Common ODBC strategies that are not secure

 

Avoid some common iSeries Access ODBC security techniques to ensure your environment is secure.

Sometimes system administrators attempt to secure access to the data, rather than securing the data itself. This is extremely risky, as it requires that administrators understand ALL of the methods by which users can access data. Some common ODBC security techniques to avoid are:

 

Command line security

This may be useful for a character-based interface or for 5250 emulation-based applications. However, this method assumes that if you prevent users from entering commands in a 5250 emulation session, they can access data only through the programs and menus that the system administrator provides to them. Therefore, command line security is never truly secure. The use of iSeries Access for Windows policies and Application Administration improve security, and use of object level authority improves it even more.

Potentially, System i Access for Windows policies can restrict ODBC access to a particular data source that might be read only. Application Administration in iSeries Navigator can prevent ODBC access.

For additional information, see the IBM® Security - Reference.

 

User exit programs

A user exit program allows the system administrator to secure an IBM-supplied host server program. The iSeries Access ODBC driver uses the Database host server: exit points QIBM_QZDA_INIT; QIBM_QZDA_NDBx; and QIBM_QZDA_SQLx. Some ODBC drivers and iSeries Access for Windows data access methods (such as OLE DB) may use other host servers.

 

Journals

Journaling often is used with client/server applications to provide commitment control. The journals contain detailed information on every update made to a file that is being journaled. The journal information can be formatted and queried to return specific information, including:

Journaling also allows user-defined journal entries. When used with a user exit program or trigger, this offers a relatively low-overhead method of maintaining user-defined audits. For further information, see the Backup and Recovery.

 

Data Source Name (DSN) restrictions

The iSeries Access ODBC driver supports a DSN setting to give read-only access to the database. The iSeries Access ODBC driver supports a read-only and a read-call data source setting. Although not secure, these settings can assist in preventing inadvertent delete and update operations.

 

Parent topic:

iSeries Access for Windows ODBC security
Related information
iSeries Security - Reference Backup and Recovery