|
In this section: |
|
How to: |
The ACCESS attribute determines what a user can do with a data source.
The optional RESTRICT attribute further restricts a user access to certain fields, values, or segments.
The RESTRICT=VALUE attribute supports those criteria that are supported by the IF phrase. The RESTRICT=VALUE_WHERE attribute supports all criteria supported in a WHERE phrase, including comparison between fields and use of functions. The WHERE expression will be passed to a configured adapter when possible.
...RESTRICT=level, NAME={name|SYSTEM} [,VALUE=test],$
or
...RESTRICT=VALUE_WHERE, NAME=name, VALUE=expression; ,$
where:
Can be one of the following:
USER=MARY ,ACCESS=R ,RESTRICT=NOPRINT ,NAME=EMP_ID , VALUE=CURR_SAL LT 10000;,$
Note: A field with RESTRICT=NOPRINT can be referenced in a display command (verb), but not in any type of filtering command, such as IF, WHERE, FIND, LOOKUP, or VALIDATE.
Is the name of the field or segment to restrict. When used after NOPRINT, this can only be a field name. NAME=SYSTEM, which can only be used with value tests, restricts every segment in the data source, including descendant segments. Multiple fields or segments can be specified by issuing the RESTRICT attribute several times for one user.
Note: With value restrictions, NAME=segment restricts the named segment and any segment lower in the hierarchy, whether or not an alternate file view changes the retrieval view. This means that if a parent segment has a value restriction, and a join or alternate file view makes a child segment the new root, the value restriction on the original parent will still apply to the new root.
Specifies that the user can have access to only those values that meet the test described in the test parameter.
Is the value test that the data must meet before the user can have access to it. The test is an expression supported in an IF phrase.
Specifies that the user can have access to only those values that meet the test described in the expression parameter.
Is the value test that the data must meet before the user can have access to it. The test is an expression supported in a WHERE phrase.
Note: The semicolon (;) is required.
Add the following DBA declarations to the end of the GGSALES Master File. These declarations give USER1 access to the West region and to products that start with the letter C:
END
DBA = USERD,$
USER = USER1, ACCESS = R, NAME = SALES01, RESTRICT = VALUE_WHERE,
VALUE = REGION EQ 'West' AND PRODUCT LIKE 'C%'; ,$ The following request sets the password to USER1 and sums dollar sales and units by REGION, CATEGORY, and PRODUCT:
SET USER = USER1 TABLE FILE GGSALES SUM DOLLARS UNITS BY REGION BY CATEGORY BY PRODUCT END
The output only displays those regions and products that satisfy the WHERE expression in the Master File:
Region Category Product Dollar Sales Unit Sales
------ -------- ------- ------------ ----------
West Coffee Capuccino 915461 72831
Food Croissant 2425601 197022
Gifts Coffee Grinder 603436 48081
Coffee Pot 613624 47432
If the RESTRICT=VALUE_WHERE attribute is changed to a RESTRICT=VALUE attribute, the expression is not valid, the following message is generated, and the request does not execute:
(FOC002) A WORD IS NOT RECOGNIZED: LIKE 'C%'
USER=BILL ,ACCESS=R ,RESTRICT=SEGMENT ,NAME=COMPSEG,$
|
How to: |
The RESTRICT attribute identifies the segments or fields that the user will not be able to access. Anything not named in the RESTRICT attribute will be accessible.
Without the RESTRICT attribute, the user has access to the entire data source. Users may be limited to reading, writing, or updating new records, but every record in the data source is available for the operation.
...RESTRICT=level, NAME=name,$
where:
Can be one of the following:
FIELD specifies that the user cannot access the fields named with the NAME parameter.
SEGMENT specifies that the user cannot access the segments named with the NAME parameter.
SAME specifies that the user has the same restrictions as the user named in the NAME parameter.
NOPRINT specifies that the field named in the NAME or SEGMENT parameter can be mentioned in a request statement but will not appear. When used after NOPRINT, NAME can only be a field name. A field with RESTRICT=NOPRINT can be referenced in a display command (verb), but not in any type of filtering command, such as IF, WHERE, FIND, LOOKUP, or VALIDATE.
Is the name of the field or segment to restrict. When used after NOPRINT, this can only be a field name.
NAME=SYSTEM, which can only be used with value tests, restricts every segment in the data source, including descendant segments. Multiple fields or segments can be specified by issuing the RESTRICT attribute several times for one user.
