Electronic Consultant

Kbase 21558: Progress/400 DataServer User Security
Author   Progress Software Corporation - Progress
Access   Public
Publication   04/06/2004
Status: Verified

GOAL:

User authorities or privileges required for the Progress/400 DataServer on the AS/400

GOAL:

How to regulate user authorities or privileges so that physical files on the AS/400 cannot be modified or accessed through a 5250 terminal emulator, while users still hold the rights necessary to run a Progress application against the DB2/400 database?

FACT(s) (Environment):

Progress/400 DataServer

FIX:

It is often required that application security be consistent with the operating system authorizations. System users whose access is limited by a Progress application should not be able to do much more when they work "natively" on the AS/400.

By default the owner of the Progress DataServer programs is QSECOFR, or the profile used for the product installation (this profile is usually required to have QSECOFR authorities). Authority checking while a program runs on the AS/400 is governed by the program's USRPRF attribute, which is *USER by default; it determines which profile's authority is used to decide whether the program may access an object. With the default setting, access to database objects therefore depends entirely on whether the user running the program holds the appropriate rights. Every remote client connecting to the Progress broker on the AS/400 must supply valid profile information (user and password), and that profile is then used to validate the spawned PROSERVE job's authority to objects.

Sometimes an application user must update or change AS/400 files through a Progress 4GL application, yet the same user should not be able to reach those objects with AS/400 commands such as DSPPFM. Changing the USRPRF attribute of the Progress/400 DataServer programs provides the solution.

If the USRPRF attribute of the programs is changed from *USER to *OWNER, the jobs run with the authority of the user plus that of the program's owner (adopted authority). Thus, provided that the program's owner has authority to the OS/400 files and *PUBLIC is set to *EXCLUDE, the user can reach these files only through a PROSERVE job (the Progress application) and never through a "normal" sign-on.

The commands to use are:

1) CHGPGM PGM(INS_Library/*ALL) USRPRF(*OWNER)

2) GRTOBJAUT OBJ(DD_Library/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

INS_Library is the library in which the Progress/400 DataServer has been installed. DD_Library is the location of the database files, the Data Dictionary library.
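The two steps above as an added CL example (not part of the original Kbase), followed by the OS/400 commands an administrator would use to confirm the change and to audit which programs adopt the owner's authority. The library names INSLIB and DDLIB, the program name PGMNAME and the file name CUSTOMER are constructed placeholders standing in for INS_Library, DD_Library and real object names.

```cl
/* Step 1: make every DataServer program in the install library run with   */
/* adopted owner authority instead of the caller's authority alone.        */
CHGPGM     PGM(INSLIB/*ALL) USRPRF(*OWNER)

/* Step 2: exclude the public from the database files, so a native         */
/* sign-on user (DSPPFM, DFU, interactive SQL) is refused unless a         */
/* private authority has been granted explicitly.                          */
GRTOBJAUT  OBJ(DDLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* Check 1: the program attributes should now show                         */
/*   User profile . . . . . . . . . . :   *OWNER                           */
/* PGMNAME is a placeholder for one of the DataServer programs.            */
DSPPGM     PGM(INSLIB/PGMNAME)

/* Check 2: the authority display for a data file should list *PUBLIC      */
/* with *EXCLUDE and the owning profile with full authority.               */
DSPOBJAUT  OBJ(DDLIB/CUSTOMER) OBJTYPE(*FILE)

/* Audit: list every program that adopts the owner profile's authority.    */
/* With the default owner QSECOFR each listed program adopts *ALLOBJ, so   */
/* this list deserves periodic review; a dedicated owner profile that      */
/* holds only the authority the DataServer needs limits what is adopted.   */
DSPPGMADP  USRPRF(QSECOFR)
```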