In this section: |
Reference: |
You provide WebFOCUS security on a file-by-file basis. Implementing DBA security features is a straightforward process in which you specify:
The declarations (called security declarations) follow the END command in a Master File and tell WebFOCUS that security is needed for the data source and what type of security is needed. Each security declaration consists of one or several of the following attributes:
RW, which allows a user to both read and write to a data source.
R, which allows a user only to read data in a data source.
W, which allows a user to only write new segment instances to a data source.
U, which allows a user only to update records in a data source.
Describe your data source security by specifying values for these attributes in a comma-delimited format, just as you specify any other attribute in the Master File.
The word END on a line by itself in the Master File terminates the segment and field attributes and indicates that the access limits follow. If you place the word END in a Master File, it must be followed by at least a DBA attribute.
The following is a Master File that uses security features:
FILENAME = PERS, SUFFIX = FOC,$ SEGMENT = IDSEG, SEGTYPE = S1,$ FIELD = SSN ,ALIAS = SSN ,FORMAT = A9 ,$ FIELD = FULLNAME ,ALIAS = FNAME ,FORMAT = A40 ,$ FIELD = DIVISION ,ALIAS = DIV ,FORMAT = A8 ,$ SEGMENT=COMPSEG, PARENT=IDSEG, SEGTYPE=S1,$ FIELD = SALARY ,ALIAS = SAL ,FORMAT = D8 ,$ FIELD = DATE ,ALIAS = DATE ,FORMAT = YMD ,$ FIELD = INCREASE ,ALIAS = INC ,FORMAT = D6 ,$ END DBA=JONES76,$ USER=TOM ,ACCESS=RW, $ USER=BILL ,ACCESS=R ,RESTRICT=SEGMENT ,NAME=COMPSEG ,$ USER=JOHN ,ACCESS=R ,RESTRICT=FIELD ,NAME=SALARY ,$ NAME=INCREASE ,$ USER=LARRY ,ACCESS=U ,RESTRICT=FIELD ,NAME=SALARY ,$ USER=TONY ,ACCESS=R ,RESTRICT=VALUE ,NAME=IDSEG, VALUE=DIVISION EQ 'WEST' ,$ USER=MARY ,ACCESS=W ,RESTRICT=VALUE ,NAME=SALTEST, VALUE=INCREASE+SALARY GE SALARY,$ NAME=HISTTEST, VALUE=DIV NE ' ' AND DATE GT 0,$
How to: |
The first security attribute should be a password that identifies the Database Administrator. This password can be up to 64 characters long and is not case-sensitive. It can include special characters. If the DBA password contains blanks, it must be enclosed in single quotation marks. Since nothing else is needed, this line is terminated by the usual delimiter (,$).
Note:
DBA=JONES76,$
The DBA has the freedom to change any of the security attributes. If you change the DBA password in the Master File for an existing FOCUS data source, you must use the RESTRICT command to store the changed DBA password in each FOCUS data source affected by the change. Unless this is done, WebFOCUS assumes that the new description is an attempt to bypass the restriction rules. You use the following procedure for each data source affected:
SET PASS=old_DBA_password
RESTRICT mastername END
SET PASS=new_DBA_password
With the SET HOLDSTAT command, you can identify a data source containing DBA information and comments to be automatically included in HOLD and PCHOLD Master Files. For more information about the SET HOLDSTAT command, see the Developing Reporting Applications manual.
How to: |
The USER attribute is a password that identifies the users who have legitimate access to the data source. A USER attribute cannot be specified alone. It must be followed by at least one ACCESS restriction (discussed in Specifying an Access Type: The ACCESS Attribute) to specify what sort of ACCESS the user is granted.
Before using a secured data source, a user must enter the password using the SET PASS or SET USER command. If that password is not included in the Master File, the user is denied access to the data source. When the user does not have a password, or has one that is inadequate for the type of access requested, the following message appears:
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: filename
Any user whose name or password is not declared in the Master File is denied access to that data source. The syntax of the USER attribute is
USER = name
where:
Is a password of up to 64 characters for the user. The password can include special characters and is not case-sensitive. If the password contains blanks, it must be enclosed in single quotation marks.
You can specify a blank password (default value if not previously changed). Such a password does not require the user to issue a SET PASS= command. A blank password may still have access limits and is convenient when a number of users have the same access rights.
USER=TOM,...
An example of setting a user password to blank, and access to read only follows:
USER= , ACCESS=R,$
How to: |
The PERMPASS parameter establishes a user password that remains in effect throughout a session or connection. You can issue this setting in any supported profile but is most useful when established for an individual user by setting it in a user profile. It cannot be set in an ON TABLE phrase. It is recommended that it not be set in EDASPROF because it would then apply to all users.
