Consider the following ODBC program security strategies.
System administrators often need to limit access to particular files, to a certain program, or to sets of programs. A programmer using the character-based interface would set restrictions by using program-adopted authority. A similar method can be used with ODBC.
Stored procedures allow ODBC programmers to implement program-adopted authority. The programmer may not want users to be able to manipulate database files by using desktop applications such as Microsoft® Access or Lotus® 1-2-3®. Instead, the programmer may want to limit database updates to only the programmer's application. To implement this, user access to the database must be restricted with object-level security or with user exit programs. The application must be written to send data requests to the stored procedure and have the stored procedure update the database.
ODBC has greatly eased the accessibility of iSeries™ data. One negative impact has been that users may accidentally create very CPU-intensive queries without realizing it. ODBC runs at an interactive job priority and this can severely affect system performance. The iSeries supports a query governor. ODBC can invoke the query governor (for example, through the PC application) in a stored procedure call. Or the ODBC APIs can invoke the governor by way of the query time-out parameter. Also, a user exit program can force the query governor on the ODBC job. The time limit is specified on the QRYTIMLMT parameter of the CHGQRYA CL command. The query options file (QAQQINI) can also be used to set the value.
The SQL Reference book contains additional information. View an HTML online version of the book, or print a PDF version, from the DB2 Universal Database™ for iSeries SQL Reference.
Also see Host server administration for more information.
Several logs can be used to monitor security. QHST, the History Log, contains messages that relate to security changes that are made to the system. For detailed monitoring of security-related functions, QAUDJRN can be enabled. The *SECURITY value logs the following functions:
For additional information, see the IBM® Security - Reference.