Placing Security Information in a Central Master File

In this section:

How to:

The DBAFILE attribute enables you to place all passwords and restrictions for multiple Master Files in one central file. Each individual Master File points to this central control file. Groups of Master Files with the same DBA password may share a common DBAFILE which itself has the same DBA password.

There are several benefits to this technique, including:

The central DBAFILE is a standard Master File. Other Master Files can use the password and security restrictions listed in the central file by specifying its file name with the DBAFILE attribute.

Note:

Syntax: How to Place Security Attributes in a Central Master File

END
DBA=dbaname, DBAFILE=filename ,$

where:

dbaname

Is the same as the dbaname in the central file.

filename

Is the name of the central file.

You can specify passwords and restrictions in a DBAFILE that apply to every Master File that points to that DBAFILE. You can also include passwords and restrictions for specific Master Files by including FILENAME attributes in the DBAFILE.

Example: Placing Security Attributes in a Central Master File

The following example shows a group of Master Files that share a common DBAFILE named FOUR:

ONE MASTER
FILENAME=ONE
  .
  .
END
DBA=ABC, DBAFILE=FOUR,$
TWO MASTER
FILENAME=TWO
  .
  .
END
DBA=ABC, DBAFILE=FOUR,$
THREE MASTER
FILENAME=THREE
  .
  .
END
DBA=ABC,
DBAFILE=FOUR,$
FOUR MASTER
FILENAME=FOUR,$
SEGNAME=mmmmm,$
FIELDNAME=fffff,$
END
DBA=ABC,$
   PASS=BILL,ACCESS=R,$
   PASS=JOE,ACCESS=R,$
FILENAME=TWO,$
   PASS=HARRY,ACCESS=RW,$
FILENAME=THREE,$
   PASS=JOE,ACCESS=R,RESTRICT=...,$
   PASS=TOM,ACCESS=R,$

Example: Using DBAFILE With a Join Structure

The following request joins the TRAINING data source to the EMPDATA and COURSE data sources, and then issues a request against the joined structure:

JOIN CLEAR *
JOIN COURSECODE IN TRAINING TO COURSECODE IN COURSE AS J1
JOIN PIN IN TRAINING TO PIN IN EMPDATA AS J2
TABLE FILE TRAINING
PRINT COURSECODE AS 'CODE' CTITLE
   LOCATION AS 'LOC'
BY LASTNAME
WHERE COURSECODE NE '   '
WHERE LOCATION EQ 'CA' OR LOCATION LIKE 'N%'
END

When the Master Files do not have DBA attributes, the output is:

LASTNAME         CODE     CTITLE                               LOC
--------         ----     ------                               ---
ADAMS            EDP750   STRATEGIC MARKETING PLANNING         NJ 
CASTALANETTA     EDP130   STRUCTURED SYS ANALYSIS WKSHP        NY 
                 AMA130   HOW TO WRITE USERS MANUAL            CA 
CHISOLM          EDP690   APPLIED METHODS IN MKTG RESEARCH     NJ 
FERNSTEIN        MC90     MANAGING DISTRIBUTOR SALE NETWORK    NY 
GORDON           SFC280   FUND OF ACCTG FOR SECRETARIES        NY 
LASTRA           MC90     MANAGING DISTRIBUTOR SALE NETWORK    NY 
MARTIN           EDP130   STRUCTURED SYS ANALYSIS WKSHP        CA 
MEDINA           EDP690   APPLIED METHODS IN MKTG RESEARCH     NJ 
OLSON            PU168    FUNDAMNETALS OF MKTG COMMUNICATIONS  NY 
RUSSO            PU168    FUNDAMNETALS OF MKTG COMMUNICATIONS  NY 
SO               BIT420   EXECUTIVE COMMUNICATION              CA 
WANG             PU440    GAINING COMPETITIVE ADVANTAGE        NY 
WHITE            BIT420   EXECUTIVE COMMUNICATION              CA

The EMPDATA Master File will be the central DBAFILE for the request. Add the following DBA attributes to the bottom of the EMPDATA Master File:

END                       
DBA=DBA1,$                
USER = EUSER, ACCESS = R,$
FILENAME = COURSE         
USER = CUSER2, ACCESS=RW,$

With these DBA attributes, user EUSER will have read access to all files that use EMPDATA as their DBAFILE. User CUSER2 will have read/write access to the COURSE data source.

