J
johngood
Guest
Hi. I revoked access to SYSPACKAGE and granted select for SYSPACKSTMT. Running the test program, I'm able to run the query without any errors, and it runs quickly with no delays as before when the user was granted bind-add/create in and the packages were getting rebound on every call. I check of the timestamp on the packages confirms that they were not rebound. I then dropped the packages, re-ran the test app which failed due to bind permission (expected). Then I ran /opt/SDAP712/bin/bind27 'DB2 Wire Protocol' which successfully rebound the packages . After that the test app worked. So in addition to confirming the bind JCL and the bind27 utility bind the packages in a manner suitable for running the test application, (seems) to confirm that select access to SYSPACKSTMT for the connecting user is sufficient . I'm going to have to run this on a different system to make sure I didn't miss any permissions. Documentation On the topic of documentation, I curious where the SYSPACKSTMT access requirement is document, or should be documented. I couldn't find it in your doc. Security Thinking in terms of security, I expect that some DBADMs would not want to grant users access to SYSPACKSTMT . It could be considered a security vulnerability as it gives the users access to all of the statements in the packages bound in the database. Do you know if this has ever been a concern? Has development considered just trying open the package, and if it fails, confirm via the error code that the package doesn't exist? Having said that, I'm not sure what the IBM CLI packages did... Regards, John Goodyear z Systems Analytics zChampion WSC z Systems Applied Technologies Herndon, VA "Brian Derwart" ---07/16/2018 02:40:30 PM---Update from Progress Community [ INVALID URI REMOVED
Continue reading...
Continue reading...