Controlling the Source of Access Restrictions in a Multi-file Structure

How to:

Reference:

The DBASOURCE parameter determines which security attributes are used to grant access to multi-file structures. By default, access restrictions are based on the host file in a JOIN structure or the last file in a COMBINE structure. If you set the DBASOURCE parameter to ALL, access restrictions from all files in a JOIN or COMBINE structure will be enforced.

Note: You can also create and implement a DBAFILE to contain and enforce the access restrictions from all files in a JOIN or COMBINE structure. For information about using a central Master File to contain access restrictions, see Placing Security Information in a Central Master File.

The SET DBASOURCE command can only be issued one time in a session or connection. Any attempt to issue the command additional times will be ignored. If the value is set in a profile, no user can change it at any point in the session.

When DBASOURCE=ALL:

When DBASOURCE=HOST:

Syntax: How to Control Enforcement of Access Restrictions in a JOIN or COMBINE Structure

SET DBASOURCE = {HOST|ALL}

where:

HOST

Enforces access restrictions only from the host file in a JOIN structure or the last file in a COMBINE structure unless a DBAFILE is used to enforce access restrictions to other files in the structure. HOST is the default value.

ALL

Requires the user to have read access to every file in a JOIN or COMBINE structure. The user needs W, U, or RW access to a file in a COMBINE structure when an INCLUDE, UPDATE, or DELETE command is issued against that file.

Reference: Usage Notes for SET DBASOURCE

  • All files in the JOIN or COMBINE structure must have the same DBA password. If the DBA attributes are not the same, there will be no way to access the structure.
  • If the SET DBASOURCE command is issued more than once in a session, the following message displays and the value is not changed:
    (FOC32575) DBASOURCE  CANNOT BE RESET 
    VALUE WAS NOT CHANGED

Example: Controlling Access Restrictions in a JOIN

The following request joins the TRAINING data source to the EMPDATA and COURSE data sources and then issues a request against the joined structure:

JOIN CLEAR *
JOIN COURSECODE IN TRAINING TO COURSECODE IN COURSE AS J1
JOIN PIN IN TRAINING TO PIN IN EMPDATA AS J2
TABLE FILE TRAINING
PRINT COURSECODE AS 'CODE' CTITLE
   LOCATION AS 'LOC'
BY LASTNAME
WHERE COURSECODE NE '   '
WHERE LOCATION EQ 'CA' OR LOCATION LIKE 'N%'
END

When the Master Files do not have DBA attributes, the output is:

LASTNAME         CODE     CTITLE                               LOC
--------         ----     ------                               ---
ADAMS            EDP750   STRATEGIC MARKETING PLANNING         NJ 
CASTALANETTA     EDP130   STRUCTURED SYS ANALYSIS WKSHP        NY 
                 AMA130   HOW TO WRITE USERS MANUAL            CA 
CHISOLM          EDP690   APPLIED METHODS IN MKTG RESEARCH     NJ 
FERNSTEIN        MC90     MANAGING DISTRIBUTOR SALE NETWORK    NY 
GORDON           SFC280   FUND OF ACCTG FOR SECRETARIES        NY 
LASTRA           MC90     MANAGING DISTRIBUTOR SALE NETWORK    NY 
MARTIN           EDP130   STRUCTURED SYS ANALYSIS WKSHP        CA 
MEDINA           EDP690   APPLIED METHODS IN MKTG RESEARCH     NJ 
OLSON            PU168    FUNDAMNETALS OF MKTG COMMUNICATIONS  NY 
RUSSO            PU168    FUNDAMNETALS OF MKTG COMMUNICATIONS  NY 
SO               BIT420   EXECUTIVE COMMUNICATION              CA 
WANG             PU440    GAINING COMPETITIVE ADVANTAGE        NY 
WHITE            BIT420   EXECUTIVE COMMUNICATION              CA 

Now, add the following DBA attributes to the bottom of the TRAINING Master File:

END
DBA = DBA1,$
USER = TUSER, ACCESS =R,$

Running the same request produces the following message:

(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE:
TRAINING
BYPASSING TO END OF COMMAND

Now, issue the following SET PASS command:

SET PASS = TUSER

Add the following DBA attributes to the bottom of the COURSE Master File:

END                       
DBA = DBA1,$           
USER = CUSER, ACCESS = R,$

Add the following DBA attributes to the bottom of the EMPDATA Master File:

END                       
DBA = DBA1,$           
USER = EUSER, ACCESS = R,$

Note that the DBA attribute has the same value in all of the Master Files.

Now, run the request again. There will be no security violation, and the report output will be generated. Since the DBASOURCE parameter is set to HOST (the default), you can run the request using a password that is valid only in the host file.

Now, set the DBASOURCE parameter to ALL:

SET DBASOURCE = ALL
SET PASS = TUSER

Running the request produces the following message because TUSER is not a valid user for the COURSE data source:

(FOC052) THE USER DOES NOT HAVE ACCESS TO THE FIELD: CTITLE

Now, issue the following SET PASS command that sets a valid password for each file in the structure:

SET PASS = TUSER IN TRAINING, CUSER IN COURSE, EUSER IN EMPDATA

You can now run the request and generate the report output.

Once SET DBASOURCE command has been issued, its value cannot be changed. The following SET command attempts to change the value to HOST, but the query command output shows that it was not changed:

>  > set dbasource = host           
(FOC32575) DBASOURCE CANNOT BE RESET
VALUE WAS NOT CHANGED