this AS. If the DDMACC value is *OBJAUT, the user
profile used for the job must have appropriate object authorizations through
private, public, group, or adopted authorities, or the profile must be on
an authorization list for objects needed by the AR job. For each SQL object
on the system, all users, no users, or only specific users (by user ID) can
be authorized to access the object.</p>
<p>The user ID that must be authorized
to objects is the user ID of the AS job. See the <a href="../ddm/rbae5elementappc.htm">Elements of DDM Security in an APPC network </a> topic for
information about what user profile the AS job runs under.</p>
<p>In the case
of a TCP/IP connection, the server job initially starts running under QUSER.
After the user ID is validated, an exchange occurs so that the job then runs
under the user profile specified on the connection request. The job inherits
the attributes (for example, the library list) of that user profile.</p>
<p>When
the value *OBJAUT is specified, it indicates that no further verification
(beyond <span class="keyword">iSeries</span> object level
security) is needed.</p>
</li>
<li>For DDM jobs, if the name of an optional, user-supplied user exit program
(or access control program) is specified on the DDMACC parameter, an additional
level of security is used. The user exit program can be used to control whether
a user of a DDM client can use a specific command to access a specific file
on the iSeries server.
<p>For DRDA jobs,
if the name of an optional, user-supplied user exit program (access control
program) is specified on the DDMACC parameter, the system treats the entry
as though *OBJAUT were specified, with one exception. The only effect that
a user-written exit program can have on a DRDA job is to reject a connection request. </p>
</li>
</ul>
<p>The DDMACC parameter, initially set to *OBJAUT, can be changed to one of
the previously described values by using the <span class="cmdname">Change Network Attributes
(CHGNETA)</span> command, and its current value can be displayed by the <span class="cmdname">Display
Network Attributes (DSPNETA)</span> command. You can also get the value
in a CL program by using the <span class="cmdname">Retrieve Network Attributes (RTVNETA)</span> command.</p>
<p>If the DDMACC parameter value is changed, although it takes effect immediately,
it affects only <em>new</em> distributed relational database jobs started on
this system (as the AS). Jobs running on this AS before the change was made
continue to use the old value.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1secure.htm" title="The iSeries server has security elements built into the operating system to limit access to the data resources of an application server. Security options range from simple physical security to full password security coupled with authorization to commands and data objects.">Security</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="../books/sc415406.pdf " target="_blank">Communications Management PDF</a></div>
<div><a href="rbal1exitpgms.htm" title="A security feature of the Distributed Relational Database Architecture (DRDA) server, for use with both Advanced Program-to-Program Communication (APPC) and TCP/IP, extends the use of the DDMACC parameter of the Change Network Attributes (CHGNETA) command to DRDA.">DRDA server access control exit programs</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../cl/chgneta.htm">Change Network Attributes (CHGNETA) command</a></div>
<div><a href="../cl/dspneta.htm">Display Network Attributes (DSPNETA) command</a></div>
<div><a href="../cl/rtvneta.htm">Retrieve Network Attributes (RTVNETA) command</a></div>
</div>
</div>
</body>
</html>