115 lines
7.7 KiB
HTML
115 lines
7.7 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Object-related security for DRDA" />
|
||
|
<meta name="abstract" content="If the iSeries server is an application server (AS), there are two object-related levels at which security can be enforced to control access to its relational database tables." />
|
||
|
<meta name="description" content="If the iSeries server is an application server (AS), there are two object-related levels at which security can be enforced to control access to its relational database tables." />
|
||
|
<meta name="DC.subject" content="user exit program" />
|
||
|
<meta name="keywords" content="user exit program" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rbal1secure.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../cl/chgneta.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../books/sc415406.pdf" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../cl/dspneta.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../cl/rtvneta.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rbal1exitpgms.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rbal1objsec" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Object-related security for DRDA</title>
|
||
|
</head>
|
||
|
<body id="rbal1objsec"><a name="rbal1objsec"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Object-related security for DRDA</h1>
|
||
|
<div><p>If the <span class="keyword">iSeries™ server</span> is
|
||
|
an application server (AS), there are two object-related levels at which security
|
||
|
can be enforced to control access to its relational database tables.</p>
|
||
|
<p> The DDMACC parameter is used on the <span class="cmdname">Change Network Attributes
|
||
|
(CHGNETA)</span> command to indicate whether the tables on this server
|
||
|
can be accessed at all by another system and, if so, at which level of security
|
||
|
the incoming DRDA<sup>®</sup> requests
|
||
|
are to be checked. </p>
|
||
|
<ul><li>If *REJECT is specified on the DDMACC parameter, all distributed relational
|
||
|
database requests received by the AS are rejected. However, this system (as
|
||
|
an application requester (AR)) can still use SQL requests to access tables
|
||
|
on other systems that allow it. No remote system can access a database on
|
||
|
any <span class="keyword">iSeries server</span> that specifies
|
||
|
*REJECT. <p>If *REJECT is specified while an SQL request is already in use,
|
||
|
all <em>new</em> jobs from any system requesting access to this system's database
|
||
|
are rejected and an error message is returned to those jobs; existing jobs
|
||
|
are not affected.</p>
|
||
|
</li>
|
||
|
<li>If *OBJAUT is specified on the DDMACC parameter, normal object-level security
|
||
|
is used on the AS. <p>The DDMACC parameter is initially set to *OBJAUT. A
|
||
|
value of *OBJAUT allows all remote requests, but they are controlled by the
|
||
|
object authorizations on this AS. If the DDMACC value is *OBJAUT, the user
|
||
|
profile used for the job must have appropriate object authorizations through
|
||
|
private, public, group, or adopted authorities, or the profile must be on
|
||
|
an authorization list for objects needed by the AR job. For each SQL object
|
||
|
on the system, all users, no users, or only specific users (by user ID) can
|
||
|
be authorized to access the object.</p>
|
||
|
<p>The user ID that must be authorized
|
||
|
to objects is the user ID of the AS job. See the <a href="../ddm/rbae5elementappc.htm">Elements of DDM Security in an APPC network </a> topic for
|
||
|
information about what user profile the AS job runs under.</p>
|
||
|
<p>In the case
|
||
|
of a TCP/IP connection, the server job initially starts running under QUSER.
|
||
|
After the user ID is validated, an exchange occurs so that the job then runs
|
||
|
under the user profile specified on the connection request. The job inherits
|
||
|
the attributes (for example, the library list) of that user profile.</p>
|
||
|
<p>When
|
||
|
the value *OBJAUT is specified, it indicates that no further verification
|
||
|
(beyond <span class="keyword">iSeries</span> object level
|
||
|
security) is needed.</p>
|
||
|
</li>
|
||
|
<li>For DDM jobs, if the name of an optional, user-supplied user exit program
|
||
|
(or access control program) is specified on the DDMACC parameter, an additional
|
||
|
level of security is used. The user exit program can be used to control whether
|
||
|
a user of a DDM client can use a specific command to access a specific file
|
||
|
on the iSeries server.
|
||
|
<p>For DRDA jobs,
|
||
|
if the name of an optional, user-supplied user exit program (access control
|
||
|
program) is specified on the DDMACC parameter, the system treats the entry
|
||
|
as though *OBJAUT were specified, with one exception. The only effect that
|
||
|
a user-written exit program can have on a DRDA job is to reject a connection request. </p>
|
||
|
</li>
|
||
|
</ul>
|
||
|
<p>The DDMACC parameter, initially set to *OBJAUT, can be changed to one of
|
||
|
the previously described values by using the <span class="cmdname">Change Network Attributes
|
||
|
(CHGNETA)</span> command, and its current value can be displayed by the <span class="cmdname">Display
|
||
|
Network Attributes (DSPNETA)</span> command. You can also get the value
|
||
|
in a CL program by using the <span class="cmdname">Retrieve Network Attributes (RTVNETA)</span> command.</p>
|
||
|
<p>If the DDMACC parameter value is changed, although it takes effect immediately,
|
||
|
it affects only <em>new</em> distributed relational database jobs started on
|
||
|
this system (as the AS). Jobs running on this AS before the change was made
|
||
|
continue to use the old value.</p>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1secure.htm" title="The iSeries server has security elements built into the operating system to limit access to the data resources of an application server. Security options range from simple physical security to full password security coupled with authorization to commands and data objects.">Security</a></div>
|
||
|
</div>
|
||
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="../books/sc415406.pdf " target="_blank">Communications Management PDF</a></div>
|
||
|
<div><a href="rbal1exitpgms.htm" title="A security feature of the Distributed Relational Database Architecture (DRDA) server, for use with both Advanced Program-to-Program Communication (APPC) and TCP/IP, extends the use of the DDMACC parameter of the Change Network Attributes (CHGNETA) command to DRDA.">DRDA server access control exit programs</a></div>
|
||
|
</div>
|
||
|
<div class="relref"><strong>Related reference</strong><br />
|
||
|
<div><a href="../cl/chgneta.htm">Change Network Attributes (CHGNETA) command</a></div>
|
||
|
<div><a href="../cl/dspneta.htm">Display Network Attributes (DSPNETA) command</a></div>
|
||
|
<div><a href="../cl/rtvneta.htm">Retrieve Network Attributes (RTVNETA) command</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|