This is a little belated; but here is a simple CL example of an ODBC
exit point program that disallows certain users; it is relatively easy
to modify to do other items as well.

http://www.geocities.com/alex_nubla/extdbse.txt

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
John_Bresina@xxxxxxxxxxxxxxx
Sent: Friday, September 15, 2006 3:37 PM
To: Midrange Systems Technical Discussion
Subject: Re: ODBC Security

Does anyone have an example of an exit program for ODBC.  I am not a
programmer so I wouldn't want to try to write one.  We have an audit
requirement to secure ODBC by the end of October on our production
partitions.

John Bresina Jr
Sr Server Engineer - Midrange Team
Allianz Life of North America
5701 Golden Hills Drive
Minneapolis, Mn 55416
763 582 6761


 

             rob@xxxxxxxxx

             Sent by:

             midrange-l-bounce
To 
             s@xxxxxxxxxxxx            Midrange Systems Technical

                                       Discussion

                                       <midrange-l@xxxxxxxxxxxx>

             09/15/2006 02:26
cc 
             PM

 
Subject 
                                       Re: ODBC Security

             Please respond to

             Midrange Systems

                 Technical

                Discussion

             <midrange-l@midra

                 nge.com>

 

 





Rather a recent discussion on the security list.  Searching the recent
archives might give some good insight.

Defense in depth is always the best strategy.

First, and strongest wall, should always be object authority.  Now, some
people secure everyone out of an object.  And then the only way to
access a file was via programs that adopted authority.  Knew a fellow
who did this for a company that made body parts for humans.  Like
artificial knees.  If you do this then the only way they can use ODBC is
if you copy the data to a different file that is opened for read.
Leaving all your files for read might not be a good idea.  For example
if your programs secure who can read certain fields.  For example if
your employee file has salary information in there with name and address
and certain people can look up address but only certain other people can
look up salary and that is all program restricted.  Now accessing that
file via odbc blasts by that.  Workaround, break the file apart which
some vendors do.  Or use column level security.  Nice theory but I've
not seen people use this in practice yet.  Has anyone?  Supported by
DB2.
Oh and as far as the "download file", our users quickly figured out that
they could query most any file they wanted to and overwrite the download
file and download that.

Next wall may be exit points.  Let's say your application vendor is from
the stone age.  And he requires the files to be *ALL for all users
accessing the files.  Now, you can use an exit point to restrict who can
download what data from what file.  For example I can secure Sally from
downloading from the logical that has both name and salary information
in it, but let Susie get both.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





fbocch2595@xxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
09/15/2006 01:59 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
midrange-l@xxxxxxxxxxxx
cc

Subject
ODBC Security






I wanted to get some info on the risks to giving AS400 users authority
to use ODBC.

If object authority is *use ODBC s/b ok for AS400 users to use...right?

If they have *change to AS400 objects then ODBC is not good because they
can upload data or change it via file transfer or ODBC...right?

Using an exit pgm will restrict all users except ONLY those alllowed by
the exit...which makes it the best way to secure ODBC...is that right?

Thanks for any info

Frank
________________________________________________________________________
Check out the new AOL.  Most comprehensive set of free safety and
security tools, free access to millions of high-quality videos from
across the web, free AOL Mail and more.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.




-----------------------------------------
CONFIDENTIALITY NOTICE:  The information in this message, and any files
transmitted with it, is confidential, may be legally privileged, and
intended only for the use of the individual(s) named above.  Be aware
that the use of any confidential or personal information may be
restricted by state and federal privacy laws.
If you are not the intended recipient, do not further disseminate this
message.  If this message was received in error, please notify the
sender and delete it.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.