From: Chris Ringer To: All

I need some feedback regarding AS/400 security and how to best implement it. My feeling is that the AS/400 security is too proprietary; if we ever migrate to another system, our object security will be lost during the migration.

Therefore, I've been toying with the idea of building security into my software. I would still set up security as usual in the AS/400, but I would have my program use the Check Object (CHKOBJ) command in a CL program to see if the user has authority to an object. My CL program would be called right away whenever a user attempted to run a program. With this approach, if we ever migrate to another system, I have to change only one program to reinstate my security scheme.

I believe that the AS/400 security checks would still be performed only once since security is not checked until a user accesses an object. Since my program would check the authority, the program would never get to the point of accessing the object if the user did not have authority to it.

I would appreciate all comments.

From: Carol Smith To: Chris Ringer

We are using a security program like the one you are talking about. We have a file set up with the name of the user and the programs he is allowed to run. If we have a user who needs access to everything, we set him up with one record with a special code in the program field. The program bypasses security checking for that person.

We pass the name of the program back to the user in a message that says the program is not available. When the user can't get into the program, he can tell us which program name to set up.

It did get a little tiresome with so many requests for access to programs.

Now we are using a program that stores each user's menu in a database file. The security program worked fine though. You might think about setting up something with group profiles instead of individual user profiles. You can retrieve the group profile with the Retrieve User Profile (RTVUSRPRF) command.