DDM Security
Overview
DDM stands for Distributed Data Management and provides a simple means for accessing and updating data on a target IBMi system using programs running on a local IBMi system. MDCMS, for example, uses DDM for synchronizing Project and Workflow information as well as for tracking object migrations across systems.
If DDM is allowed to be used without sufficient security measures in place, then a significant risk exists that data could be read and manipulated by otherwise unauthorized persons. The DDM Security feature of MDSEC can be used to exclude unauthorized users as well as to manage which Data objects may be accessed or manipulated via DDM.
General Configuration
Option 5 from MDSEC Menu: DDM Security.
Configuration Options
DDM Filter
| Value | Description |
|---|---|
| 1 | The MDSEC DDM filter program is used as the exit point program for the DDM listener. (Network Attribute DDMACC = MDSEC/MDLDDMF) |
| 2 | No filtering is performed (Network Attribute DDMACC = *OBJAUT) |
| 3 | DDM completely blocked (Network Attribute DDMACC = *REJECT) |
| 4 | Another program is used as the exit point program for the DDM listener. Displayed for informational purposes only and cannot be selected. |
When option 1 (MDSEC DDM) is used, the following additional parameters are available:
Log DDM Usage
Y – DDM transactions will be logged to file MDSEC/SCDLOG.
N – DDM transactions will not be logged.
Include MDCMS in Log
Y – DDM transactions for files in MDCMS* or MDXREF* will be included in the log.
N – those transactions will not be included.
Allow Remote Commands
Y – Commands sent from a remote system via DDM are allowed.
N – Not allowed.
Allow DRDA (SQL)
Y – Remote SQL clients using Application Requester Driver (ARD) programs are allowed access to the local database.
N – Not allowed.
Function Keys
F3=Exit
Return to previous panel
F7=Data Filters
Manage the list of Database objects that can be accessed using DDM.
Library
The name of a library on the local system.
Object
The name of an object within the library or *ALL to indicate the default allowed usage for any objects in the library that are not specifically defined in the list.
For example: ALIB/*ALL *UPDATE could be defined to allow updates to all data objects in library ALIB. A second entry of ALIB/AFILE *EXCLUDE could be defined to exclude file AFILE specifically.
Usage
| Value | Description |
|---|---|
| *INPUT | A DDM transaction may only view the data. Updates are not allowed. |
| *UPDATE | DDM transactions may view or update the data. |
| *EXCLUDE | DDM transactions are not allowed. |
F9=User Filters
Manage the list of local User Profiles that may be used to connect to the Database using DDM.
The user filters are checked to see if the locally utilized user profile may be used to connect to the database via DDM. By default, if the user is not defined in the list, then the transaction will be blocked.
User
The name of a user profile on the local system or *ALL to indicate that any user profile may be used.
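The following Python model is an added example, not MDSEC code. It shows how the user filter and data filter lists described above combine for a single DDM request, and flags broad entries for review. The profile name APPUSER, library BLIB and the function names are constructed, and treating a library with no entry as *EXCLUDE is an assumption the page does not state.

```python
# Added model of the lookup order described above; not MDSEC code.
READ, WRITE = "read", "write"

# Constructed sample lists, mirroring the ALIB example on this page.
USER_FILTERS = {"APPUSER"}            # "*ALL" would admit any local profile
DATA_FILTERS = {
    ("ALIB", "*ALL"): "*UPDATE",
    ("ALIB", "AFILE"): "*EXCLUDE",
    ("BLIB", "*ALL"): "*INPUT",
}

def effective_usage(library, obj, data_filters=DATA_FILTERS):
    """Object-specific entry first, then the library's *ALL default."""
    lib, name = library.upper(), obj.upper()
    if (lib, name) in data_filters:
        return data_filters[(lib, name)]
    # ASSUMPTION: a library with no entry at all is treated as *EXCLUDE.
    return data_filters.get((lib, "*ALL"), "*EXCLUDE")

def ddm_decision(user, library, obj, access,
                 user_filters=USER_FILTERS, data_filters=DATA_FILTERS):
    """Return (allowed, reason) for one modelled DDM request."""
    if "*ALL" not in user_filters and user.upper() not in user_filters:
        return False, "user profile not in user filters"
    usage = effective_usage(library, obj, data_filters)
    if usage == "*UPDATE" or (usage == "*INPUT" and access == READ):
        return True, usage
    return False, usage

def broad_entries(user_filters=USER_FILTERS, data_filters=DATA_FILTERS):
    """List entries worth a second look in a review of the filter lists."""
    findings = []
    if "*ALL" in user_filters:
        findings.append("user filter *ALL admits every profile")
    for (lib, name), usage in sorted(data_filters.items()):
        if name == "*ALL" and usage == "*UPDATE":
            findings.append(f"{lib}/*ALL *UPDATE allows updates library-wide")
    return findings

if __name__ == "__main__":
    for req in [("APPUSER", "ALIB", "BFILE", WRITE),
                ("APPUSER", "ALIB", "AFILE", READ),
                ("APPUSER", "BLIB", "ORDERS", WRITE),
                ("GUEST", "ALIB", "BFILE", READ)]:
        print(req, ddm_decision(*req))
    print(broad_entries())
```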
F21=Sys Command