Specifying an Access Type: The ACCESS Attribute

The ACCESS attribute specifies what sort of access a user is granted. Every security declaration, except the DBA declaration, must have a USER attribute and an ACCESS attribute.

The following is a complete security declaration, consisting of a USER attribute and an ACCESS attribute.

USER=TOM, ACCESS=RW,$

This declaration gives Tom read and write (for adding new segment instances) access to the data source.

You can assign the ACCESS attribute one of four values. These are:

ACCESS=R     Read-only
ACCESS=W     Write only
ACCESS=RW    Read the data source and write new segment instances
ACCESS=U     Update only

Access levels affect what kind of commands a user can issue. Before you decide what access levels to assign to a user, consider what commands that user will need. If a user does not have sufficient access rights to use a given command, the following message appears:

(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: filename

ACCESS levels determine what a user can do to the data source. Use the RESTRICT attribute (discussed in Limiting Data Source Access: The RESTRICT Attribute) to limit the fields, values, or segments to which a user has access. Every USER attribute must be assigned an ACCESS attribute. The RESTRICT attribute is optional. Without it, the user has unlimited access to fields and segments within the data source.

Types of Access

The type of access granting use of various FOCUS commands is shown in the following table. When more than one type of access is shown, any type of access marked will allow the user at least some use of that command. Often, however, the user will be able to use the command in different ways, depending on the type of access granted.

Command     R    W    RW   U    DBA
CHECK       X    X    X    X    X
CREATE      -    -    X    -    X
DECRYPT     -    -    -    -    X
DEFINE      X    -    X    -    X
ENCRYPT     -    -    -    -    X
FSCAN       -    X    X    X    X
HLI         -    -    X    -    X
MAINTAIN    -    X    X    X    X
MATCH       X    -    X    -    X
MODIFY      -    X    X    X    X
REBUILD     -    -    X    -    X
RESTRICT    -    -    -    -    X
SCAN        -    -    X    X    X
TABLE       X    -    X    -    X

CHECK Command

Users without the DBA password or read/write access are allowed limited access to the CHECK command. However, when the HOLD option is specified, the warning ACCESS LIMITED BY PASSWORD is produced, and restricted fields are propagated to the HOLD file depending on the DBA RESTRICT attribute. Refer to Limiting Data Source Access: The RESTRICT Attribute for more information on the RESTRICT attribute.

Reference: RESTRICT Attribute Keywords

The RESTRICT attribute keywords affect the resulting HOLD file created by the CHECK command as follows:

FIELD

Fields named with the NAME parameter are not included in the HOLD file.

SEGMENT

The segments named with the NAME parameter are included, but fields in those segments are not.

SAME

The behavior is the same as for the user named in the NAME parameter.

NOPRINT

Fields named in the NAME or SEGNAME parameter are included since the user can reference these.

VALUE

Fields named in the VALUE parameter are included since the user can reference these.

Note: RESTRICT=PROGRAM has no effect on CHECK FILE HOLD.

If you issue the CHECK command with the PICTURE option, the RESTRICT attribute keywords affect the resulting picture as follows:

FIELD

Fields named with the NAME parameter are not included in the picture.

SEGMENT

The boxes appear for segments named with the NAME parameter, but fields in those segments do not.

SAME

The behavior is the same as for the user named in the NAME parameter.

NOPRINT

This option has no effect on the picture.

VALUE

This option has no effect on the picture.

CREATE Command

Only users with the DBA password or read/write (RW) access rights can issue a CREATE command.

DECRYPT Command

Only users with the DBA password can issue a DECRYPT command.

Any attempt to decrypt a Master File that contains DBA when MASTER=OLD generates the following message:

(FOC209) THE DATA VALUE EXCEEDS ITS LENGTH SPECIFICATION

DEFINE Command

As with all reporting commands, a user need only have an access of R (read only) to use the DEFINE command. An access of R permits the user to read records from the data source and prepare reports from them. The only users who cannot use the DEFINE command are those whose access is W (write only) or U (update only).

ENCRYPT Command

Only users with the DBA password can use the ENCRYPT command.

Host Language Interface (HLI)

To use the Host Language Interface, a user must have read/write (RW) access. With ACCESS=RW, FIELD and SEGMENT restrictions are active, but VALUE restrictions are not. (See Limiting Data Source Access: The RESTRICT Attribute for information on these restrictions.)

The password is placed in the File Control Block (FCB), words 19 and 20 (bytes 73 to 80).

MODIFY or MAINTAIN Command

Users with ACCESS=W, RW, or U can use the MODIFY or MAINTAIN command. In MODIFY or MAINTAIN, access of U does not allow the user to use the INCLUDE and DELETE actions; only UPDATE operations are permitted. Both ACCESS=RW and ACCESS=W allow full use of all the MODIFY or MAINTAIN features. New instances of data may be added to a data source and old ones deleted; existing values may be updated.

Users with ACCESS=R (read only) can use the MAINTAIN command to retrieve information from the data source. Users with read-only access cannot use the MODIFY command.

REBUILD Command

Only users with the DBA password or read/write (RW) access rights can issue the REBUILD command. This command is only for FOCUS data sources.

RESTRICT Command

Only users with the DBA password may use the RESTRICT command.

FSCAN Facility

Users with ACCESS=RW have unlimited access to the data source, except for any restrictions imposed by the RESTRICT or NAME attributes. Users with ACCESS=U can display the entire data source, except for any restrictions imposed by the RESTRICT or NAME attributes; however, users with ACCESS=U cannot input or delete instances and can update non-key fields only. Users whose access to any portion of the data source is limited to ACCESS=R cannot use FSCAN.

FSCAN honors DBA security restrictions on segments and fields; it prohibits display of those segments and fields from which the user is restricted. FSCAN does not honor DBA field value restrictions and will display all field values regardless of the user.

If the user has no access to a key field in the root segment, that user is blocked from using FSCAN on the data source. If the user has no access to a segment, that segment is not listed on the menu that appears when the user enters the CHILD command.
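
The following Python audit is an added example, not part of the original documentation or of FOCUS itself. It checks security declarations against the rules above and flags users whose RESTRICT=VALUE rule is not enforced under FSCAN or HLI. The sample declarations, the password, and the names EMPSEG, DEPT and SALARY are constructed, and the RESTRICT/NAME/VALUE layout is assumed to use the same comma-separated form as USER and ACCESS.

```python
import re

VALID_ACCESS = {"R", "W", "RW", "U"}
FSCAN_ACCESS = {"W", "RW", "U"}  # non-DBA columns marked for FSCAN in the table
HLI_ACCESS = {"RW"}              # non-DBA column marked for HLI in the table

# Constructed sample declarations (assumed layout, not taken from a real Master File).
SAMPLE = """
DBA=EXAMPLEPW,$
USER=TOM, ACCESS=RW,$
USER=ANN, ACCESS=R, RESTRICT=VALUE, NAME=EMPSEG, VALUE=DEPT EQ 'SALES',$
USER=RAJ, ACCESS=U, RESTRICT=VALUE, NAME=EMPSEG, VALUE=DEPT EQ 'SALES',$
USER=LEE, RESTRICT=FIELD, NAME=SALARY,$
USER=KIM, ACCESS=RW, RESTRICT=VALUE, NAME=EMPSEG, VALUE=DEPT EQ 'SALES',$
"""

def parse_declarations(text):
    """Split on the '$' terminator and return one dict of ATTR=value per declaration.
    Assumes no '$' or ',' occurs inside an attribute value."""
    decls = []
    for chunk in text.split("$"):
        pairs = re.findall(r"(\w+)\s*=\s*([^,]+)", chunk)
        if pairs:
            decls.append({k.upper(): v.strip() for k, v in pairs})
    return decls

def audit(text):
    """Return (user, finding) tuples for declarations that need review."""
    findings = []
    for d in parse_declarations(text):
        if "USER" not in d:
            continue  # the DBA declaration needs no USER or ACCESS attribute
        user, access = d["USER"], d.get("ACCESS", "").upper()
        if access not in VALID_ACCESS:
            findings.append((user, "BAD_ACCESS"))  # every USER needs an ACCESS
            continue
        restrict = d.get("RESTRICT", "").upper()
        if not restrict:
            findings.append((user, "NO_RESTRICT"))  # unlimited fields and segments
        elif restrict == "VALUE":
            if access in FSCAN_ACCESS:  # FSCAN displays all field values
                findings.append((user, "FSCAN_IGNORES_VALUE"))
            if access in HLI_ACCESS:    # VALUE restrictions inactive under HLI
                findings.append((user, "HLI_IGNORES_VALUE"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

ANN produces no finding because ACCESS=R permits neither FSCAN nor HLI, so her VALUE restriction is not exposed by either facility.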

SCAN Facility

The rules for accessing a data source are the same as for FSCAN except that, in addition, users with ACCESS=W cannot use SCAN.

TABLE or MATCH Command

A user who has access of R or RW may use the TABLE command. Users with access of W or U may not.