The declarations (called security declarations) follow the END command in a Master File and tell that security is needed for the data source and what type of security is needed. The word END on a line by itself in the Master File terminates the segment and field attributes and indicates that the access limits follow. If you place the word END in a Master File, it must be followed by at least a DBA attribute. Each security declaration consists of one or several of the following attributes:
RW, which allows a user to both read and write to a data source.
R, which allows a user only to read data in a data source.
W, which allows a user to only write new segment instances to a data source.
U, which allows a user only to update records in a data source.
Describe your data source security by specifying values for these attributes in a comma-delimited format, just as you specify any other attribute in the Master File.
The following is a Master File that uses security features:
FILENAME = PERS, SUFFIX = FOC,$ SEGMENT = IDSEG, SEGTYPE = S1,$ FIELD = SSN ,ALIAS = SSN ,FORMAT = A9 ,$ FIELD = FULLNAME ,ALIAS = FNAME ,FORMAT = A40 ,$ FIELD = DIVISION ,ALIAS = DIV ,FORMAT = A8 ,$ SEGMENT=COMPSEG, PARENT=IDSEG, SEGTYPE=S1,$ FIELD = SALARY ,ALIAS = SAL ,FORMAT = D8 ,$ FIELD = DATE ,ALIAS = DATE ,FORMAT = YMD ,$ FIELD = INCREASE ,ALIAS = INC ,FORMAT = D6 ,$ END DBA=JONES76,$ USER=TOM ,ACCESS=RW, $ USER=BILL ,ACCESS=R ,RESTRICT=SEGMENT ,NAME=COMPSEG ,$ USER=JOHN ,ACCESS=R ,RESTRICT=FIELD ,NAME=SALARY ,$ NAME=INCREASE ,$ USER=LARRY ,ACCESS=U ,RESTRICT=FIELD ,NAME=SALARY ,$ USER=TONY ,ACCESS=R ,RESTRICT=VALUE ,NAME=IDSEG, VALUE=DIVISION EQ 'WEST' ,$ USER=MARY ,ACCESS=W ,RESTRICT=VALUE ,NAME=SALTEST, VALUE=INCREASE+SALARY GE SALARY,$ NAME=HISTTEST, VALUE=DIV NE ' ' AND DATE GT 0,$
The first security attribute should be a password that identifies the Database Administrator. This password can be up to 64 characters long and, by default, is not case-sensitive. It can include special characters. If the DBA password contains blanks, it must be enclosed in single quotation marks ('). Since nothing else is needed, this line is terminated by the usual delimiter (,$).
DBA=JONES76,$
How to: |
The USER attribute is a password that identifies the users who have access to the data source. A USER attribute cannot be specified alone. It must be followed by at least one ACCESS restriction (discussed in Specifying an Access Type: The ACCESS Attribute) to specify what sort of ACCESS the user is granted.
Before using a secured data source, a user must enter the password using the SET PASS or SET USER command. If that password is not included in the Master File, the user is denied access to the data source. When the user does not have a password, or has one that is inadequate for the type of access requested, a message appears.
Any user whose name or password is not declared in the Master File is denied access to that data source. The syntax of the USER attribute is
USER = name
where:
Is a password of up to 64 characters for the user. The password can include special characters and is not case-sensitive. If the password contains blanks, it must be enclosed in single quotation marks (').
You can specify a blank password (default value if not previously changed). Such a password does not require the user to issue a SET PASS= command. A blank password may still have access limits and is convenient when a number of users have the same access rights.
USER=TOM,...
An example of setting a user password to blank, and access to read only follows:
USER= , ACCESS=R,$
A user must enter his or her password before using any data source that has security specified for it. A single user may have different passwords in different files. For example, in file ONE, the rights of password BILL apply, but in file TWO, the rights of password LARRY apply. Use the SET PASS command to establish the passwords.
The ACCESS attribute specifies what sort of access a user is granted. Every security declaration, except the DBA declaration, must have a USER attribute and an ACCESS attribute.
The following is a complete security declaration, consisting of a USER attribute and an ACCESS attribute.
USER=TOM, ACCESS=RW,$
This declaration gives Tom read and write (for adding new segment instances) access to the data source.
Access levels affect what kind of commands a user can issue. Before you decide what access levels to assign to a user, consider what commands that user will need. If a user does not have sufficient access rights to use a given command, a message appears.
