FoleyE, thank you for your further input. I apologize for the late reply; work can often be demanding, as we all know...
Thankfully, we haven't had any serious situation as far as I know. But as we all know, a good security approach/model cannot just be based on assumptions that people will always behave well. We have hundreds of developers onshore and offshore, and contractors from different vendors with various levels of skill, etc. We certainly need a more robust and comprehensive security approach to secure our 2E Models.
We're aware that this is a complex subject, and we may not find a good answer... But you've brought up some good feedback there, with that suggestion to experiment with IBM i features such as Adopted Authority and Authorization Lists.
Ultimately, we want to secure the Model at two levels (maybe...):
- At object level (e.g. FILE, DTAARA, PGM). For example, people should not be able to delete or alter Synon model objects.
- At data level. For example, people should not be able to tamper with data in Synon internal files, change a DTAARA value, or update any Synon data without using the sanctioned/official interfaces.
And maybe this whole security approach can be modeled after the 3 different Synon User Classes: *DSNR, *PGMR & *USER.
Assuming we know which objects to secure at which level, maybe some combination of those OS features can then be applied and experimented with... Thanks again.