Copyright 2007, Information Builders. Slide 1 Restricting Access To a File Walter Brengel June, 2008

Restricting Access To a File


Page 1: Restricting Access To a File

Restricting Access To a File

Walter Brengel

June, 2008

Page 2: Restricting Access To a File

Restricting Access to a File: AGENDA

DBA
  What Is It?
  How To Implement?
  Limitations
  DBA File

FILTERs
  How They Differ From DBA
  How To Use
  Dynamic Filtering

Page 3: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS SECURITY

Any Data Source Can Be Protected For Reporting.

Implemented With The DBA Attributes In MFD, And SET PASS = PASSWORD.

Coded In The Master File Description Or Focus Synonym (MFD).

    FILENAME = PERS, SUFFIX = FILE TYPE,$
    END
    DBA=DBAVALUE,$
    USER=USER ,ACCESS=ACCESS RIGHTS, $

Limits The Records That A User Can Read Or Update In A File/Table.

Can Be Used As The Only Security Or Supplement Existing Security (Such As RACF).

Page 4: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

DBA Security Specifies:

  The Password For The Database Administrator, With Unlimited Access To The Data Source.

  Password Used To Encrypt/Decrypt The Master File.

  The Password(s) Of FOCUS Users Granted Access To A Data Source.

  The DEFAULT Password Of A User Upon Entering FOCUS/WEBFOCUS Is Blank (' ').

User Password Information Contains:

  The Type Of Access The User Is Granted.

  Restrictions On That Data

  The Segments And Fields User Is Not Permitted To Retrieve.

  Values Which Become Automatic ‘Filters’ On The Data.

Page 5: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

    DBA=JONESABC,$
    USER=SUPER ,ACCESS=RW, $
    USER=' ',ACCESS=R,RESTRICT=VALUE,
      NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
    USER=HR ,ACCESS=R ,RESTRICT=SEGMENT, NAME=FUNDTRAN ,$
    USER=MISAdmin, ACCESS=W, RESTRICT=VALUE, NAME=SALTEST,
      VALUE=INCREASE+SALARY GE SALARY,$
    ACCESS=R, RESTRICT=VALUE,
      NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS',$

Page 6: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Data Base Administrator - DBA=JONESABC,$

Every Data Source Having Access Limits Must Have A DBA.

Groups Of Cross-referenced Data Sources (Or Files To Be Combined Together) Must Have The Same DBA Value.

Partitioned FOCUS/XFOCUS Data Sources, Which Are Read Together In The USE Command Or Through An Access File, Must Have The Same DBA Value.

The DBA Has Unlimited Access To The Data Source And All Cross-referenced Data Sources.

You Cannot Encrypt And Decrypt Master Files Or Restrict Existing Data Sources Without The DBA Password.

Page 7: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

USER Access to Data

    USER = name

Name Is A Password Of Up To 64 Characters For The User.

The Password Can Include Special Characters.

If The Password Contains Blanks, It Must Be Enclosed In Single Quotation Marks.

Passwords Are Case Sensitive

    SET DBACSENSITIV = ON

Or Case Insensitive

    SET DBACSENSITIV = OFF

Page 8: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Non-Overridable User Passwords

    SET PERMPASS = password

The PERMPASS Parameter Establishes A User Password That Remains In Effect Throughout A Session Or Connection.

The User Cannot Issue The SET PASS Or SET USER Command To Change To A User Password With Different Security Rules. Any Attempt To Do So Generates The Following Message:

    Permanent PASS Is In Effect. Your PASS Will Not Be Honored.
    VALUE WAS NOT CHANGED

FOCUS Passwords May Be Set In MVS Via The FOCUSID Exit, Which Sets The User Password Based On RACF/ACF2/TOP SECRET Or Customer Specific Rules.

Returned Passwords Of 8 Characters Are Non-overridable.

Returned Passwords Of Less Than 8 Characters Ending In . (Period) Are Non-overridable.

Page 9: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

ACCESS attribute

    USER=password, ACCESS=RW,$

    ACCESS=R    Read-Only (TABLE/TABLEF/MATCH FILE)
    ACCESS=W    Write Only (MODIFY/MAINTAIN)
    ACCESS=RW   Read/Write (All FOCUS Commands)
    ACCESS=U    Update Only (MODIFY/MAINTAIN, But No New Records/Rows Will Be Included).

Page 10: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

RESTRICT attribute

    USER=name, ACCESS=access, RESTRICT=level, NAME=levelname, [VALUE=test],$

FIELD - Specifies That The User Cannot Access The Named Fields.

SEGMENT - Specifies That The User Cannot Access The Named Segments.

PROGRAM - Specifies That The Program Named With The NAME Parameter Will Be Called Whenever The User Uses The Data Source.

SAME - Specifies That The User Has The Same Restrictions As The User Named In The NAME Parameter.

NOPRINT - Specifies That The Field Named In The NAME Parameter Can Be Mentioned In A Request Statement, But Will Show Default Values Of Blank Or Zero.

This Option Is Not Supported With Relational Data Sources.

Page 11: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

    RESTRICT=VALUE,NAME=name,VALUE=test

ACCESS=R

NAME = SYSTEM - The Test Specified In VALUE Will Be Applied For Any Report Request Against The File.

NAME = segname - The Test Specified In VALUE Will Be Applied For Any Report Request That Requires The Segment Named.

VALUE = test - Generates IF Test, So Must Be Of The Form:

    field relation value [OR value …]

Page 12: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

    RESTRICT=VALUE,NAME=name,VALUE=test

ACCESS=W

NAME=segname - The Test Is Applied Prior To Any UPDATE / INCLUDE At That Segment Level.

NAME=testname - The Test Is Applied At Transaction Input As A “Global” VALIDATE.

VALUE= test - Becomes VALIDATE Name/I1 = Testname; Return Of 0 Fails The Validation, Anything Else Passes.

Page 13: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

DBAFILE - Security Information in a Central Master File

DBAFILE Attribute Places All Passwords And Restrictions For Multiple Master Files In One Central File.

Each Individual Master File Points To This Central Control File.

Groups Of Master Files With The Same DBA Password May Share A Common DBAFILE Which Itself Has The Same DBA Password.

Benefits:

  Passwords Only Have To Be Stored Once When They Are Applicable To A Group Of Data Sources.

  Data Sources With Different User Passwords Can Be JOINed Or COMBINEd With Applicable Passwords Implemented.

Page 14: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

FILE=filename …

END

DBA=dbaname, DBAFILE=filename ,$

Where:

dbaname Is the same as the dbaname in the central file.

filename Is the name of the central file.

Page 15: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

EMPLOYEE MASTER

    FILENAME=EMPLOYEE,SUFFIX=FOC,$
    ….
    END
    DBA=JONESABC, DBAFILE=DBAF4,$

JOBFILE MASTER

    FILENAME=JOBFILE,SUFFIX=FOC,$
    ….
    END
    DBA=JONESABC, DBAFILE=DBAF4,$

EDUCFILE MASTER

    FILENAME=EDUCFILE,SUFFIX=FOC,$
    ….
    END
    DBA=JONESABC, DBAFILE=DBAF4,$

Page 16: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

DBAF4 MASTER

    FILENAME=DBAF4,SUFFIX=FOC,$
    SEGNAME=ONE,SEGTYPE=S1
    FIELD=DUMMY,,A1,$
    END
    DBA=JONESABC,$
    USER=ADMIN,ACCESS=R,$
    USER=ADMIN2,ACCESS=R,$
    USER=SUPER ,ACCESS=RW,$
    USER=,ACCESS=R,RESTRICT=VALUE,
      NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
    FILENAME=JOBFILE,$
    USER=JOBADMIN,ACCESS=W,$
    FILENAME=EDUCFILE,$
    USER=EDADMIN,ACCESS=W,$

Page 17: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Limitations

  ACCESS = R Must Be “IF” field relation value [OR value…]

  ACCESS = W Must Be Phrased As Boolean (True/False) Expression For Validate.

  MASTER Must Be Encrypted Or All DBA Is Viewable

  Changes To MFDs Are Not Always Possible

  Large Number Of Restrictions Becomes Difficult

Alternatives

  IF Rule May Be Avoided With DEFINE In MASTER, And VALUE Restriction On DEFINE Field

  For Security WITHOUT A MFD Change, Use FILTER FILE

Page 18: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

    RESTRICT=VALUE,NAME=TEST,

    ACCESS=  Test                                     Result
    -------  ---------------------------------------  -------
    RW       DEPARTMENT EQ 'MIS'                      VALID
    R        RECORDLIMIT EQ 10                        VALID
    W        RECORDLIMIT EQ 10                        INVALID
    W        CSAL * 1.10 LE 100000                    VALID
    R        CSAL * 1.10 LE 100000                    INVALID
    W        DEPARTMENT EQ 'MIS' AND CSAL GT 100000   VALID
    R        DEPARTMENT EQ 'MIS' AND CSAL GT 100000   INVALID
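An audit sketch for the limitations on the two slides above, added here as an example (it is not code from the presentation or from Information Builders). It parses the DBA declarations that follow END in a plain-text Master File and reports a readable DBA section, users with no RESTRICT, and ACCESS=R tests that are not of the form field relation value [OR value]. The sample Master File is constructed from the deck's examples, the function names are hypothetical, and the relation list in the pattern is an assumed subset.

```python
import re

# Constructed Master File, modeled on the deck's DBA examples (not a real file).
SAMPLE_MASTER = """\
FILENAME=PERS, SUFFIX=FOC,$
FIELD=EMP_ID,,A9,$
END
DBA=JONESABC,$
USER=SUPER, ACCESS=RW,$
USER=' ', ACCESS=R, RESTRICT=VALUE,
  NAME=SYSTEM, VALUE=RECORDLIMIT EQ 50,$
USER=HR, ACCESS=R, RESTRICT=SEGMENT, NAME=FUNDTRAN,$
USER=HR2, ACCESS=R, RESTRICT=VALUE,
  NAME=SYSTEM, VALUE=DEPARTMENT EQ 'MIS' AND CSAL GT 100000,$
USER=GUEST, ACCESS=R,$
"""

# "field relation value [OR value ...]"; the relation list is an assumed subset.
IF_TEST = re.compile(
    r"^\w+\s+(EQ|NE|GT|GE|LT|LE)\s+('[^']*'|\S+)(\s+OR\s+('[^']*'|\S+))*$", re.I)

def parse_dba(master_text):
    """Return (dba_value, user_rules) from the declarations that follow END."""
    _, _, section = master_text.partition("\nEND")
    dba, rules = None, []
    for decl in section.split("$"):  # every declaration is terminated by ,$
        pairs = (p.partition("=") for p in decl.replace("\n", " ").split(","))
        attrs = {k.strip().upper(): v.strip() for k, sep, v in pairs if sep}
        if "DBA" in attrs:
            dba = attrs["DBA"]
        elif "USER" in attrs:
            rules.append(attrs)
    return dba, rules

def audit(master_text):
    """Return (user, finding) pairs for the limitations listed in the deck."""
    dba, rules = parse_dba(master_text)
    # A DBA value that parses at all means the Master File is stored unencrypted.
    findings = [("*", "DBA section readable: Master File not encrypted")] if dba else []
    for r in rules:
        user, access = r["USER"], r.get("ACCESS", "").upper()
        if "RESTRICT" not in r:
            findings.append((user, f"ACCESS={access} with no RESTRICT"))
        elif (access == "R" and r["RESTRICT"].upper() == "VALUE"
              and not IF_TEST.match(r.get("VALUE", ""))):
            findings.append((user, "ACCESS=R test is not an IF-form test"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_MASTER), sep="\n")
```
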

Page 19: Restricting Access To a File

Restricting Access to a File: FILTER FILE

Restricts Access To Data Without Specifying Rules In The Master File.

DEFINITIONS At File Containing If Or Where Criteria.

Each “Filter” Can Be Activated Or Deactivated.

Active “Filters” Are In Effect For Any Request Against A File.

Can Be Built Within The Session, Or As Part Of Profile Processing For Dynamic Restrictions.

May Use &Variables For Selection Of Security

Page 20: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Syntax:

    FILTER FILE filename [CLEAR|ADD]
    [filter-defines;]
    NAME=filtername1 [,DESC=text]
    Where or if phrases
    ...
    NAME=filternamen [,DESC=text]
    Where or if phrases
    END

Page 21: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

FILTER ACTIVATION

    SET FILTER= {*|xx[ yy zz]} IN file {ON|OFF}

Where:

    *          Specifies ALL Filters For Specified Source
    xx yy zz   Named Filters For Specified Source
    ON/OFF     Activates Or Deactivates Specified Filter(s)

Page 22: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Example

    FILTER FILE EMPDATA
    INCREASE/D7 = IF CJC EQ 'B01' THEN .20 ELSE 0;
    NAME=TEST1, WHERE INCREASE + SALARY GT SALARY;
    NAME= MIS, IF DEPARTMENT EQ 'MIS'
    END

    SET FILTER = TEST1 IN EMPDATA ON

Page 23: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Special Considerations

FILTERs Are Valid For The Structure At The Time The FILTER FILE Is Issued.

JOIN Will Clear All Filters Declared For Host File Prior To The Join.

JOIN CLEAR Will Clear All FILTERS Declared For Host File AFTER The JOIN Was Issued.

SET KEEPFILTERS=On Will Retain Filters Regardless Of Join.

Active Filters For A Cross-referenced File Are In Effect, And Need Not Be Declared For The JOIN Structure.

Page 24: Restricting Access To a File

Restricting Access to a File: WebFOCUS/FOCUS Security

Dynamic Filters

    USERID  WHERETEST
    ------  ---------
            WHERE RECORDLIMIT EQ 5
    HR1     WHERE (CSAL * 1.1) LE 100000
    HR2     WHERE DEPARTMENT EQ 'MIS' AND CSAL GT 100000
    MIS     WHERE DEPARTMENT EQ 'MIS'
    NEWEMP  WHERE HIRE_DATE GE '19800101'
    SUPER   WHERE DEPARTMENT NE ' '
    U1      WHERE EMP_ID EQ &USERID

    FILE=SECURITY,SUFFIX=FOC,
    SEGNAME=ONE,SEGTYPE=S0
    FIELD=USERID,,A8,$
    FIELD=WHERETEST,,A80,$
    END
    DBA=________,$

Page 25: Restricting Access To a File

Restricting Access to a File: FOCPARM/EDASPROF

    -* Map the connected user ID to a row of the SECURITY file
    -SET &USERID = GETUSER('A8');
    FILEDEF SCE DISK SCE.FEX
    -SET &USERID1 = IF &USERID EQ 'IBIWXB' THEN 'SUPER'
    - ELSE IF &USERID EQ 'IBICJP' THEN 'MIS' ELSE ' ';
    -* Read that user's WHERE test with the DBA password, then reset the password to blank
    SET PASS=________
    TABLE FILE SECURITY
    PRINT WHERETEST
    WHERE USERID EQ '&USERID1'
    ON TABLE SAVE AS SCE
    END
    -RUN
    SET PASS = ' '
    -* Build the filter from the saved test and activate it
    FILTER FILE EMPDATA
    NAME=SECURITY,
    -INCLUDE SCE
    END
    SET FILTER =SECURITY IN EMPDATA ON

Page 26: Restricting Access To a File

Restricting Access to a File: USERID = IBIWXB (SUPER)

    EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
    ------     ----------  ---------  ----------
    071382660  PRODUCTION  STEVENS    ALFRED
    112847612  MIS         SMITH      MARY
    117593129  MIS         JONES      DIANE
    119265415  PRODUCTION  SMITH      RICHARD
    119329144  PRODUCTION  BANNING    JOHN
    123764317  PRODUCTION  IRVING     JOAN
    126724188  PRODUCTION  ROMANS     ANTHONY
    219984371  MIS         MCCOY      JOHN
    326179357  MIS         BLACKWOOD  ROSEMARIE
    451123478  PRODUCTION  MCKNIGHT   ROGER
    543729165  MIS         GREENSPAN  MARY
    818692173  MIS         CROSS      BARBARA

Page 27: Restricting Access To a File

Restricting Access to a File: USERID = IBINMR (' ')

    PAGE 1

    EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
    ------     ----------  ---------  ----------
    071382660  PRODUCTION  STEVENS    ALFRED
    112847612  MIS         SMITH      MARY
    117593129  MIS         JONES      DIANE
    119265415  PRODUCTION  SMITH      RICHARD
    119329144  PRODUCTION  BANNING    JOHN

Page 28: Restricting Access To a File

Review

DBA
  What Is It?
  How To Implement?
  Limitations
  DBA File

FILTERs
  How They Differ From DBA
  How To Use
  Dynamic Filtering

Page 29: Restricting Access To a File

Questions