Object-related security for DRDA
If the System i™ product is an application server (AS), there are two object-related levels at which security can be enforced to control access to its relational database tables.
The DDMACC parameter is used on the Change Network Attributes (CHGNETA) command to indicate whether the tables on this system can be accessed at all by another system and, if so, at which level of security the incoming DRDA® requests are to be checked.
- If *REJECT is specified on the DDMACC parameter, all distributed relational database requests received by the AS are rejected. However, this system, acting as an application requester (AR), can still use SQL requests to access tables on other systems that allow it. No remote system can access a database on any System i environment that specifies *REJECT.
If *REJECT is specified while an SQL request is already in use, all new jobs from any system requesting access to this system's database are rejected and an error message is returned to those jobs; existing jobs are not affected.
- If *OBJAUT is specified on the DDMACC parameter, normal object-level security is used on the AS.
The DDMACC parameter is initially set to *OBJAUT. A value of *OBJAUT allows all remote requests, but they are controlled by the object authorizations on this AS. If the DDMACC value is *OBJAUT, the user profile used for the job must have appropriate object authorizations through private, public, group, or adopted authorities, or the profile must be on an authorization list for objects needed by the AR job. For each SQL object on the system, all users, no users, or only specific users (by user ID) can be authorized to access the object.
The user ID that must be authorized to objects is the user ID of the AS job. See the Elements of DDM security in an APPC network topic for information about what user profile the AS job runs under.
In the case of a TCP/IP connection, the server job initially starts running under QUSER. After the user ID is validated, an exchange occurs so that the job then runs under the user profile specified on the connection request. The job inherits the attributes (for example, the library list) of that user profile.
When the value *OBJAUT is specified, it indicates that no further verification (beyond i5/OS® object-level security) is needed.
- For DDM jobs, if the name of an exit program (or access control program) is specified on the DDMACC parameter, an additional level of security is used. The exit program can be used to control whether a user of a DDM client can use a specific command to access a specific file on the i5/OS operating system.
For DRDA jobs, if the name of an exit program (access control program) is specified on the DDMACC parameter, the system treats the entry as though *OBJAUT were specified, with one exception. The only effect that an exit program can have on a DRDA job is to reject a connection request.
The DDMACC parameter, initially set to *OBJAUT, can be changed to one of the previously described values by using the Change Network Attributes (CHGNETA) command, and its current value can be displayed by the Display Network Attributes (DSPNETA) command. You can also get the value in a CL program by using the Retrieve Network Attributes (RTVNETA) command.
A change to the DDMACC parameter value takes effect immediately, but it affects only new distributed relational database jobs started on this system (as the AS). Jobs that were already running on this AS before the change was made continue to use the old value.
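As an added example (not IBM's own code), the following CL program uses RTVNETA, as described above, to report which DDMACC access control level is in force on this AS. It assumes the DDMACC return variable is CHAR(20), holding the special value *REJECT or *OBJAUT, or a qualified exit program name with the program in positions 1 to 10 and the library in positions 11 to 20.

```cl
/* Added example (not IBM's code): audit the DDMACC network         */
/* attribute from a CL program with RTVNETA and report which DRDA    */
/* access control level this AS currently enforces.                  */
/* Assumption: the DDMACC variable is CHAR(20): *REJECT, *OBJAUT,    */
/* or a qualified exit program (program 1-10, library 11-20).        */
PGM

  DCL VAR(&DDMACC)  TYPE(*CHAR) LEN(20)
  DCL VAR(&EXITPGM) TYPE(*CHAR) LEN(10)
  DCL VAR(&EXITLIB) TYPE(*CHAR) LEN(10)
  DCL VAR(&MSGTXT)  TYPE(*CHAR) LEN(132)

  /* Retrieve the current DDM/DRDA request access attribute. */
  RTVNETA DDMACC(&DDMACC)

  SELECT
    /* No remote system can reach this AS's database at all. */
    WHEN COND(&DDMACC *EQ '*REJECT') THEN(DO)
      CHGVAR VAR(&MSGTXT) VALUE('DDMACC=*REJECT: all incoming DRDA +
             requests are rejected; this system can still act as +
             an AR toward other systems')
      SNDPGMMSG MSG(&MSGTXT) MSGTYPE(*INFO)
    ENDDO

    /* Normal i5/OS object authority governs every request. */
    WHEN COND(&DDMACC *EQ '*OBJAUT') THEN(DO)
      CHGVAR VAR(&MSGTXT) VALUE('DDMACC=*OBJAUT: access is decided +
             by the object authority of the AS job user profile')
      SNDPGMMSG MSG(&MSGTXT) MSGTYPE(*INFO)
    ENDDO

    /* Anything else is an exit (access control) program name. */
    OTHERWISE CMD(DO)
      CHGVAR VAR(&EXITPGM) VALUE(%SST(&DDMACC 1 10))
      CHGVAR VAR(&EXITLIB) VALUE(%SST(&DDMACC 11 10))
      CHGVAR VAR(&MSGTXT) VALUE('DDMACC exit program ' *CAT +
             &EXITLIB *TCAT '/' *CAT &EXITPGM *TCAT ': for DRDA +
             jobs it can only reject connections; object authority +
             still applies')
      SNDPGMMSG MSG(&MSGTXT) MSGTYPE(*INFO)
    ENDDO
  ENDSELECT

  /* To close this AS to remote DRDA requests (new jobs only; jobs  */
  /* already running keep the old value), run: CHGNETA DDMACC(*REJECT) */

ENDPGM
```

Compile it with CRTCLPGM and call it interactively; the informational message describes the level in force, and DSPNETA shows the same DDMACC value.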