Implementing Data Source Security

You provide FOCUS security on a file-by-file basis. Implementing DBA security features is a straightforward process in which you specify:

The declarations (called security declarations) follow the END command in a Master File and tell FOCUS that security is needed for the data source and what type of security is needed. Each security declaration consists of one or several of the following attributes:

Describe your data source security by specifying values for these attributes in a comma-delimited format, just as you specify any other attribute in the Master File.

The word END on a line by itself in the Master File terminates the segment and field attributes and indicates that the access limits follow. If you place the word END in a Master File, it must be followed by at least the DBA attribute.


Example: Implementing Data Source Security in a Master File

The following is a Master File that uses security features:

FILENAME = PERS, SUFFIX = FOC,$
SEGMENT = IDSEG, SEGTYPE = S1,$
 FIELD = SSN          ,ALIAS = SSN    ,FORMAT = A9   ,$
 FIELD = FULLNAME     ,ALIAS = FNAME  ,FORMAT = A40  ,$
 FIELD = DIVISION     ,ALIAS = DIV    ,FORMAT = A8   ,$
SEGMENT=COMPSEG, PARENT=IDSEG, SEGTYPE=S1,$
 FIELD = SALARY       ,ALIAS = SAL    ,FORMAT = D8   ,$
 FIELD = DATE         ,ALIAS = DATE   ,FORMAT = YMD  ,$
 FIELD = INCREASE     ,ALIAS = INC    ,FORMAT = D6   ,$
END
DBA=JONES76,$
USER=TOM    ,ACCESS=RW, $
USER=BILL   ,ACCESS=R  ,RESTRICT=SEGMENT  ,NAME=COMPSEG    ,$
USER=JOHN   ,ACCESS=R  ,RESTRICT=FIELD    ,NAME=SALARY     ,$
                                           NAME=INCREASE   ,$
USER=LARRY  ,ACCESS=U  ,RESTRICT=FIELD    ,NAME=SALARY     ,$
USER=TONY   ,ACCESS=R  ,RESTRICT=VALUE    ,NAME=IDSEG,
   VALUE=DIVISION EQ 'WEST' ,$
USER=MARY   ,ACCESS=W  ,RESTRICT=VALUE    ,NAME=SALTEST,
   VALUE=INCREASE+SALARY GE SALARY,$
                                           NAME=HISTTEST,
   VALUE=DIV NE ' ' AND DATE GT 0,$
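As an added illustration (Python written for this page, not FOCUS code and not from the manual), the following parses the security declarations of the PERS Master File above into a rule table and answers the question FOCUS asks before a TABLE request: does the password in effect grant read access? It assumes that only ACCESS values containing R permit a TABLE request, as the MOVIES example later on this page shows, and it folds case the way SET DBACSENSITIV=OFF does unless told otherwise.

```python
import re

# Constructed sample: the DBA section of the PERS Master File shown above.
PERS_MASTER = """\
FILENAME = PERS, SUFFIX = FOC,$
SEGMENT = IDSEG, SEGTYPE = S1,$
 FIELD = DIVISION     ,ALIAS = DIV    ,FORMAT = A8   ,$
END
DBA=JONES76,$
USER=TOM    ,ACCESS=RW, $
USER=BILL   ,ACCESS=R  ,RESTRICT=SEGMENT  ,NAME=COMPSEG    ,$
USER=JOHN   ,ACCESS=R  ,RESTRICT=FIELD    ,NAME=SALARY     ,$
                                           NAME=INCREASE   ,$
USER=LARRY  ,ACCESS=U  ,RESTRICT=FIELD    ,NAME=SALARY     ,$
USER=TONY   ,ACCESS=R  ,RESTRICT=VALUE    ,NAME=IDSEG,
   VALUE=DIVISION EQ 'WEST' ,$
USER= ,ACCESS=R,$
"""

def parse_dba(master_text):
    """Return (dba_password, {user_password: {"access": ..., "restrict": [...]}})."""
    end = re.search(r"^\s*END\s*$", master_text, re.M)   # security declarations follow END
    if end is None:
        raise ValueError("no END line: the Master File carries no DBA section")
    dba, users, current = None, {}, None
    for decl in re.split(r",\s*\$", master_text[end.end():]):   # each declaration ends with ,$
        pairs = [p.split("=", 1) for p in decl.split(",") if "=" in p]
        attrs = {k.strip().upper(): v.strip() for k, v in pairs}
        if not attrs:
            continue
        if "DBA" in attrs:
            dba = attrs["DBA"].strip("'")
            continue
        if "USER" in attrs:                # new user; an empty value is the blank password
            current = attrs["USER"].strip("'")
            users[current] = {"access": attrs.get("ACCESS", "").upper(), "restrict": []}
        elif current is None:
            raise ValueError("restriction without a preceding USER attribute")
        if "NAME" in attrs:                # continuation lines carry only NAME (and VALUE)
            kind = attrs.get("RESTRICT") or users[current]["restrict"][-1][0]
            users[current]["restrict"].append((kind.upper(), attrs["NAME"], attrs.get("VALUE")))
    return dba, users

def can_read(users, password, dbacsensitiv="OFF"):
    """True if the password grants read access (R or RW); otherwise FOC047 would apply.
    DBACSENSITIV=OFF (the default) uppercases both sides before comparing."""
    fold = (lambda s: s) if dbacsensitiv.upper() == "ON" else str.upper
    for declared, rule in users.items():
        if fold(declared) == fold(password):
            return "R" in rule["access"]
    return False
```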

Identifying the DBA: The DBA Attribute

The first security attribute should be a password that identifies the Database Administrator. This password can be up to 64 characters long and is not case sensitive. It can include special characters. If the DBA password contains blanks, it must be enclosed in single quotation marks. Since nothing else is needed, this line is terminated by the usual delimiter (,$).

Example: Identifying the DBA Using the DBA Attribute
DBA=JONES76,$


Procedure: How to Change a DBA Password

The DBA has the freedom to change any of the security attributes. If you change the DBA password in the Master File for an existing FOCUS data source, you must use the RESTRICT command to store the changed DBA password in each FOCUS data source affected by the change. Unless this is done, FOCUS assumes that the new description is an attempt to bypass the restriction rules. You use the following procedure for each data source affected:

  1. Edit the Master File, changing the DBA value from old to new.
  2. Issue the command:
    SET PASS=old_DBA_password
  3. Issue the command:
    RESTRICT 
    mastername 
    END
  4. Issue the command:
    SET PASS=new_DBA_password

Including the DBA Attribute in a HOLD File

With the SET HOLDSTAT command, you can identify a data source containing DBA information and comments to be automatically included in HOLD and PCHOLD Master Files. For more information about the SET HOLDSTAT command, see the Developing Applications manual.

The data source must be a member in the PDS allocated to ddname MASTER or ERRORS. MASTER takes precedence over ERRORS.

The Information Builders-supplied file is named HOLDSTAT; user-specified HOLDSTAT files can have any valid file name.

The HOLDSTAT file must contain a dollar sign ($) in column 1. The keyword $BOTTOM in the file indicates there is DBA information to be added.

The following sample HOLDSTAT is included with FOCUS:

$===============================================================$
$     HOLD file created on &DATE at &TOD by FOCUS &FOCREL       $
$             Database records retrieved= &RECORDS              $
$             Records in the HOLD file = &LINES                 $
$===============================================================$

To include DBA information in HOLD Master Files, use the following syntax at the bottom of the HOLDSTAT file:

$BOTTOM
END
DBA=...

Note: User-defined variables may not be included in the comments portion of the HOLDSTAT file. Other DBA attributes can be included in the HOLDSTAT file as system variables.

All lines from the HOLDSTAT file that appear prior to $BOTTOM are placed at the top of the HOLD Master File, before any file and field declarations. All lines that appear after $BOTTOM are appended to the bottom of the HOLD Master File. Any Dialogue Manager variables are replaced with the actual variable values.



Example: Including a Comment in a HOLD Master File

The following example illustrates the use of HOLDSTAT. The TABLE request is:

SET HOLDSTAT = ON
TABLE FILE EMPLOYEE
PRINT LAST_NAME FIRST_NAME SALARY
BY EID
ON TABLE HOLD
END

It produces the HOLD Master File:

$================================================================$
$    HOLD file created on 2003/05/20 at 17.58.10 by FOCUS 7.3    $
$            Database records retrieved=       19                $
$            Records in the HOLD file =        19                $
$================================================================$
FILE = HOLD   ,SUFFIX = FIX
SEGNAME = HOLD, SEGTYPE = S01
FIELDNAME = EMP_ID             ,E01         ,A9       ,A12      ,$
FIELDNAME = LAST_NAME          ,E02         ,A15      ,A16      ,$
FIELDNAME = FIRST_NAME         ,E03         ,A10      ,A12      ,$
FIELDNAME = SALARY             ,E04         ,D12.2M   ,D08      ,$


Example: Including DBA Attributes in a HOLD Master File

The next example illustrates the use of a user-specified file containing DBA information. The HOLD Master File that is generated contains DBA information from the file name specified in the SET HOLDSTAT command. The HOLDDBA Master File is:

$===============================================================$
$     HOLD file created on &DATE at &TOD by FOCUS &FOCREL       $
$             Database records retrieved= &RECORDS              $
$             Records in the HOLD file = &LINES                 $
$===============================================================$
$BOTTOM
END
DBA=MARY,$

The following TABLE request uses the HOLDDBA Master File:

SET HOLDSTAT = HOLDDBA
TABLE FILE EMPLOYEE
PRINT LAST_NAME FIRST_NAME SALARY
BY EID
ON TABLE HOLD
END

The HOLD Master File that results is:

$===============================================================$
$    HOLD file created on 2003/05/20 at 17.58.10 by FOCUS 7.3   $
$             Database records retrieved=       19              $
$             Records in the HOLD file =        19              $
$===============================================================$
FILE = HOLD ,SUFFIX = FIX
SEGNAME = HOLD, SEGTYPE = S01
FIELDNAME = EMP_ID            ,E01         ,A9       ,A12     ,$
FIELDNAME = LAST_NAME         ,E02         ,A15      ,A16     ,$
FIELDNAME = FIRST_NAME        ,E03         ,A10      ,A12     ,$
FIELDNAME = SALARY            ,E04         ,D12.2M   ,D08     ,$
END
DBA=MARY,$
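The assembly rule described above (HOLDSTAT lines before $BOTTOM at the top, field declarations in the middle, lines after $BOTTOM at the end, with &-variables substituted) as an added Python example; it is not FOCUS's own code. The HOLDDBA template and the variable values are constructed from the two examples above, and the column layout of the FIELDNAME lines is an assumption.

```python
import re

# Constructed from the HOLDDBA example above: comment template, $BOTTOM marker, DBA section.
HOLDDBA = """\
$===============================================================$
$     HOLD file created on &DATE at &TOD by FOCUS &FOCREL       $
$             Database records retrieved= &RECORDS              $
$             Records in the HOLD file = &LINES                 $
$===============================================================$
$BOTTOM
END
DBA=MARY,$
"""
# Field declarations of the HOLD file from the EMPLOYEE request: name, alias, format, actual.
HOLD_FIELDS = [("EMP_ID", "E01", "A9", "A12"), ("LAST_NAME", "E02", "A15", "A16"),
               ("FIRST_NAME", "E03", "A10", "A12"), ("SALARY", "E04", "D12.2M", "D08")]

def build_hold_master(holdstat, fields, variables):
    """Assemble a HOLD Master File: HOLDSTAT lines before $BOTTOM on top, the FILE/SEGNAME/
    FIELDNAME declarations in the middle, lines after $BOTTOM (END, DBA=...) at the end.
    &NAME tokens are replaced from `variables`, mimicking Dialogue Manager substitution."""
    if not holdstat.startswith("$"):
        raise ValueError("HOLDSTAT file must contain $ in column 1")
    def expand(line):
        return re.sub(r"&([A-Z][A-Z0-9]*)", lambda m: variables.get(m.group(1), m.group(0)), line)
    lines = holdstat.splitlines()
    if "$BOTTOM" in lines:
        cut = lines.index("$BOTTOM")
        top, bottom = lines[:cut], lines[cut + 1:]
    else:
        top, bottom = lines, []           # no $BOTTOM: comments only, no DBA section appended
    body = ["FILE = HOLD ,SUFFIX = FIX", "SEGNAME = HOLD, SEGTYPE = S01"]
    body += ["FIELDNAME = %-18s,%-12s,%-9s,%-8s,$" % f for f in fields]
    return "\n".join([expand(l) for l in top] + body + [expand(l) for l in bottom]) + "\n"

def has_dba(master_text):
    """Whether the generated HOLD Master File carries its own security declarations."""
    return re.search(r"^END\s*\nDBA=", master_text, re.M) is not None
```

A HOLD file without an appended DBA section is an unprotected copy of data that the source Master File restricted, which is why the $BOTTOM check matters.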

Identifying Users With Access Rights: The USER Attribute

The USER attribute is a password that identifies the users who have legitimate access to the data source. A USER attribute cannot be specified alone. It must be followed by at least one ACCESS restriction (discussed in Specifying an Access Type: The ACCESS Attribute) to specify what sort of ACCESS the user is granted.

Before using a secured data source, a user must enter the password using the SET PASS or SET USER command. If that password is not included in the Master File, the user is denied access to the data source. When the user does not have a password or has one that is inadequate for the type of access requested, the following message appears:

(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE:  
filename


Syntax: How to Set the USER Attribute

Any user whose name or password is not declared in the Master File is denied access to that data source. The syntax of the USER attribute is

USER = name

where:

name

Is a password of up to 64 characters for the user. The password can include special characters and is not case sensitive. If the password contains blanks, it must be enclosed in single quotation marks.

You can specify a blank password (default value if not previously changed). Such a password does not require the user to issue a SET PASS= command. A blank password may still have access limits and is convenient when a number of users have the same access rights.



Example: Setting the USER Attribute
USER=TOM,...

An example of setting a user password to blank, and access to read only follows:

USER= , ACCESS=R,$

Non-Overridable User Passwords (SET PERMPASS)

The PERMPASS parameter establishes a user password that remains in effect throughout a session or connection. You can issue this setting in any supported profile, but it is most useful when established for an individual user by setting it in a user profile. It cannot be set in an ON TABLE phrase. It is recommended that it not be set in FOCPARM or FOCPROF because it would then apply to all users. In a FOCUS session, SET PERMPASS can be issued in PROFILE, a FOCEXEC, or at the command prompt.

All security rules established in the DBA sections of existing Master Files are respected when PERMPASS is in effect. The user cannot issue the SET PASS or SET USER command to change to a user password with different security rules. Any attempt to do so generates the following message:

permanent PASS is in effect. Your PASS will not be honored.
VALUE WAS NOT CHANGED

Only one permanent password can be established in a session. Once it is set, it cannot be changed within the session.



Syntax: How to Set a Non-Overridable User Password
SET PERMPASS=userpass

where:

userpass

Is the user password used for all access to data sources with DBA security rules established in their associated Master Files.



Example: Setting a Non-Overridable User Password

Consider the MOVIES Master File with the following DBA rules in effect:

DBA=USER1,$
USER = USERR,  ACCESS = R ,$
USER = USERU,  ACCESS = U ,$
USER = USERW,  ACCESS = W ,$
USER = USERRW, ACCESS = RW,$

The following FOCEXEC sets a permanent password:

SET PERMPASS = USERU
TABLE FILE MOVIES 
PRINT TITLE BY DIRECTOR
END

The user has ACCESS=U and, therefore, is not allowed to issue a table request against the file:

(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE:
CAR
BYPASSING TO END OF COMMAND

The permanent password cannot be changed:

SET PERMPASS = USERRW
permanent PASS is in effect. Your PASS will not be honored.
VALUE WAS NOT CHANGED

The user password cannot be changed:

SET PASS = USERRW
permanent PASS is in effect. Your PASS will not be honored.
VALUE WAS NOT CHANGED


Controlling Case Sensitivity of Passwords

When a DBA or user issues the SET USER, SET PERMPASS or SET PASS command, the user ID is validated before that user is given access to any data source whose Master File has DBA attributes. The password is also checked when encrypting or decrypting a FOCEXEC.

The SET DBACSENSITIV command determines whether the password is converted to uppercase prior to validation.



Syntax: How to Control Password Case Sensitivity
SET DBACSENSITIV = {ON|OFF}

where:

ON

Does not convert passwords to uppercase. All comparisons between the password set by the user and the password in the Master File or FOCEXEC are case sensitive.

OFF

Converts passwords to uppercase prior to validation. All comparisons between the password set by the user and the password in the Master File or FOCEXEC are not case sensitive. OFF is the default value.



Example: Controlling Password Case Sensitivity

Consider the following DBA declaration added to the EMPLOYEE Master File:

USER = User2, ACCESS = RW,$

User2 wants to report from the EMPLOYEE data source and issues the following command:

SET USER = USER2

With DBACSENSITIV OFF, User2 can run the request even though the case of the password entered does not match the case of the password in the Master File.

With DBACSENSITIV ON, User2 gets the following message:

(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE:

With DBACSENSITIV ON, the user must issue the following command:

SET USER = User2

Note: In FOCUS for Mainframe, all user input is transmitted in uppercase. Therefore, a mixed case password cannot be issued at the command line. It must be set in a FOCEXEC or profile.


Establishing User Identity

A user must enter his or her password before using any FOCUS data source that has security specified for it. A single user may have different passwords in different files. For example, in file ONE, the rights of password BILL apply, but in file TWO, the rights of password LARRY apply. Use the SET PASS command to establish the passwords.



Syntax: How to Establish User Identity
SET {PASS|USER} = name [[IN {file|* [NOCLEAR]}], name [IN file] ...]

where:

name

Is the user name or password. If a character used in the password has a special meaning in your operating environment (for example, as an escape character), you can issue the SET USER command in a FOCEXEC and execute the FOCEXEC to set the password. If the password contains a blank, you do not have to enclose it in single quotation marks when issuing the SET USER command.

file

Is the name of the Master File to which the password applies.

*

Indicates that name replaces all passwords active in all files.

NOCLEAR

Provides a way to replace all passwords in the list of active passwords while retaining the list.



Example: Establishing User Identity

In the following example, the password TOM is in effect for all data sources that do not have a specific password designated for them:

SET PASS=TOM

For the next example, in file ONE the password is BILL, and in file TWO the password is LARRY. No other files have passwords set for them:

SET PASS=BILL IN ONE, LARRY IN TWO

Here, all files have password SALLY except files SIX and SEVEN, which have password DAVE.

SET PASS=SALLY, DAVE IN SIX
SET PASS=DAVE IN SEVEN

The password is MARY in file FIVE and FRANK in all other files:

SET PASS=MARY IN FIVE,FRANK

A list of the files for which a user has set specific passwords is maintained. To see the list of files, issue:

? PASS

When the user sets a password IN * (all files), the list of active passwords collapses to one entry with no associated file name. To retain the file name list, use the NOCLEAR option.

In the next example, the password KEN replaces all passwords active in all files, and the table of active passwords is folded to one entry:

SET PASS=KEN IN *

In the following, MARY replaces all passwords in the existing table of active passwords (which consists of files NINE and TEN) but FRANK is the password for all other files. The option NOCLEAR provides a shorthand way to replace all passwords in a specific list:

SET PASS=BILL IN NINE,TOM IN TEN
SET PASS=MARY IN * NOCLEAR,FRANK

Note: The FIND function does not work with COMBINEd data sources secured with different passwords.

Users must issue passwords using the SET PASS command during each session in which they use a secured data source. They may issue passwords at any time before using the data source and can issue a different password afterward to access another data source.
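The active-password table that SET PASS maintains (bare name, IN file, IN *, NOCLEAR, ? PASS) together with the SET PERMPASS lock described in the Non-Overridable User Passwords section, modelled as an added Python example that is not FOCUS's own code. The parsing of the SET PASS argument, the merge rule between successive commands and the effect of PERMPASS on the table are assumptions drawn from the examples on this page.

```python
# Text FOCUS returns when a permanent password blocks a change (quoted from this page).
PERM_MSG = "permanent PASS is in effect. Your PASS will not be honored.\nVALUE WAS NOT CHANGED"

class PasswordTable:
    def __init__(self):
        self.default = ""        # password for files with no specific entry (blank = none set)
        self.per_file = {}       # file name -> password; "? PASS" lists these files
        self.permpass = None     # non-overridable password once SET PERMPASS is issued

    def set_permpass(self, name):
        """SET PERMPASS=name: only one per session, and it cannot be changed afterwards."""
        if self.permpass is not None:
            return PERM_MSG
        self.permpass = name.strip()
        self.default, self.per_file = self.permpass, {}   # assumption: it governs all files
        return None

    def set_pass(self, arg):
        """Apply 'SET PASS=<arg>'; returns the error text, or None on success."""
        if self.permpass is not None:
            return PERM_MSG
        for item in arg.split(","):                 # name [IN file] entries, comma separated
            tokens = item.split()
            name = tokens[0] if tokens else ""      # empty token is the blank password
            if len(tokens) >= 3 and tokens[1].upper() == "IN":
                target = tokens[2]
                if target == "*":
                    if len(tokens) > 3 and tokens[3].upper() == "NOCLEAR":
                        self.per_file = {f: name for f in self.per_file}   # keep the file list
                    else:
                        self.per_file = {}          # table folds to one entry, no file names
                    self.default = name
                else:
                    self.per_file[target.upper()] = name
            else:
                self.default = name                 # bare name: all files not listed
        return None

    def password_for(self, file):
        """The password FOCUS would present for this Master File."""
        return self.per_file.get(file.upper(), self.default)

    def query(self):
        """'? PASS': the files for which specific passwords are active."""
        return sorted(self.per_file)
```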


Information Builders