HP3000-L Archives

July 2002, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Tom Emerson <[log in to unmask]>
Reply To: Tom Emerson <[log in to unmask]>
Date: Tue, 2 Jul 2002 13:51:54 -0700

> -----Original Message-----
> From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
> Behalf Of Robert Grimes
> Then I added the full qualification for the db ... Base-name pic
> x(24) value "  basedb.group.account;".  Now I get a security
> violation.
[...]

Since the database access is now "cross account", you need to allow MPE
access to the database.  This is done via DBUTIL's RELEASE command.  While
in general RELEASING files is "a bad thing (tm)" because anyone can then
read or WRITE to them, releasing databases isn't quite as problematic -- the
files still have negative file codes [so only PRIV mode routines can open
them] and access to the data is still controlled via the DB-specific ACLs
[image user "levels" and passwords].

If you're paranoid, however, you still have an option or two -- set up a
socket-based application that updates the database [advantage: database
stays "open", thus avoiding lengthy startup times; disadvantage: you now
have to "trust" the IP source].  This "socket" based application can log on
where it has proper MPE access to the database; your COBOL CGI app would
then open a socket to this application and pass the necessary data.  If
sockets aren't your cup of tea, consider good old MPE "message" files  [the
MPE equivalent to unix "pipe" sockets].

Alternatively, I think you can apply regular MPE ACLs to the database files
themselves [note: haven't tried this; it hasn't come up in any production
scenarios I've worked with...].  This would allow your "apache" user to
access the database stored in your .PROD group/account.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
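
The socket-based broker described in the message above, sketched as an added example (not part of the original post and not MPE code): a Python process stands in for the job that has proper access to the database, and the CGI front end only sends it one validated record. The record layout, the names `process`, `start_broker` and `submit`, and the in-memory `STORE` are hypothetical.

```python
import json
import socket
import socketserver
import threading

TRUSTED_PEERS = {"127.0.0.1"}   # assumption: the CGI program runs on the same host
FIELDS = {"order_id": int, "status": str}   # hypothetical record layout
STORE = {}                      # stand-in for the database only the broker can open
STORE_LOCK = threading.Lock()

def process(peer_ip, line):
    """Decide on one request; the only code path that writes to STORE."""
    # Source address is the sole identity check: the trust trade-off in the post.
    if peer_ip not in TRUSTED_PEERS:
        return b"DENIED"
    try:
        record = json.loads(line)
    except (ValueError, RecursionError):
        return b"REJECTED"
    # Accept exactly the expected fields and types, nothing more.
    if not isinstance(record, dict) or set(record) != set(FIELDS):
        return b"REJECTED"
    if not all(type(record[k]) is t for k, t in FIELDS.items()):
        return b"REJECTED"
    with STORE_LOCK:
        STORE[record["order_id"]] = record["status"]
    return b"OK"

class BrokerHandler(socketserver.StreamRequestHandler):
    timeout = 5                                  # drop stalled clients
    def handle(self):
        line = self.rfile.readline(4096)         # bound the request size
        self.wfile.write(process(self.client_address[0], line) + b"\n")

def start_broker(host="127.0.0.1", port=0):
    """Start the broker on loopback; returns (server, bound_port)."""
    server = socketserver.ThreadingTCPServer((host, port), BrokerHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def submit(port, payload, host="127.0.0.1"):
    """What the CGI front end would do: send one line, read one reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload + b"\n")
        return s.makefile("rb").readline().strip()
```

Binding to loopback and checking the peer address keeps the database closed to the web server's own account; the field and type check limits what a compromised front end can ask the broker to write.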