ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvifsqsyslib.htm

85 lines
5.4 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Restrict access to the QSYS.LIB file system" />
<meta name="abstract" content="You can use this information to restrict access to the QSYS.LIB file system." />
<meta name="description" content="You can use this information to restrict access to the QSYS.LIB file system." />
<meta name="DC.Relation" scheme="URI" content="rzamvplanifssec.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="ifsqsyslib" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Restrict access to the QSYS.LIB file system</title>
</head>
<body id="ifsqsyslib"><a name="ifsqsyslib"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Restrict access to the QSYS.LIB file system</h1>
<div><p>You can use this information to restrict access to the QSYS.LIB
file system.</p>
<p>Because the root file system is the umbrella file system,
the QSYS.LIB file system appears as a subdirectory within the root directory.
Therefore, any PC user with access to your server can manipulate objects stored
in server libraries (the QSYS.LIB file system) with normal PC commands and
actions. A PC user could, for example, drag a QSYS.LIB object (such as the
library with your critical data files) to the shredder. </p>
<p>The system enforces all object authority whether or not it is visible to
the interface. Therefore, a user cannot shred (delete) an object unless the
user has *OBJEXIST authority to the object. However, if your system depends
on menu access security rather than object security, the PC user might very
well discover objects in the QSYS.LIB file system that are available for shredding.</p>
<p>As you expand the uses of your system and the different methods of access
that you provide, you will soon discover that menu access security is not
sufficient. However, servers also provide a simple way for you to prevent
access to the QSYS.LIB file system through the root file system directory
structure. You can use the QPWFSERVER authorization list to control which
users can access the QSYS.LIB file system through the root directory. </p>
<p>When a users authority to the QPWFSERVER authorization list is *EXCLUDE,
the user cannot enter the QSYS.LIB directory from the root directory structure.
When a users authority is *USE, the user can enter the directory. Once the
user has authority to enter the directory, normal object authority applies
for any action the user attempts to perform on an object within the QSYS.LIB
file system. In other words, the authority to the QPWFSERVER authorization
list acts like a door to the entire QSYS.LIB file system. For the user with
*EXCLUDE authority, the door is locked. For the user with *USE authority (or
any greater authority), the door is open.</p>
<div class="p">For most situations, users do not need to use a directory interface to
access objects in the QSYS.LIB file system. Probably, you will want to set
the public authority to the QPWFSERVER authorization list to *EXCLUDE. Keep
in mind, that authority to the authorization list opens or closes the door
to all libraries within the QSYS.LIB file system, including user libraries.
If you encounter users who object to this exclusion, you can evaluate their
requirements on an individual basis. If appropriate, you can explicitly authorize
an individual user to the authorization list. However, you need to ensure
that the user has appropriate authority to objects within the QSYS.LIB file
system. Otherwise, the user might unintentionally delete objects or entire
libraries.<div class="note"><span class="notetitle">Note:</span> <ol><li>When your system ships, the public authority to the QPWFSERVER authorization
list is *USE.</li>
<li>If you explicitly authorize an individual user, the authorization list
controls access only with iSeries™ Access file serving, NetServer™ file serving and file serving
between servers. This does not prevent access to the same directories via
FTP, ODBC, and other networks.</li>
</ol>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplanifssec.htm" title="The integrated file system provides you with multiple ways to store and view information on the server.">Plan integrated file system security</a></div>
</div>
</div>
</body>
</html>