After you specify access permissions to objects in an object set and you specify which user IDs and groups have access, the object set must be enabled to make those specifications effective. Enabling an object set is the process by which those pre-specified permissions are actually applied to the security access control list for objects.
An object set is enabled directly or
indirectly, depending upon the existence of a parent-child relationship. If the object set being enabled has no children, it is enabled only for its own members and is said to be enabled directly.
An object set can include another object set as its object. Indirect enabling occurs when a child object set is enabled through the enabling of its parent,
but only for the members of the parent. This means that the same permissions specified for the members of the child object set are granted to members of the parent object set, when the parent is enabled.
In this example, P is the parent object set and C is the child. When the parent object set DOCORDERENTRY is enabled, the group STORES5G has insert access to DOCORDERITEMS and read access to DOCAUDITITEMS. However, PROJMGR8 does not have access to DOCAUDITITEMS since the child object set is not enabled for its own members.
TIBCO Object Service Broker Parameters for information about the WORKINGSET Data Object Broker parameter.
tells you the current status of the object set. The values displayed, ENABLED or DISABLED, indicate whether it is to be enabled or disabled when you use PF3 to exit from the screen.
You must first have access to the @MAKEMEMBERS tool for this process. You can execute
@MAKEMEMBERS without any additional setup if you use a level‑7 user ID. If you are using a level‑1 user ID, your user ID must first be added to the access list for the associated object set also named @MAKEMEMBERS and this object set must be enabled by a system administrator.
@MAKEMEMBERS takes the argument
object_set. The value you provide for
object_set is the name of the object set that is to be enabled. After executing
@MAKEMEMBERS, a screen similar to the following appears:
When an object set is enabled, you can no longer update the permissions to its component objects directly. This ensures that the integrity of the enabled object set is not compromised by changes in permissions to any of its individual objects.
When you enable an object set, you could receive a message indicating that permissions were lost when the object set was enabled. Use PF14 to display the report of lost permissions. Lost permissions are listed for those objects that are not included in other enabled object sets. They are permissions that were assigned directly to user IDs and groups and not through another enabled object set.
Using the information on lost permissions obtained through PF14, you can re-establish lost permissions that are still required. To re-establish them, you can define other object sets and specify the permissions required.
If application developer JONES lost his MOD_DFN rights to some payroll tables when the PAYROLL_READ object set was enabled, you could set up another object set called PAYROLL_MAINT. This second object set would provide JONES, and all other users requiring VIEW_DEFN and MOD_DFN access, with the ability to maintain the objects as required.
When you enable an object set using BATCH_ENABLE you can retain the permissions for existing members of the object set as well as the members listed in the @MAKEMEMBERS table or you can delete the existing members and just enable it for the members listed in @MAKEMEMBERS.
BATCH_ENABLE uses the argument
wipe_existing, which takes the values Y or N, to save or delete permissions for existing members:
You can add to or delete user IDs or groups from the object set membership list, using the Enable/Disable screen:
To provide a user or group of users with a different set of permissions to objects used in the object set, you can create another object set that includes these objects and the required permissions. After creating this list, you can provide access by enabling the new object set.
Disabling an object set is the process by which pre-specified permissions applied to the security access control list for objects through enabling are now deactivated.
TIBCO Object Service Broker Parameters about the WORKINGSET Data Object Broker parameter.