Question

App9 - PL/SQL Webservices - How to prevent the bypassing of security check?

  • 8 August 2022
  • 1 reply
  • 32 views


I found that even if the calling party is given restricted user authentication, they can bypass the IFS built-in security mechanism by “impersonating” the IFSAPP user:


The caller is given restricted authentication (jasahu/<pwd>) and that user has no permissions for the underlying DB objects.

But if the caller adds the purple line, with IFSAPP as directory id, the security is bypassed and they can call what they in theory do not have permission for.

Is there a solution to this, so that they cannot call what they are not granted?
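The pattern the question describes, an authenticated but restricted caller naming a more privileged account in a separate "directory id" field and being authorised as that account, is a general one. The following is an added illustration, not IFS code and not from the poster: a toy web-service handler in Python with the weak pattern (authorisation keyed on the caller-supplied identity) next to the hardened pattern (authorisation keyed on the authenticated principal only, with any disagreeing identity claim rejected and written to an audit list). The user names, the credential table, the permission table and the object name `EXAMPLE_API.PROTECTED_CALL` are all constructed for the example.

```python
"""Added illustration (not IFS code): the effective identity used for an
authorisation decision must come from the authenticated principal, never from
a caller-supplied identity field.  All names and tables here are constructed."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed permission table: which authenticated user may invoke which object.
PERMISSIONS: Dict[str, set] = {
    "jasahu": set(),                          # restricted caller: no grants at all
    "ifsapp": {"EXAMPLE_API.PROTECTED_CALL"},  # application owner account
}
# Constructed credential store; plaintext only for the illustration.
CREDENTIALS: Dict[str, str] = {"jasahu": "jasahu-pwd", "ifsapp": "ifsapp-pwd"}

# Audit trail of rejected identity claims (what a defender would alert on).
AUDIT: List[str] = []


@dataclass
class Request:
    headers: Dict[str, str]
    target: str                          # object the caller wants to invoke
    directory_id: Optional[str] = None   # caller-supplied identity claim


def basic(user: str, pwd: str) -> Dict[str, str]:
    """Build an HTTP Basic Authorization header for the toy requests."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the principal proven by the Basic credentials, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:            # bad base64 / bad UTF-8: treat as unauthenticated
        return None
    user = user.lower()
    return user if CREDENTIALS.get(user) == pwd else None


def handle_weak(req: Request) -> str:
    """Vulnerable pattern: authenticate the caller, then authorise whichever
    identity the caller *names*.  A restricted user naming the owner account
    is authorised as the owner."""
    principal = authenticate(req.headers)
    if principal is None:
        return "401 unauthenticated"
    effective = (req.directory_id or principal).lower()   # trusts the claim
    if req.target in PERMISSIONS.get(effective, set()):
        return f"200 executed {req.target} as {effective}"
    return "403 forbidden"


def handle_hardened(req: Request) -> str:
    """Fixed pattern: the effective identity *is* the authenticated principal.
    A caller-supplied identity is accepted only if it matches; otherwise the
    request is refused and the attempt is recorded for detection."""
    principal = authenticate(req.headers)
    if principal is None:
        return "401 unauthenticated"
    if req.directory_id and req.directory_id.lower() != principal:
        AUDIT.append(f"identity mismatch: auth={principal} "
                     f"claimed={req.directory_id} target={req.target}")
        return "403 identity mismatch"
    if req.target in PERMISSIONS[principal]:
        return f"200 executed {req.target} as {principal}"
    return "403 forbidden"


if __name__ == "__main__":
    # Restricted user supplies the owner account as its "directory id".
    r = Request(basic("jasahu", "jasahu-pwd"), "EXAMPLE_API.PROTECTED_CALL",
                directory_id="IFSAPP")
    print("weak:    ", handle_weak(r))       # authorised as ifsapp: the bypass
    print("hardened:", handle_hardened(r))   # refused and audited
    print("audit:   ", AUDIT)
```

The design point is that the identity field is at most a consistency check, never an input to the authorisation decision; the mismatch branch is also the natural place to raise an alert, since a legitimate client has no reason to claim an account other than the one it authenticated as.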


1 reply


Interesting find...  Following for a solution.