ACCESS levels determine what a user can do to the data source. Use the RESTRICT attribute (discussed in Limiting Data Source Access: The RESTRICT Attribute) to limit the fields, values, or segments to which a user has access. Every USER attribute must be assigned an ACCESS attribute. The RESTRICT attribute is optional. Without it, the user has unlimited access to fields and segments within the data source.
How to: |
The ACCESS attribute determines what a user can do with a data source.
The optional RESTRICT attribute further restricts a user access to certain fields, values, or segments.
The RESTRICT=VALUE attribute supports those criteria that are supported by the IF phrase. The RESTRICT=VALUE_WHERE attribute supports all criteria supported in a WHERE phrase, including comparison between fields and use of functions. The WHERE expression will be passed to a configured adapter when possible.
...RESTRICT=level, NAME={name|SYSTEM} [,VALUE=test],$
or
...RESTRICT=VALUE_WHERE, NAME=name, VALUE=expression; ,$
where:
Can be one of the following:
USER=MARY ,ACCESS=R ,RESTRICT=NOPRINT ,NAME=EMP_ID , VALUE=CURR_SAL LT 10000;,$
Is the name of the field or segment to restrict. When used after NOPRINT, this can only be a field name. NAME=SYSTEM, which can only be used with value tests, restricts every segment in the data source, including descendant segments. Multiple fields or segments can be specified by issuing the RESTRICT attribute several times for one user.
Note: With value restrictions, NAME=segment restricts the named segment and any segment lower in the hierarchy, whether or not an alternate file view changes the retrieval view. This means that if a parent segment has a value restriction, and a join or alternate file view makes a child segment the new root, the value restriction on the original parent will still apply to the new root.
Specifies that the user can have access to only those values that meet the test described in the test parameter.
Is the value test that the data must meet before the user can have access to it. The test is an expression supported in an IF phrase.
Specifies that the user can have access to only those values that meet the test described in the expression parameter.
Is the value test that the data must meet before the user can have access to it. The test is an expression supported in a WHERE phrase.
Note: The semicolon (;) is required.
USER=BILL ,ACCESS=R ,RESTRICT=SEGMENT ,NAME=COMPSEG,$
How to: |
The DBAFILE attribute enables you to place all passwords and restrictions for multiple Master Files in one central file. Each individual Master File points to this central control file. Groups of Master Files with the same DBA password may share a common DBAFILE which itself has the same DBA password.
There are several benefits to this technique, including:
The central DBAFILE is a standard Master File. Other Master Files can use the password and security restrictions listed in the central file by specifying its file name with the DBAFILE attribute.
END DBA=dbaname, DBAFILE=filename ,$
where:
Is the same as the dbaname in the central file.
Is the name of the central file.
You can specify passwords and restrictions in a DBAFILE that apply to every Master File that points to that DBAFILE. You can also include passwords and restrictions for specific Master Files by including FILENAME attributes in the DBAFILE.
Topics: |
How to: |
Since the restriction information for a data source is stored in its Master File, encrypt the Master File in order to prevent users from examining the restriction rules. Only the Database Administrator can encrypt a description. You must set PASS=DBAname before you issue the ENCRYPT command.
ENCRYPT FILE filename
where:
Is the name of the file to be encrypted.
The following is an example of the complete procedure:
SET PASS=JONES76 ENCRYPT FILE PERS
The process can be reversed in order to change the restrictions. The command to restore the description to a readable form is DECRYPT.
The DBA password must be issued with the SET command before the file can be decrypted. For example:
SET PASS=JONES76 DECRYPT FILE PERS
You may also use the ENCRYPT parameter within the Master File to encrypt some or all of its segments.
Encryption takes place on the segment level. That is, the entire segment is encrypted. The request for encryption is made in the Master File by setting the attribute ENCRYPT to ON.
SEGMENT=COMPSEG, PARENT=IDSEG, SEGTYPE=S1, ENCRYPT=ON,$
You must specify the ENCRYPT parameter before entering any data in the data source. The message NEW FILE... must appear when the encryption is first requested. Encryption cannot be requested later by a change to the Master File and cannot be removed after it has been requested or any data has been entered in the data source.
WebFOCUS | |
Feedback |