Would you agree that if the broker is run on the client, the security
offered by the broker can be circumvented? Since the broker has full access
to the database, it has to use a user/password that is granted full access.
That user and password is by necessity stored on the same machine as the
broker (i.e. the client), so the user on the client would also have access
to that.
If I am mistaken about this, then I would really like to know how you have
plugged that security hole. I would be interested in using that technique
myself.
-----Original Message-----
From: Jay Grubb
[mailto:db2udbdba-ezmlmshield-x57542080.[Email address protected]
Sent: Tuesday, March 29, 2005 12:01 PM
To: LazyDBA Discussion
Subject: RE: MS Access and DB2
The broker can run on any system that supports the DB2 Native client.
Frequently it is installed on the DB Server. This allows the client systems
freedom from installing/configuring DB2 client, which can ease
administrative pain. The Broker can also host all the config information,
and the Windows and Mac client drivers have the ability to browse the
network for brokers and connections, with preconfigured settings.
Jay Grubb
Technical Consultant
OpenLink Software
Web: http://www.openlinksw.com:
Product Weblogs:
Virtuoso: http://www.openlinksw.com/weblogs/virtuoso
UDA: http://www.openlinksw.com/weblogs/uda
Universal Data Access & Virtual Database Technology Providers
-----Original Message-----
From: Vanderhoof Tzadik
[mailto:db2udbdba-ezmlmshield-x25749910.[Email address protected]
Sent: Tuesday, March 29, 2005 10:12 AM
To: LazyDBA Discussion
Subject: RE: MS Access and DB2
Where is your request broker running, on the client or on the server? If it
runs on the client, then it seems that the user could bypass it.
-----Original Message-----
From: Jay Grubb
[mailto:db2udbdba-ezmlmshield-x18827277.[Email address protected]
Sent: Thursday, March 24, 2005 6:15 PM
To: LazyDBA Discussion
Subject: RE: MS Access and DB2
There is a way, without re-doing your current apps and permissions.
Apologies for the evangelizing, but I have an idea. My company has a
solution that can solve this issue. We have a Multi-Tier ODBC solution that
can do 2 things:
1) Have them connect to DB/2 from their desktop apps using ODBC through a
request broker that has a rules engine. The rules engine can enforce
read-only connections to the db's based on the username, the originating IP
address, the calling program, etc. Check out section 7.3.6.5. on this
page.
http://docs.openlinksw.com/mt/oplsessadminconf.html#adass4cr8tingrules
It shows creating a rule that enforces read-only to MS Access. This means
you don't need to change user access rules that might affect your current
apps. So, if you have users authenticate with a password in a custom app you
designed, they can still modify the data. The same username would not be
able to modify with Access, Excel, etc., if you decide to not let them. It
would still have the same privileges, but the middleware would reject the
modifications.
2) Give users ODBC access to DB/2 (and other db's) without requiring DB/2
to be installed at the desktop.
We have free demos for download.
Jay Grubb
Technical Consultant
OpenLink Software
Web: http://www.openlinksw.com:
Product Weblogs:
Virtuoso: http://www.openlinksw.com/weblogs/virtuoso
UDA: http://www.openlinksw.com/weblogs/uda
Universal Data Access & Virtual Database Technology Providers
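
The rule behaviour described in the message above (same username, read-only through MS Access, read-write through a custom app), as an added Python sketch that is not part of the original e-mail and is not OpenLink's rule syntax or code. The rule fields, the sample rule book, the addresses and the program names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    client_ip: str    # taken by the broker from the network connection
    application: str  # assumption: program name reported by the client driver

@dataclass(frozen=True)
class Rule:
    user: str         # "*" matches any user
    network: str      # CIDR range the client address must fall in
    application: str  # "*" or a lower-case program name
    read_only: bool

# Constructed rule book: first match wins, no match means no connection.
RULES = [
    Rule("*", "0.0.0.0/0", "msaccess.exe", True),
    Rule("*", "0.0.0.0/0", "excel.exe", True),
    Rule("*", "10.1.0.0/16", "orders.exe", False),
]

# Simplified write detection for this demo: leading SQL keyword only.
WRITE = re.compile(r"^\s*(insert|update|delete|merge|create|alter|drop|grant|revoke)\b", re.I)

def session_mode(s: Session) -> str:
    """Return 'read-only', 'read-write' or 'reject' for a connection attempt."""
    ip = ipaddress.ip_address(s.client_ip)
    for r in RULES:
        if (r.user in ("*", s.user)
                and ip in ipaddress.ip_network(r.network)
                and r.application in ("*", s.application.lower())):
            return "read-only" if r.read_only else "read-write"
    return "reject"

def admit(s: Session, sql: str) -> bool:
    """Decide whether the broker forwards this statement to the database."""
    mode = session_mode(s)
    if mode == "reject":
        return False
    return not (mode == "read-only" and WRITE.match(sql))

if __name__ == "__main__":
    custom = Session("alice", "10.1.5.20", "orders.exe")
    access = Session("alice", "10.1.5.20", "MSACCESS.EXE")
    for s in (custom, access):
        print(s.application, session_mode(s), admit(s, "UPDATE orders SET qty = 1"))
```

The decision binds only connections that pass through the broker, which is why the replies in this thread ask where the broker runs.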
-----Original Message-----
From: Anthony Schmidt [mailto:db2udbdba-ezmlmshield-x72007784.[Email address
protected]
Sent: Thursday, March 24, 2005 5:46 PM
To: LazyDBA Discussion
Subject: MS Access and DB2
How do you protect your DB2 database from users who have tools like MS
Access?
Another way to ask this question is -
How can you prevent users from writing their own applications that can
Insert, Delete, Update, etc. in the database?
These users have the DB2 runtime client to run applications I've written,
but since DB2 security is based at the network OS level, there doesn't
appear to be a way to really protect the database.
I've only provided them with OLEDB connectivity, and for now it appears
that MS Access doesn't support that on DB2, so that's a stopgap measure
for now. But I'll bet MS Access will support DB2 on OLEDB in some future
release.
Tony
==============================
Anthony Schmidt
President
The Computery Ltd.
One East Main Street
Bay Shore, NY 11706
631-665-8100 Voice
631-969-5988 Fax
http://www.computeryltd.com
---------------------------------------------------------------------
PLEASE CLICK REPLY-ALL TO SEND A REPLY TO EVERYONE
website: http://www.LazyDBA.com
To unsubscribe: http://www.lazydba.com/unsubscribe.html