Add the following security attributes to the bottom of the COURSE Master File. These attributes makes the EMPDATA Master File the central file that contains the security attributes to use for access to the COURSE data source and it sets the DBA attribute to the same value as the DBA attribute in the EMPDATA Master File:

END                         
DBA = DBA1, DBAFILE=EMPDATA,$

Add the following security attributes to the bottom of the TRAINING Master File. These attributes makes the EMPDATA Master File the central file that contains the security attributes to use for access to the TRAINING data source and it sets the DBA attribute to the same value as the DBA attribute in the EMPDATA Master File:

END                         
DBA = DBA1, DBAFILE=EMPDATA,$

Now, in order to run a request against the JOIN structure, there must be a current user password with read access in effect for each file in the JOIN. Issue the following SET PASS command and run the request:

SET PASS = EUSER

or

SET PASS = EUSER IN *

The request runs and produces output because EUSER is a valid user in each of the files in the join.

Since the EMPDATA Master File identifies CUSER2 as a valid user for the COURSE Master File, you can also run the request with the following SET PASS command:

SET USER = EUSER IN EMPDATA, EUSER IN TRAINING, CUSER2 IN COURSE

Issuing a SET PASS command that does not specify a valid password for each file in the JOIN structure produces one of the following messages, and the request does not run:

(FOC052) THE USER DOES NOT HAVE ACCESS TO THE FIELD: fieldname
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: filename

File Naming Requirements for DBAFILE

When a DBAFILE includes a FILENAME attribute for a specific Master File, the FILENAME attribute in the referencing Master File must be the same as the FILENAME attribute in the DBA section of the DBAFILE. This prevents users from renaming a Master File to a name unknown by the DBAFILE.

Example: DBAFILE Naming Conventions

ONE MASTER
FILENAME=XONE
  .
  .
  .
END
DBA=ABC, DBAFILE=FOUR,$
 
 
FOUR MASTER
FILENAME=XFOUR
  .
  .
  .
END
DBA=ABC,$
  .
  .
  .
FILENAME=XONE,$
  .
  .
  .

ONE MASTER is referred to in requests as TABLE FILE ONE. However, both ONE MASTER and the DBA section of the DBAFILE, FOUR MASTER, specify FILENAME=XONE.

For security reasons, the FILENAME attribute in the Master File containing the DBAFILE information should not be the same as the name of that Master File. Note that in Master File FOUR, the FILENAME attribute specifies the name XFOUR.

Connection to an Existing DBA System With DBAFILE

If there is no mention of the new attribute, DBAFILE, there will be no change in the characteristics of an existing system. In the current system, when a series of data sources is JOINed, the first data source in the list is the controlling data source. Its passwords are the only ones examined. For a COMBINE, only the last data source passwords take effect. All data sources must have the same DBA password.

In the new system, the DBA sections of all data sources in a JOIN or COMBINE are examined. If DBAFILE is included in a Master File, then its passwords and restrictions are read. To make the DBA section of a data source active in a JOIN list or COMBINE, specify DBAFILE for that data source.

After you start to use the new system, convert all of your Master Files. For Database Administrators who want to convert existing systems but do not want a separate physical DBAFILE, the DBAFILE attribute can specify the data source itself.

Example: Connecting to an Existing DBA System With DBAFILE

FILENAME=SEVEN,
  SEGNAME=..
    FIELDNAME=...
     .
     .
     .
END
DBA=ABC,DBAFILE=SEVEN,$    (OR DBAFILE= ,$)
 PASS=...
 PASS=...

Combining Applications With DBAFILE

Since each data source now contributes its own restrictions, you can JOIN and COMBINE data sources that come from different applications and have different user passwords. The only requirement is a valid password for each data source. You can therefore grant access rights for one application to an application under the control of a different DBA by assigning a password in your system.

You can assign screening conditions to a data source that are automatically applied to any report request that accesses the data source. See the Creating Reports manual for details.