
Articles on Apis

APIs by Example

Written by Carsten Flensburg, August 25, 2005 (updated August 26, 2017)

APIs by Example: User Function Registration APIs, Part 2

This week I will continue coverage of the User Function Registration APIs. You’ll get more information about the APIs and two new commands that you can call from your CL programs or the command line to add and retrieve User Function usage for a user profile. Also included are some comments and insight into the design and concepts of the User Function Registration APIs provided by Patrick Botz, who is a Senior Technical Staff Member with the eServer Security Architecture & Consulting team of IBM’s Client Technology Center in Rochester.

In part one of this article, I took care to point out that the User Function APIs by themselves offer no protection against access to resources outside of the application(s) that implement the User Function check. This is, of course, correct and worth keeping in mind. Admittedly, I didn’t go into detail about how the User Function APIs still provide an effective authorization facility once that caveat is taken into account.

This prompted the following response from Patrick Botz, who emphasized that the User Function APIs were not designed to protect access to unprotected objects, but were rather created to provide the equivalent of Application Defined Special Authority/Privileges. Patrick illustrated this point with the following example:

“Consider a large application. All users must be allowed to use the application programs. However, some programs in the application provide multiple application functions. For example, a program provides the option to create a report of customer credit card balances with and without credit card numbers.

All authorized application users should be allowed to see the report without the credit card numbers, but only a few are allowed to see the reports with the credit card numbers.

No user is authorized to the database files that contain the information. The program adopts enough authority to access the database files. The application programmer can choose to create an application specific function/special authority by using the function usage APIs.

The programmer can design the application to check if the requested user is allowed access to the “CREDIT CARD NUMBER” function. Only if she or he does will the application produce the report with the sensitive data. A user can only see the sensitive data if they:

  1. Are authorized to the application; and
  2. Are allowed CREDIT CARD NUMBER functional usage (i.e. have CREDIT CARD NUMBER special authority).

This is essentially the same as existing commands and APIs that require access to the resource and *JOBCTL. In other words, the function acts the same way as a special authority.”
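The two-gate pattern in the example above (object authority to the application first, then an application-defined function check before sensitive data is revealed) can be modelled in a few lines. The following Python is an added illustration, not IBM’s QSY* function registration APIs, the article’s commands, or any code from the save file; the registry class, the function id “CREDIT CARD NUMBER”, the user names and the customer rows are all constructed for the example. The *ALLOWED/*DENIED default with per-user overrides is an assumed model of how function usage is administered, not something the article states.

```python
"""Model of application-defined special authority via function usage.

Added example, not IBM's QSY* APIs or the article's own code.  The
registry, the users and the rows are constructed.  The default-plus-
override usage model is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOWED, DENIED = "*ALLOWED", "*DENIED"


@dataclass
class FunctionRegistry:
    # function id -> default usage (*ALLOWED or *DENIED)
    defaults: Dict[str, str] = field(default_factory=dict)
    # function id -> {user profile -> usage override}
    overrides: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def register(self, function_id: str, default: str = DENIED) -> None:
        self.defaults[function_id] = default
        self.overrides.setdefault(function_id, {})

    def change_usage(self, function_id: str, user: str, usage: str) -> None:
        if function_id not in self.defaults:
            raise KeyError(f"function {function_id!r} is not registered")
        self.overrides[function_id][user] = usage

    def check_usage(self, function_id: str, user: str) -> bool:
        """Gate 2: the application-defined special authority.

        Fails closed: an unregistered function is never allowed.
        """
        if function_id not in self.defaults:
            return False
        usage = self.overrides[function_id].get(user, self.defaults[function_id])
        return usage == ALLOWED


# Constructed sample data.  APPLICATION_USERS stands in for *USE authority
# to the application programs; CUSTOMER_BALANCES stands in for the database
# file that only the adopting program can read.
APPLICATION_USERS = {"ALICE", "BOB"}
CUSTOMER_BALANCES: List[Tuple[str, str, float]] = [
    ("Jane Doe", "4111111111111111", 120.50),
    ("John Roe", "5500000000000004", 980.00),
]


def mask_card(number: str) -> str:
    """Keep only the last four digits of a card number."""
    return "*" * (len(number) - 4) + number[-4:]


def credit_report(registry: FunctionRegistry, user: str):
    # Gate 1: is the user authorized to the application at all?
    if user not in APPLICATION_USERS:
        raise PermissionError(f"{user} is not authorized to the application")
    # Gate 2: the function check.  The program reads the file under adopted
    # authority either way; usage only decides whether the sensitive column
    # is revealed or masked.
    show_numbers = registry.check_usage("CREDIT CARD NUMBER", user)
    return [
        (name, card if show_numbers else mask_card(card), balance)
        for name, card, balance in CUSTOMER_BALANCES
    ]


def build_demo_registry() -> FunctionRegistry:
    """Register the function denied by default and allow it for ALICE only."""
    reg = FunctionRegistry()
    reg.register("CREDIT CARD NUMBER", default=DENIED)
    reg.change_usage("CREDIT CARD NUMBER", "ALICE", ALLOWED)
    # EVE gets the function but has no authority to the application, so
    # gate 1 still stops her: function usage is not a substitute for it.
    reg.change_usage("CREDIT CARD NUMBER", "EVE", ALLOWED)
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    for u in ("ALICE", "BOB"):
        print(u, credit_report(reg, u))
```

Running the block prints the full card numbers for ALICE, the masked numbers for BOB, and EVE (function allowed but not authorized to the application) is rejected before the file is ever read, which is the point of the two separate conditions.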

Thanks to Patrick Botz for taking the time to provide background and perspective on the User Function APIs. In the next API by Example column, I will present a sample application based on the methodology described above.

Download the save file containing the source code.

Read the entire article

Posted in Security, Systems management, User profile.
