Object-related security

If the IBM® i product is a server system, there are two object-related levels at which security can be enforced to control access to its relational database tables.

The DDMACC parameter is used on the Change Network Attributes (CHGNETA) command to indicate whether the tables on this system can be accessed at all by another system and, if so, at which level of security the incoming DRDA requests are to be checked.

  • If *REJECT is specified on the DDMACC parameter, all distributed relational database requests received by the server are rejected. However, this system (as a client) can still use SQL requests to access tables on other systems that allow it. No remote system can access a database on any IBM i environment that specifies *REJECT.

    If *REJECT is specified while an SQL request is already in use, all new jobs from any system requesting access to this system's database are rejected and an error message is returned to those jobs; existing jobs are not affected.

  • If *OBJAUT is specified on the DDMACC parameter, normal object-level security is used on the server.

    The DDMACC parameter is initially set to *OBJAUT. A value of *OBJAUT allows all remote requests, but they are controlled by the object authorizations on this server. If the DDMACC value is *OBJAUT, the user profile used for the job must have appropriate object authorizations through private, public, group, or adopted authorities, or the profile must be on an authorization list for objects needed by the client job. For each SQL object on the system, all users, no users, or only specific users (by user ID) can be authorized to access the object.

    The user ID that must be authorized to objects is the user ID of the server job. See the Elements of security in an APPC network topic for information about what user profile the server job runs under.

    In the case of a TCP/IP connection, the server job initially starts running under QUSER. After the user ID is validated, an exchange occurs so that the job then runs under the user profile specified on the connection request. The job inherits the attributes (for example, the library list) of that user profile.

    When the value *OBJAUT is specified, it indicates that no further verification (beyond IBM i object-level security) is needed.

  • For DDM jobs, if the name of an exit program (or access control program) is specified on the DDMACC parameter, an additional level of security is used. The exit program can be used to control whether a user of a DDM client can use a specific command to access a specific file on the IBM i operating system.

    For DRDA jobs, if the name of an exit program (access control program) is specified on the DDMACC parameter, the system treats the entry as though *OBJAUT were specified, with one exception. The only effect that an exit program can have on a DRDA job is to reject a connection request.

The DDMACC parameter, initially set to *OBJAUT, can be changed to one of the previously described values by using the Change Network Attributes (CHGNETA) command, and its current value can be displayed by the Display Network Attributes (DSPNETA) command. You can also get the value in a CL program by using the Retrieve Network Attributes (RTVNETA) command.
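As an added example that is not part of the IBM documentation, the following CL program retrieves the current DDMACC value with RTVNETA, reports which of the three modes described above is in effect, and ends with an escape message when the value differs from an assumed site standard (here *OBJAUT). It assumes RTVNETA returns DDMACC into a 10-character variable and that the program is run by an audit or scheduler job that treats an escape message as a finding.

```cl
/* Added example (not IBM's code): report the DDMACC network attribute  */
/* and fail if it differs from the site's expected value.               */
             PGM
             DCL        VAR(&DDMACC)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSG)      TYPE(*CHAR) LEN(132)
             /* Assumed site standard; *REJECT would be the stricter choice */
             DCL        VAR(&EXPECTED) TYPE(*CHAR) LEN(10) VALUE('*OBJAUT')

             /* Same value DSPNETA shows; assumed to be returned as CHAR(10) */
             RTVNETA    DDMACC(&DDMACC)

             SELECT
             WHEN       COND(&DDMACC *EQ '*REJECT') THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('DDMACC=*REJECT: all incoming +
                           DRDA/DDM requests are rejected')
             ENDDO
             WHEN       COND(&DDMACC *EQ '*OBJAUT') THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('DDMACC=*OBJAUT: object authority +
                           of the server job user profile controls access')
             ENDDO
             OTHERWISE  CMD(DO)
                /* Any other value is the name of an exit program */
                CHGVAR     VAR(&MSG) VALUE('DDMACC exit program ' *CAT +
                           &DDMACC *TCAT ': filters DDM commands; for DRDA +
                           it can only reject the connection')
             ENDDO
             ENDSELECT
             SNDPGMMSG  MSG(&MSG) MSGTYPE(*INFO)

             /* Escape so a scheduler or audit job sees the drift */
             IF         COND(&DDMACC *NE &EXPECTED) THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('DDMACC is ' *CAT &DDMACC *TCAT +
                           ' but expected ' *CAT &EXPECTED)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                           MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

Because a change made with CHGNETA affects only new server jobs, run the check after the change rather than assuming jobs already connected follow the new value.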

If the DDMACC parameter value is changed, although it takes effect immediately, it affects only new distributed relational database jobs started on this system (as the server). Jobs running on this server before the change was made continue to use the old value.