USER=HARRY, ACCESS=R, RESTRICT=FIELD, NAME=A,$ RESTRICT=SEGMENT, NAME=B,$
In the following example, Bill has read-only access to everything in the data source except the COMPSEG segment:
USER=BILL ,ACCESS=R ,RESTRICT=SEGMENT ,NAME=COMPSEG,$
In the following example, both Sally and Harry have the same access privileges as BILL. In addition, Sally is not allowed to read the SALARY field.
USER=BILL, ACCESS=R, RESTRICT=VALUE, NAME=IDSEG,
VALUE=DIVISION EQ 'WEST',$
USER=SALLY, ACCESS=R, RESTRICT=SAME, NAME=BILL,$
RESTRICT=FIELD, NAME=SALARY,$
USER=HARRY, ACCESS=R, RESTRICT=SAME, NAME=BILL,$
Note: A restriction on a segment also affects access to its descendants.
|
How to: |
You can also restrict the values to which a user has access by providing a test condition in your RESTRICT attribute. The user is restricted to using only those values that satisfy the test condition.
You can restrict values in one of two ways: by restricting the values the user can read from the data source, or restricting what the user can write to a data source. These restrictions are two separate functions: one does not imply the other. You use the ACCESS attribute to specify whether the values the user reads or the values the user writes are restricted.
You restrict the values a user can read by setting ACCESS=R and RESTRICT=VALUE. This type of restriction prevents the user from seeing any data values other than those that meet the test condition provided in the RESTRICT attribute. A RESTRICT attribute with ACCESS=R functions as an involuntary IF statement in a report request. Therefore, the syntax for ACCESS=R value restrictions must follow the rules for an IF test in a report request.
Note: RESTRICT=VALUE is not supported in Maintain Data.
...ACCESS=R, RESTRICT=VALUE, NAME=name, VALUE=test,$
where:
Is the name of the segment which, if referenced, activates the test. To specify all segments in the data source, specify NAME=SYSTEM.
Is the test being performed.
USER=TONY, ACCESS=R, RESTRICT=VALUE, NAME=IDSEG,
VALUE=DIVISION EQ 'WEST',$
With this restriction, Tony can only see records from the western division.
You type the test expression after VALUE=. The syntax of the test condition is the same as that used by the TABLE command to screen records, except the word IF does not precede the phrase. (Screening conditions in the TABLE command are discussed in the Creating Reports With TIBCO WebFOCUS® Language manual.) Should several fields have tests performed on them, separate VALUE attributes must be provided. Each test must name the segment to which it applies. For example:
USER=DICK, ACCESS=R, RESTRICT=VALUE, NAME=IDSEG,
VALUE=DIVISION EQ 'EAST' OR 'WEST',$
NAME=IDSEG,
VALUE=SALARY LE 10000,$If a single test condition exceeds the allowed length of a line, it can be provided in sections. Each section must start with the attribute VALUE= and end with the terminator (,$). For example:
USER=SAM, ACCESS=R, RESTRICT=VALUE, NAME=IDSEG,
VALUE=DIVISION EQ 'EAST' OR 'WEST',$
VALUE=OR 'NORTH' OR 'SOUTH',$
Note: The second and subsequent lines of a value restriction must begin with the keyword OR.
You can apply the test conditions to the parent segments of the data segments on which the tests are applicable. Consider the following example:
USER=DICK, ACCESS=R, RESTRICT=VALUE, NAME=IDSEG,
VALUE=DIVISION EQ 'EAST' OR 'WEST',$
NAME=IDSEG,
VALUE=SALARY LE 10000,$
The field named SALARY is actually part of a segment named COMPSEG. Since the test is specified with NAME=IDSEG, the test is made effective for requests on its parent, IDSEG. In this case, the request PRINT FULLNAME would only print the full names of people who meet this test, that is, whose salary is less than or equal to $10,000, even though the test is performed on a field that is part of a descendant segment of IDSEG. If, however, the test was made effective on COMPSEG, that is, NAME=COMPSEG, then the full name of everyone in the data source could be retrieved, but with the salary information of only those meeting the test condition.
In many cases, it will prove useful to issue both ACCESS=W (for data maintenance) and ACCESS=R (for TABLE) value restrictions for a user. This will both limit the values a user can write to the data source and limit the data values that the user can actually see. You do this by issuing a RESTRICT=VALUE attribute with ACCESS=R to prohibit the user from seeing any values other than those specified in the test condition. You then issue a RESTRICT=VALUE attribute with ACCESS=W that specifies the write restrictions placed on the user. You cannot use ACCESS=RW to do this.
Note: Write restrictions apply to data maintenance facilities not discussed in this manual. For more information, see the Maintain Data documentation.