All security rules established in the DBA sections of existing Master Files are respected when PERMPASS is in effect. The user cannot issue the SET PASS or SET USER command to change to a user password with different security rules. Any attempt to do so generates the following message:
(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. VALUE WAS NOT CHANGED
Note: Only one permanent password can be established in a session. Once it is set, it cannot be changed within the session.
SET PERMPASS=userpass
where:
Is the user password used for all access to data sources with DBA security rules established in their associated Master Files.
Consider the MOVIES Master File with the following DBA rules in effect:
DBA=USER1,$ USER = USERR, ACCESS = R ,$ USER = USERU, ACCESS = U ,$ USER = USERW, ACCESS = W ,$ USER = USERRW, ACCESS = RW,$
The following FOCEXEC sets a permanent password:
SET PERMPASS = USERU TABLE FILE MOVIES PRINT TITLE BY DIRECTOR END
The user has ACCESS=U and, therefore, is not allowed to issue a table request against the file:
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: CAR BYPASSING TO END OF COMMAND
The permanent password cannot be changed:
SET PERMPASS = USERRW
(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. VALUE WAS NOT CHANGED
The user password cannot be changed:
SET PASS = USERRW
(FOC32409) A permanent PASS is in effect. Your PASS will not be honored. VALUE WAS NOT CHANGED
How to: |
When a DBA or user issues the SET USER, SET PERMPASS or SET PASS command, this user ID is validated before they are given access to any data source whose Master File has DBA attributes. The password is also checked when encrypting or decrypting a FOCEXEC.
The SET DBACSENSITIV command determines whether the password is converted to uppercase prior to validation.
SET DBACSENSITIV = {ON|OFF}
where:
Does not convert passwords to uppercase. All comparisons between the password set by the user and the password in the Master File or FOCEXEC are case-sensitive.
Converts passwords to uppercase prior to validation. All comparisons between the password set by the user and the password in the Master File or FOCEXEC are not case-sensitive. OFF is the default value.
Consider the following DBA declaration added to the EMPLOYEE Master File:
USER = User2, ACCESS = RW,$
User2 wants to report from the EMPLOYEE data source and issues the following command:
SET USER = USER2
With DBACSENSITIV OFF, User2 can run the request even though the case of the password entered does not match the case of the password in the Master File.
With DBACSENSITIV ON, User2 gets the following message:
(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE:
With DBACSENSITIV ON, the user must issue the following command:
SET USER = User2
How to: |
A user must enter his or her password before using any FOCUS data source that has security specified for it. A single user may have different passwords in different files. For example, in file ONE, the rights of password BILL apply, but in file TWO, the rights of password LARRY apply. Use the SET PASS command to establish the passwords.
SET {PASS|USER} = name [[IN {file|* [NOCLEAR]}], name [IN file] ...]
where:
Is the user name or password. If a character used in the password has a special meaning in your operating environment (for example, as an escape character), you can issue the SET USER command in a FOCEXEC and execute the FOCEXEC to set the password. If the password contains a blank, you do not have to enclose it in single quotation marks when issuing the SET USER command.
Is the name of the Master File to which the password applies.
Indicates that name replaces all passwords active in all files.
Provides a way to replace all passwords in the list of active passwords while retaining the list.
In the following example, the password TOM is in effect for all data sources that do not have a specific password designated for them:
SET PASS=TOM
For the next example, in file ONE the password is BILL, and in file TWO the password is LARRY. No other files have passwords set for them:
SET PASS=BILL IN ONE, LARRY IN TWO
Here, all files have password SALLY except files SIX and SEVEN, which have password DAVE.
SET PASS=SALLY, DAVE IN SIX SET PASS=DAVE IN SEVEN
The password is MARY in file FIVE and FRANK in all other files:
SET PASS=MARY IN FIVE,FRANK
A list of the files for which a user has set specific passwords is maintained. To see the list of files, issue:
? PASS
When the user sets a password IN * (all files), the list of active passwords collapses to one entry with no associated file name. To retain the file name list, use the NOCLEAR option.
In the next example, the password KEN replaces all passwords active in all files, and the table of active passwords is folded to one entry:
SET PASS=KEN IN *
In the following, MARY replaces all passwords in the existing table of active passwords (which consists of files NINE and TEN) but FRANK is the password for all other files. The option NOCLEAR provides a shorthand way to replace all passwords in a specific list:
SET PASS=BILL IN NINE,TOM IN TEN SET PASS=MARY IN * NOCLEAR,FRANK
Note: The FIND function does not work with COMBINEd data sources secured with different passwords.
Users must issue passwords using the SET PASS command during each session in which they use a secured data source. They may issue passwords at any time before using the data source and can issue a different password afterward to access another data source.