With ordinary persistent tables (for example, TDS), access to the table definition controls access to the data contained in the table; that is, the definition of a table uniquely identifies the data. Therefore, suitably setting user and group access to the definitions controls who can read and write the data.
Ordinary non-persistent tables (EES, TEM and SES) have global definitions but local data. Even if multiple users have access to the table definition, the data is always local to the transaction or session and there is no possibility of unauthorized access.
MAP tables are significantly different because the table definition plays no part in controlling access to the data. The definition specifies the layout of the data in storage and its mapping to fields but the location of the data in storage is uniquely specified by the value of the address parameter of the table.
MAP table data access is controlled indirectly using the system interpreted table @MAP.
@MAP is used to allocate and register storage for use by MAP tables. Without this control, a user who is denied access to a MAP table definition could define a new MAP table and then at runtime supply the storage address of the desired data via the address parameter.
To access data at a particular address with a MAP table, an occurrence representing that address must exist in the @MAP table. If no such occurrence exists, the table access fails and the DATAREFERENCE exception is raised. The ADDRESS field of @MAP can be thought of as a reference field for the address parameter of the MAP table. It is not necessary for the address of the occurrence in @MAP to exactly match the address parameter of the MAP table; access succeeds as long as the storage mapped by the MAP table does not extend outside the boundaries described by the occurrence in @MAP.
In addition, occurrences in @MAP contain an implicit permission for read-only access (GET and FORALL) or for read/write access (REPLACE). This permission is based on the parameter set of @MAP where the occurrence appears. All parameter sets except EXTERNALRO allow both read and write access. EXTERNALRO allows read access only.
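The following Python model is an added illustration of the two checks described above (containment within a registered occurrence, then the read/write permission implied by the parameter set); it is not the product's own code. The `length` field, the `HYPOTHETICAL_RW` parameter set name, the `WRITE_DENIED` label and the sample addresses are assumptions made for the model; only `ADDRESS`, `EXTERNALRO`, `DATAREFERENCE` and the operation names come from the text.

```python
from dataclasses import dataclass

READ_OPS = {"GET", "FORALL"}
WRITE_OPS = {"REPLACE"}

@dataclass(frozen=True)
class MapOccurrence:
    parameter_set: str  # @MAP parameter set in which the occurrence appears
    address: int        # ADDRESS field of the occurrence
    length: int         # assumed field: number of bytes registered

def check_map_access(registry, op, address, size):
    """Model the @MAP check for a MAP table mapping `size` bytes at `address`.

    Returns "OK", "DATAREFERENCE" (no occurrence covers the storage) or
    "WRITE_DENIED" (this model's own label for a read-only occurrence).
    """
    if op not in READ_OPS | WRITE_OPS:
        raise ValueError(f"unknown operation: {op}")
    if size <= 0:
        raise ValueError("mapped size must be positive")
    end = address + size
    # The mapped storage must lie inside the boundaries of one occurrence;
    # its start does not have to equal the occurrence's ADDRESS.
    covering = [o for o in registry
                if o.address <= address and end <= o.address + o.length]
    if not covering:
        return "DATAREFERENCE"
    # Every parameter set except EXTERNALRO permits writes.
    if op in WRITE_OPS and all(o.parameter_set == "EXTERNALRO" for o in covering):
        return "WRITE_DENIED"
    return "OK"

# Constructed sample registry: addresses, lengths and the second parameter
# set name are invented for this example.
SAMPLE_REGISTRY = [
    MapOccurrence("EXTERNALRO", 0x1000, 0x100),
    MapOccurrence("HYPOTHETICAL_RW", 0x2000, 0x80),
]

if __name__ == "__main__":
    for op, addr, size in [("GET", 0x1040, 0x40), ("GET", 0x10F0, 0x20),
                           ("REPLACE", 0x1000, 0x10), ("REPLACE", 0x2000, 0x80)]:
        print(op, hex(addr), hex(size), "->",
              check_map_access(SAMPLE_REGISTRY, op, addr, size))
```

The second sample request starts inside a registered region but runs 0x10 bytes past its end, which is the case a user-defined MAP table with a self-chosen address parameter would hit.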