You provide FOCUS security on a file-by-file basis. Implementing DBA security features is a straightforward process in which you specify:
The declarations (called security declarations) follow the END command in a Master File and tell FOCUS that security is needed for the data source and what type of security is needed. Each security declaration consists of one or several attributes. The ACCESS attribute grants one of the following access types:
RW, which allows a user to both read and write to a data source.
R, which allows a user only to read data in a data source.
W, which allows a user to only write new segment instances to a data source.
U, which allows a user only to update records in a data source.
Describe your data source security by specifying values for these attributes in a comma-delimited format, just as you specify any other attribute in the Master File.
The word END on a line by itself in the Master File terminates the segment and field attributes and indicates that the access limits follow. If you place the word END in a Master File, it must be followed by at least the DBA attribute.
The following is a Master File that uses security features:
FILENAME = PERS, SUFFIX = FOC,$
SEGMENT = IDSEG, SEGTYPE = S1,$
  FIELD = SSN      ,ALIAS = SSN   ,FORMAT = A9  ,$
  FIELD = FULLNAME ,ALIAS = FNAME ,FORMAT = A40 ,$
  FIELD = DIVISION ,ALIAS = DIV   ,FORMAT = A8  ,$
SEGMENT=COMPSEG, PARENT=IDSEG, SEGTYPE=S1,$
  FIELD = SALARY   ,ALIAS = SAL   ,FORMAT = D8  ,$
  FIELD = DATE     ,ALIAS = DATE  ,FORMAT = YMD ,$
  FIELD = INCREASE ,ALIAS = INC   ,FORMAT = D6  ,$
END
DBA=JONES76,$
USER=TOM   ,ACCESS=RW, $
USER=BILL  ,ACCESS=R  ,RESTRICT=SEGMENT ,NAME=COMPSEG ,$
USER=JOHN  ,ACCESS=R  ,RESTRICT=FIELD   ,NAME=SALARY  ,$
                                        NAME=INCREASE ,$
USER=LARRY ,ACCESS=U  ,RESTRICT=FIELD   ,NAME=SALARY  ,$
USER=TONY  ,ACCESS=R  ,RESTRICT=VALUE   ,NAME=IDSEG,
      VALUE=DIVISION EQ 'WEST' ,$
USER=MARY  ,ACCESS=W  ,RESTRICT=VALUE   ,NAME=SALTEST,
      VALUE=INCREASE+SALARY GE SALARY,$
                                        NAME=HISTTEST,
      VALUE=DIV NE ' ' AND DATE GT 0,$
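The following Python model is an added example, not FOCUS code and not part of the original documentation. It parses the security declarations of the PERS Master File above (embedded as constructed sample input) and decides whether a given password may read, write or update a field. The field-to-segment table is taken from the SEGMENT/FIELD declarations above, since a RESTRICT=SEGMENT rule hides every field of that segment. The case_sensitive flag reproduces the default uppercase comparison of passwords (the page states passwords are not case-sensitive unless DBACSENSITIV is ON). VALUE restrictions are recorded verbatim rather than evaluated, because they need the record being accessed; RW is modelled as read plus write, exactly as the list above states.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the security declarations of the PERS Master File
# shown above (everything after the END line), embedded so the example runs offline.
PERS_DBA_SECTION = """\
DBA=JONES76,$
USER=TOM   ,ACCESS=RW, $
USER=BILL  ,ACCESS=R  ,RESTRICT=SEGMENT ,NAME=COMPSEG ,$
USER=JOHN  ,ACCESS=R  ,RESTRICT=FIELD   ,NAME=SALARY  ,$
                                        NAME=INCREASE ,$
USER=LARRY ,ACCESS=U  ,RESTRICT=FIELD   ,NAME=SALARY  ,$
USER=TONY  ,ACCESS=R  ,RESTRICT=VALUE   ,NAME=IDSEG,
      VALUE=DIVISION EQ 'WEST' ,$
USER=MARY  ,ACCESS=W  ,RESTRICT=VALUE   ,NAME=SALTEST,
      VALUE=INCREASE+SALARY GE SALARY,$
                                        NAME=HISTTEST,
      VALUE=DIV NE ' ' AND DATE GT 0,$
"""

# Field-to-segment layout of PERS from its SEGMENT/FIELD declarations; a
# RESTRICT=SEGMENT rule hides every field of the named segment.
PERS_FIELD_SEGMENT = {"SSN": "IDSEG", "FULLNAME": "IDSEG", "DIVISION": "IDSEG",
                      "SALARY": "COMPSEG", "DATE": "COMPSEG", "INCREASE": "COMPSEG"}

# Operations granted by each ACCESS value, as listed above.
ACCESS_GRANTS = {"RW": {"read", "write"}, "R": {"read"}, "W": {"write"}, "U": {"update"}}


@dataclass
class UserRule:
    password: str
    access: str
    restrict: Optional[str] = None              # SEGMENT, FIELD or VALUE
    names: list = field(default_factory=list)   # NAME= entries, continuation lines included
    values: list = field(default_factory=list)  # VALUE= tests, kept verbatim


@dataclass
class DbaSection:
    dba: str
    users: list


def parse_dba_section(text: str) -> DbaSection:
    """Parse the declarations that follow END. Each declaration ends with ,$ and
    a declaration without USER= continues the previous user's NAME/VALUE list.
    (Assumes no VALUE expression contains a comma or a dollar sign.)"""
    dba, users = "", []
    for decl in text.split("$"):
        pairs = [p.strip() for p in decl.split(",") if "=" in p]
        if not pairs:
            continue
        attrs = {k.strip().upper(): v.strip() for k, v in (p.split("=", 1) for p in pairs)}
        if "DBA" in attrs:
            dba = attrs["DBA"]
            continue
        if "USER" in attrs:
            if "ACCESS" not in attrs:
                raise ValueError("USER must be followed by an ACCESS attribute")
            users.append(UserRule(attrs["USER"], attrs["ACCESS"].upper(),
                                  attrs.get("RESTRICT", "").upper() or None))
        elif not users:
            raise ValueError("NAME/VALUE continuation without a preceding USER")
        if "NAME" in attrs:
            users[-1].names.append(attrs["NAME"].upper())
        if "VALUE" in attrs:
            users[-1].values.append(attrs["VALUE"])
    if not dba:
        raise ValueError("END must be followed by a DBA attribute")
    return DbaSection(dba, users)


def find_user(section, password, case_sensitive=False):
    """Match the SET PASS/SET USER value against the USER passwords. Passwords
    are compared in uppercase unless case_sensitive is set."""
    norm = (lambda s: s) if case_sensitive else str.upper
    return next((u for u in section.users if norm(u.password) == norm(password)), None)


def check_access(section, password, op, fieldname, layout=PERS_FIELD_SEGMENT,
                 case_sensitive=False):
    """True if password may perform op ('read', 'write' or 'update') on fieldname.
    VALUE restrictions need the record itself, so they are exposed by value_tests()."""
    rule = find_user(section, password, case_sensitive)
    if rule is None or op not in ACCESS_GRANTS.get(rule.access, set()):
        return False                                  # FOCUS would raise (FOC047)
    fieldname = fieldname.upper()
    if rule.restrict == "SEGMENT" and layout.get(fieldname) in rule.names:
        return False
    if rule.restrict == "FIELD" and fieldname in rule.names:
        return False
    return True


def value_tests(section, password):
    """The VALUE expressions a record must satisfy for this password (TONY, MARY)."""
    rule = find_user(section, password)
    return list(rule.values) if rule and rule.restrict == "VALUE" else []


if __name__ == "__main__":
    pers = parse_dba_section(PERS_DBA_SECTION)
    for pw, op, fld in [("TOM", "write", "SALARY"), ("BILL", "read", "SALARY"),
                        ("JOHN", "read", "DATE"), ("LARRY", "update", "SALARY")]:
        print(f"{pw:6} {op:6} {fld:8} -> {check_access(pers, pw, op, fld)}")
    print("MARY's records must satisfy:", value_tests(pers, "MARY"))
```

Note that BILL is refused SALARY even though his rule never names that field: the segment restriction on COMPSEG covers it. That is why the checker needs the Master File layout and not only the DBA section.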
The first security attribute should be a password that identifies the Database Administrator. This password can be up to 64 characters long and is not case-sensitive. It can include special characters. If the DBA password contains blanks, it must be enclosed in single quotation marks. Since nothing else is needed, this line is terminated by the usual delimiter (,$).
In the PERS Master File above, the DBA attribute is:
DBA=JONES76,$
The DBA has the freedom to change any of the security attributes. If you change the DBA password in the Master File for an existing FOCUS data source, you must use the RESTRICT command to store the changed DBA password in each FOCUS data source affected by the change. Unless this is done, FOCUS assumes that the new description is an attempt to bypass the restriction rules. You use the following procedure for each data source affected:
SET PASS=old_DBA_password
RESTRICT mastername END
SET PASS=new_DBA_password
With the SET HOLDSTAT command, you can identify a data source containing DBA information and comments to be automatically included in HOLD and PCHOLD Master Files. For more information about the SET HOLDSTAT command, see the Developing Applications manual.
The data source must be a member in the PDS allocated to ddname MASTER or ERRORS. MASTER takes precedence over ERRORS.
The Information Builders-supplied file is named HOLDSTAT; user-specified HOLDSTAT files can have any valid file name.
The HOLDSTAT file must contain a dollar sign ($) in column 1. The keyword $BOTTOM in the file indicates there is DBA information to be added.
The following sample HOLDSTAT is included with FOCUS:
$===============================================================$
$ HOLD file created on &DATE at &TOD by FOCUS &FOCREL           $
$ Database records retrieved= &RECORDS                          $
$ Records in the HOLD file = &LINES                             $
$===============================================================$
To include DBA information in HOLD Master Files, use the following syntax at the bottom of the HOLDSTAT file:
$BOTTOM
END
DBA=...
Note: User-defined variables may not be included in the comments portion of the HOLDSTAT file. Other DBA attributes can be included in the HOLDSTAT file as system variables.
All lines from the HOLDSTAT file that appear prior to $BOTTOM are placed at the top of the HOLD Master File, before any file and field declarations. All lines that appear after $BOTTOM are appended to the bottom of the HOLD Master File. Any Dialogue Manager variables are replaced with the actual variable values.
The following example illustrates the use of HOLDSTAT. The TABLE request is:
SET HOLDSTAT = ON
TABLE FILE EMPLOYEE
PRINT LAST_NAME FIRST_NAME SALARY
BY EID
ON TABLE HOLD
END
It produces the HOLD Master File:
$================================================================$
$ HOLD file created on 2003/05/20 at 17.58.10 by FOCUS 7.3       $
$ Database records retrieved= 19                                 $
$ Records in the HOLD file = 19                                  $
$================================================================$
FILE = HOLD ,SUFFIX = FIX
SEGNAME = HOLD, SEGTYPE = S01
FIELDNAME = EMP_ID     ,E01 ,A9     ,A12 ,$
FIELDNAME = LAST_NAME  ,E02 ,A15    ,A16 ,$
FIELDNAME = FIRST_NAME ,E03 ,A10    ,A12 ,$
FIELDNAME = SALARY     ,E04 ,D12.2M ,D08 ,$
The next example illustrates the use of a user-specified file containing DBA information. The HOLD Master File that is generated contains DBA information from the file name specified in the SET HOLDSTAT command. The HOLDDBA Master File is:
$===============================================================$
$ HOLD file created on &DATE at &TOD by FOCUS &FOCREL           $
$ Database records retrieved= &RECORDS                          $
$ Records in the HOLD file = &LINES                             $
$===============================================================$
$BOTTOM
END
DBA=MARY,$
The following TABLE request uses the HOLDDBA Master File:
SET HOLDSTAT = HOLDDBA
TABLE FILE EMPLOYEE
PRINT LAST_NAME FIRST_NAME SALARY
BY EID
ON TABLE HOLD
END
The HOLD Master File that results is:
$===============================================================$
$ HOLD file created on 2003/05/20 at 17.58.10 by FOCUS 7.3      $
$ Database records retrieved= 19                                $
$ Records in the HOLD file = 19                                 $
$===============================================================$
FILE = HOLD ,SUFFIX = FIX
SEGNAME = HOLD, SEGTYPE = S01
FIELDNAME = EMP_ID     ,E01 ,A9     ,A12 ,$
FIELDNAME = LAST_NAME  ,E02 ,A15    ,A16 ,$
FIELDNAME = FIRST_NAME ,E03 ,A10    ,A12 ,$
FIELDNAME = SALARY     ,E04 ,D12.2M ,D08 ,$
END
DBA=MARY,$
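The following Python example is added here and is not FOCUS code or part of the original page. It assembles a HOLD Master File the way the HOLDSTAT rules above describe: the comment lines are checked for the column-1 dollar sign and for user-defined variables, the system variables are resolved, the file and field declarations follow, and the lines after $BOTTOM are appended at the bottom. The variable values and the declaration lines are constructed to match the EMPLOYEE run shown above. Treating any name outside the system-variable set as user-defined is an assumption of this model, not something the page states.

```python
import re

# System variables the comment lines may use; the values are constructed to
# match the sample run shown above.
SYSTEM_VARS = {"DATE": "2003/05/20", "TOD": "17.58.10", "FOCREL": "7.3",
               "RECORDS": "19", "LINES": "19"}

# Constructed sample: the user-specified HOLDDBA file shown above.
HOLDDBA = """\
$===============================================================$
$ HOLD file created on &DATE at &TOD by FOCUS &FOCREL           $
$ Database records retrieved= &RECORDS                          $
$ Records in the HOLD file = &LINES                             $
$===============================================================$
$BOTTOM
END
DBA=MARY,$
"""

# Constructed: the file and field declarations TABLE writes for the EMPLOYEE
# request above (the part HOLDSTAT does not control).
HOLD_BODY = [
    "FILE = HOLD ,SUFFIX = FIX",
    "SEGNAME = HOLD, SEGTYPE = S01",
    "FIELDNAME = EMP_ID     ,E01 ,A9     ,A12 ,$",
    "FIELDNAME = LAST_NAME  ,E02 ,A15    ,A16 ,$",
    "FIELDNAME = FIRST_NAME ,E03 ,A10    ,A12 ,$",
    "FIELDNAME = SALARY     ,E04 ,D12.2M ,D08 ,$",
]

VAR_RE = re.compile(r"&(&?)([A-Z][A-Z0-9_]*)")   # &NAME (system) or &&NAME (user-defined)


def split_holdstat(text):
    """Return (comment_lines, bottom_lines): what goes before the file and field
    declarations and what is appended after them."""
    lines = [line.rstrip() for line in text.splitlines()]
    if "$BOTTOM" not in lines:
        return lines, []
    i = lines.index("$BOTTOM")
    return lines[:i], lines[i + 1:]


def substitute(line, variables):
    """Replace &VAR with its value. Only system variables are accepted in the
    comments portion; a user-defined (&&) or unknown name is an error (assumption)."""
    def repl(m):
        user_defined, name = m.group(1), m.group(2)
        if user_defined or name not in variables:
            raise ValueError(f"variable &{user_defined}{name} not allowed in HOLDSTAT comments")
        return variables[name]
    return VAR_RE.sub(repl, line)


def is_valid_comment_line(line, variables=SYSTEM_VARS):
    """A comment line needs $ in column 1 and may use only system variables."""
    try:
        substitute(line, variables)
    except ValueError:
        return False
    return line.startswith("$")


def assemble_hold_master(holdstat, body, variables=SYSTEM_VARS):
    """Build the HOLD Master File: HOLDSTAT comments (variables resolved) on top,
    the declarations from TABLE in the middle, the $BOTTOM lines appended."""
    top, bottom = split_holdstat(holdstat)
    bad = [l for l in top if not is_valid_comment_line(l, variables)]
    if bad:
        raise ValueError(f"invalid HOLDSTAT comment line(s): {bad}")
    return [substitute(l, variables) for l in top] + list(body) + bottom


def dba_declarations(master_lines):
    """The security declarations of a Master File: everything after its END line."""
    return master_lines[master_lines.index("END") + 1:] if "END" in master_lines else []


if __name__ == "__main__":
    print("\n".join(assemble_hold_master(HOLDDBA, HOLD_BODY)))
```

The last function is the check worth automating: after a HOLD, confirm that the generated Master File actually carries the DBA section you expected, since a HOLDSTAT member without $BOTTOM silently produces an unsecured HOLD file.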
The USER attribute is a password that identifies the users who have legitimate access to the data source. A USER attribute cannot be specified alone. It must be followed by at least one ACCESS restriction (discussed in Specifying an Access Type: The ACCESS Attribute) to specify what sort of ACCESS the user is granted.
Before using a secured data source, a user must enter the password using the SET PASS or SET USER command. If that password is not included in the Master File, the user is denied access to the data source. When the user does not have a password, or has one that is inadequate for the type of access requested, the following message appears:
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: filename
Any user whose name or password is not declared in the Master File is denied access to that data source. The syntax of the USER attribute is
USER = name
where:
name
Is a password of up to 64 characters for the user. The password can include special characters and is not case-sensitive. If the password contains blanks, it must be enclosed in single quotation marks.
You can specify a blank password (default value if not previously changed). Such a password does not require the user to issue a SET PASS= command. A blank password may still have access limits and is convenient when a number of users have the same access rights.
For example, the following begins the declaration for the user password TOM:
USER=TOM,...
An example of setting a user password to blank, and access to read only follows:
USER= , ACCESS=R,$
The PERMPASS parameter establishes a user password that remains in effect throughout a session or connection. You can issue this setting in any supported profile, but it is most useful when established for an individual user by setting it in a user profile. It cannot be set in an ON TABLE phrase. It is recommended that it not be set in FOCPARM or FOCPROF because it would then apply to all users. In a FOCUS session, SET PERMPASS can be issued in PROFILE, a FOCEXEC, or at the command prompt.
All security rules established in the DBA sections of existing Master Files are respected when PERMPASS is in effect. The user cannot issue the SET PASS or SET USER command to change to a user password with different security rules. Any attempt to do so generates the following message:
(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. VALUE WAS NOT CHANGED
Note: Only one permanent password can be established in a session. Once it is set, it cannot be changed within the session.
SET PERMPASS=userpass
where:
userpass
Is the user password used for all access to data sources with DBA security rules established in their associated Master Files.
Consider the MOVIES Master File with the following DBA rules in effect:
DBA=USER1,$
USER = USERR,  ACCESS = R ,$
USER = USERU,  ACCESS = U ,$
USER = USERW,  ACCESS = W ,$
USER = USERRW, ACCESS = RW,$
The following FOCEXEC sets a permanent password:
SET PERMPASS = USERU
TABLE FILE MOVIES
PRINT TITLE BY DIRECTOR
END
The user has ACCESS=U and, therefore, is not allowed to issue a table request against the file:
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: MOVIES
BYPASSING TO END OF COMMAND
The permanent password cannot be changed:
SET PERMPASS = USERRW
(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. VALUE WAS NOT CHANGED
The user password cannot be changed:
SET PASS = USERRW
(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. VALUE WAS NOT CHANGED
Under MSO, SET PERMPASS can be issued in any of the following profiles:
Member PROFILE in the data set allocated to ddname MSOPROF. This profile is executed for all users.
Members with users' user IDs as names in the data set allocated to ddname MSOPROF. The profile is executed for the user corresponding to the user ID.
Member PROFILE in the data set allocated by a user to ddname FOCEXEC. This profile is executed for that specific user and is a standard FOCUS profile.
Member SHELPROF in the data set allocated to ddname FOCEXEC in the MSO startup JCL. This profile is executed for all users and is a standard FOCUS profile.
When a DBA or user issues the SET USER, SET PERMPASS or SET PASS command, the password is validated before they are given access to any data source whose Master File has DBA attributes. The password is also checked when encrypting or decrypting a FOCEXEC.
The SET DBACSENSITIV command determines whether the password is converted to uppercase prior to validation.
SET DBACSENSITIV = {ON|OFF}
where:
ON
Does not convert passwords to uppercase. All comparisons between the password set by the user and the password in the Master File or FOCEXEC are case-sensitive.
OFF
Converts passwords to uppercase prior to validation. All comparisons between the password set by the user and the password in the Master File or FOCEXEC are not case-sensitive. OFF is the default value.
Consider the following DBA declaration added to the EMPLOYEE Master File:
USER = User2, ACCESS = RW,$
User2 wants to report from the EMPLOYEE data source and issues the following command:
SET USER = USER2
With DBACSENSITIV OFF, User2 can run the request even though the case of the password entered does not match the case of the password in the Master File.
With DBACSENSITIV ON, User2 gets the following message:
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE:
With DBACSENSITIV ON, the user must issue the following command:
SET USER = User2
Note: In FOCUS for Mainframe, all user input is transmitted in uppercase. Therefore, a mixed case password cannot be issued at the command line. It must be set in a FOCEXEC or profile.
A user must enter his or her password before using any FOCUS data source that has security specified for it. A single user may have different passwords in different files. For example, in file ONE, the rights of password BILL apply, but in file TWO, the rights of password LARRY apply. Use the SET PASS command to establish the passwords.
SET {PASS|USER} = name [[IN {file|* [NOCLEAR]}], name [IN file] ...]
where:
name
Is the user name or password. If a character used in the password has a special meaning in your operating environment (for example, as an escape character), you can issue the SET USER command in a FOCEXEC and execute the FOCEXEC to set the password. If the password contains a blank, you do not have to enclose it in single quotation marks when issuing the SET USER command.
file
Is the name of the Master File to which the password applies.
*
Indicates that name replaces all passwords active in all files.
NOCLEAR
Provides a way to replace all passwords in the list of active passwords while retaining the list.
In the following example, the password TOM is in effect for all data sources that do not have a specific password designated for them:
SET PASS=TOM
For the next example, in file ONE the password is BILL, and in file TWO the password is LARRY. No other files have passwords set for them:
SET PASS=BILL IN ONE, LARRY IN TWO
Here, all files have password SALLY except files SIX and SEVEN, which have password DAVE.
SET PASS=SALLY, DAVE IN SIX
SET PASS=DAVE IN SEVEN
The password is MARY in file FIVE and FRANK in all other files:
SET PASS=MARY IN FIVE,FRANK
A list of the files for which a user has set specific passwords is maintained. To see the list of files, issue:
? PASS
When the user sets a password IN * (all files), the list of active passwords collapses to one entry with no associated file name. To retain the file name list, use the NOCLEAR option.
In the next example, the password KEN replaces all passwords active in all files, and the table of active passwords is folded to one entry:
SET PASS=KEN IN *
In the following, MARY replaces all passwords in the existing table of active passwords (which consists of files NINE and TEN) but FRANK is the password for all other files. The option NOCLEAR provides a shorthand way to replace all passwords in a specific list:
SET PASS=BILL IN NINE,TOM IN TEN
SET PASS=MARY IN * NOCLEAR,FRANK
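The following Python model is an added example, not FOCUS's implementation. It reproduces the SET PASS list rules of this section (per-file passwords, IN *, NOCLEAR and the ? PASS list) together with the PERMPASS lock described earlier under SET PERMPASS, which refuses later SET PASS and SET PERMPASS commands with the FOC32409 message quoted there. One assumption the page does not state: a password given without IN changes only the unqualified entry and leaves per-file entries in place.

```python
import re

# What FOCUS prints when SET PASS or SET PERMPASS is refused (message quoted above).
FOC32409 = ("(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. "
            "VALUE WAS NOT CHANGED")

# One entry of the SET PASS list: name [IN file [NOCLEAR]]
ENTRY_RE = re.compile(r"^(?P<name>.+?)(?:\s+IN\s+(?P<file>\S+)(?P<noclear>\s+NOCLEAR)?)?$",
                      re.IGNORECASE)


class PasswordTable:
    """Model of the active-password list that SET PASS maintains and ? PASS shows,
    plus the PERMPASS lock. Assumption not stated on the page: a password given
    without IN only changes the unqualified entry; per-file entries survive."""

    def __init__(self):
        self.default = None     # password with no file name attached
        self.per_file = {}      # Master File name -> password
        self.permpass = None    # set once per session, never changed afterwards

    def set_permpass(self, name):
        if self.permpass is not None:
            return FOC32409
        self.permpass = name
        return ""

    def set_pass(self, argument):
        """Apply the text after SET PASS= (or SET USER=); returns "" on success or
        the FOCUS message explaining why nothing changed."""
        if self.permpass is not None:
            return FOC32409
        for raw in argument.split(","):
            m = ENTRY_RE.match(raw.strip())
            if not m:
                raise ValueError(f"bad SET PASS entry: {raw!r}")
            name, fname, noclear = m.group("name"), m.group("file"), m.group("noclear")
            if fname is None:                          # SET PASS=TOM
                self.default = name
            elif fname != "*":                         # SET PASS=BILL IN ONE
                self.per_file[fname.upper()] = name
            elif noclear:                              # IN * NOCLEAR: replace, keep the list
                for f in self.per_file:
                    self.per_file[f] = name
                if self.default is not None:
                    self.default = name
            else:                                      # IN *: collapse to one entry
                self.per_file.clear()
                self.default = name
        return ""

    def password_for(self, file):
        """The password FOCUS would validate against the named Master File."""
        if self.permpass is not None:
            return self.permpass
        return self.per_file.get(file.upper(), self.default)

    def query(self):
        """What ? PASS lists: (file, password) pairs; the unqualified entry has file ''."""
        rows = list(self.per_file.items())
        if self.default is not None:
            rows.append(("", self.default))
        return rows


if __name__ == "__main__":
    t = PasswordTable()
    t.set_pass("BILL IN NINE,TOM IN TEN")
    t.set_pass("MARY IN * NOCLEAR,FRANK")
    print(t.query())
    t.set_permpass("USERU")
    print(t.set_pass("USERRW"))
```

The model makes the operational difference between IN * and IN * NOCLEAR visible: the first throws away the file list, so a later per-file password has to be re-entered, while the second keeps the list and only swaps the password in each entry.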
Note: The FIND function does not work with COMBINEd data sources secured with different passwords.
Users must issue passwords using the SET PASS command during each session in which they use a secured data source. They may issue passwords at any time before using the data source and can issue a different password afterward to access another data source.