
Field Level Security

Troubleshooting


Problem

This document provides information about how to implement field or column level security on the IBM® System i™ products.

Resolving The Problem

How can someone implement field level security?

To implement field level security, use one of the following methods:

• Use the SQL GRANT/REVOKE statements to control column-level privileges for SELECT, INSERT, UPDATE, and so on. However, this might not prevent users from reading the data in a file (for example, the salary field in an Employee file). This is documented in the SQL Reference, Statements chapter, under the GRANT (Table Privileges) statement.
• Use logical files. With the EDTOBJAUT command, give the users who must not see the physical file Read and Execute data authorities and no object authority on it. Then create a logical file that shows only the fields they are allowed to see. This is described in the Database Programming manual, Securing a Database chapter, in the section Using Data Authorities to Grant Users Access to Physical and Logical Files.
• Use SQL Row and Column Access Control (RCAC), available at release 7.2 (R720) and later.

For example, a department manager must be authorized to the rate information for his own employees but not for all of the employees in the company. The employees of the department need access to the data in the file with the exception of the rate field. The company president needs access to the rates for every employee.

Field level security could be implemented using the following logical files:

1. Logical A does not include the rate, and all employees are authorized to this logical file.
2. Logical B includes the rate only for the employees of a selected department. The department manager is authorized to it.
3. Logical C includes the rate for every employee and is authorized to the company president.

Note that if object operational authority (*OBJOPR) is not granted to a user for a file, the user cannot open the file. The physical file should not grant *OBJOPR authority to the users who have access only through a logical file; otherwise they could open the physical file directly and bypass the logical file. For further information, refer to Execute Authority in the Database Programming manual, Securing a Database section.
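The following SQL is an added example and is not part of the technote. It shows the same three-level scheme on IBM i 7.2 or later: a view without the rate column that everyone may read (the SQL counterpart of Logical A), and RCAC on the base table that gives each department manager his own department's rates and the president every rate (Logicals B and C). The schema HRLIB, the table and column names, and the group profiles PRESIDENT and MGRnnn are assumptions.

```sql
-- Added example (not from the technote). DB2 for i, release 7.2 or later.
-- HRLIB, EMPLOYEE, the MGRnnn group profiles and PRESIDENT are assumptions.
-- Creating permissions and masks requires QIBM_DB_SECADM function usage.

CREATE TABLE HRLIB.EMPLOYEE (
  EMPNO  CHAR(6)      NOT NULL PRIMARY KEY,
  NAME   VARCHAR(40)  NOT NULL,
  DEPT   CHAR(3)      NOT NULL,
  RATE   DECIMAL(9,2)           -- sensitive pay rate; nullable so it can be masked
);

-- Step 1: nobody may read the base table by default. This is the SQL
-- counterpart of removing *OBJOPR on the physical file with EDTOBJAUT.
REVOKE ALL ON TABLE HRLIB.EMPLOYEE FROM PUBLIC;

-- Step 2: "Logical A" - a view without RATE, readable by every employee.
-- SELECT is a table-level privilege on IBM i, so a view (or a logical
-- file) is what actually hides the column from readers.
CREATE VIEW HRLIB.EMP_NORATE AS
  SELECT EMPNO, NAME, DEPT FROM HRLIB.EMPLOYEE;
GRANT SELECT ON HRLIB.EMP_NORATE TO PUBLIC;

-- Step 3: "Logical B" and "Logical C" with RCAC. Managers and the president
-- get SELECT on the base table; RCAC decides which rows and values they see.
-- Group profile MGRnnn is assumed to exist for each department nnn.
GRANT SELECT ON TABLE HRLIB.EMPLOYEE TO PRESIDENT, MGR010, MGR020;

-- Row permission: the president sees all rows, a manager only his department.
CREATE PERMISSION HRLIB.EMP_ROWS ON HRLIB.EMPLOYEE
  FOR ROWS WHERE
    QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'PRESIDENT') = 1
    OR QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR' CONCAT DEPT) = 1
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: RATE is returned only to the president or to the department's
-- own manager; every other reader gets NULL instead of the value.
CREATE MASK HRLIB.RATE_MASK ON HRLIB.EMPLOYEE
  FOR COLUMN RATE RETURN
    CASE
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'PRESIDENT') = 1 THEN RATE
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR' CONCAT DEPT) = 1 THEN RATE
      ELSE NULL
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
ALTER TABLE HRLIB.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE HRLIB.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
```

To check the result, run SELECT EMPNO, DEPT, RATE FROM HRLIB.EMPLOYEE under a manager profile and under the president: the manager should see only his department's rows with rates, and the president every row.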


Historical Number

6501248

Document Information

Modified date:
18 December 2019

UID

nas8N1010702