Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 7 Managing Object Set Security : Enabling and Disabling Object Sets

Enabling and Disabling Object Sets
Enabling an Object Set
What is Enabling an Object Set?
After you specify access permissions to objects in an object set and you specify which user IDs and groups have access, the object set must be enabled to make those specifications effective. Enabling an object set is the process by which those pre-specified permissions are actually applied to the security access control list for objects.
An object set is enabled directly or indirectly, depending upon the existence of a parent-child relationship. If the object set being enabled has no children, it is enabled only for its own members and is said to be enabled directly.
Indirect Enabling of an Object Set
An object set can include another object set as its object. Indirect enabling occurs when a child object set is enabled through the enabling of its parent, but only for the members of the parent. This means that the same permissions specified for the members of the child object set are granted to members of the parent object set, when the parent is enabled.
Example
To illustrate this point, consider the following example:
In this example, P is the parent object set and C is the child. When the parent object set DOCORDERENTRY is enabled, the group STORES5G has insert access to DOCORDERITEMS and read access to DOCAUDITITEMS. However, PROJMGR8 does not have access to DOCAUDITITEMS since the child object set is not enabled for its own members.
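The rule above can be checked with a small model. This Python sketch is an added illustration, not TIBCO code. It assumes DOCORDERITEMS belongs to the parent and DOCAUDITITEMS to the child, and it uses the page's label C as a placeholder for the child's name, which is not given here.

```python
from dataclasses import dataclass, field

@dataclass
class ObjectSet:
    name: str
    perms: dict                  # object -> access types this set specifies
    members: set                 # user IDs / groups on the membership list
    children: list = field(default_factory=list)
    enabled: bool = False

def effective_acl(object_sets):
    """Return {(member, object, access)} applied by all enabled object sets."""
    acl = set()

    def apply(oset, members, seen):
        if oset.name in seen:    # guard: a set nested inside itself
            return
        seen.add(oset.name)
        for obj, accesses in oset.perms.items():
            acl.update((m, obj, a) for m in members for a in accesses)
        for child in oset.children:
            # Indirect enabling: the child's permissions go to the members
            # of the set being enabled, not to the child's own members.
            apply(child, members, seen)

    for oset in object_sets:
        if oset.enabled:
            apply(oset, oset.members, set())
    return acl

def page_example(child_enabled):
    """Constructed layout for the page's example; the figure is not shown."""
    child = ObjectSet("C", {"DOCAUDITITEMS": {"read"}}, {"PROJMGR8"},
                      enabled=child_enabled)
    parent = ObjectSet("DOCORDERENTRY", {"DOCORDERITEMS": {"insert"}},
                       {"STORES5G"}, children=[child], enabled=True)
    return effective_acl([parent, child])

if __name__ == "__main__":
    print("parent enabled only:   ", sorted(page_example(False)))
    print("child also enabled:    ", sorted(page_example(True)))
```

With only the parent enabled, PROJMGR8 has no entry at all; it gains read access to DOCAUDITITEMS only once the child is also enabled directly.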
Who Can Enable an Object Set?
You can enable an object set provided that both the following conditions are met:
You have control access to all the objects in the object set. If a child object set is indirectly enabled, you must have security access to all its objects as well.
See Also
TIBCO Object Service Broker Parameters for information about the WORKINGSET Data Object Broker parameter.
Methods Available to Enable an Object Set
Methods Available
There are two ways to enable an object set: interactively or in batch mode. Both methods are described in the following sections.
Enabling an Object Set Interactively
On all the platforms supported by TIBCO Object Service Broker, you can enable an object set interactively. To access the screen for enabling an object set, refer to Adding and Updating Permissions for Object Types.
On the Enable/Disable ObjectSet screen, the information line:
This objectset is currently DISABLED; will be DISABLED on SAVE
tells you the current status of the object set. The values displayed, ENABLED or DISABLED, indicate whether it is to be enabled or disabled when you use PF3 to exit from the screen.
Use PF5 to toggle between the enable and disable modes.
Enabling Object Sets Using Batch Processing
You can enable an object set through the use of an interactive screen and a batch process.
Prerequisite
You must first have access to the @MAKEMEMBERS tool for this process. You can execute @MAKEMEMBERS without any additional setup if you use a level‑7 user ID. If you are using a level‑1 user ID, your user ID must first be added to the access list for the associated object set also named @MAKEMEMBERS and this object set must be enabled by a system administrator.
@MAKEMEMBERS takes the argument object_set. The value you provide for object_set is the name of the object set that is to be enabled. After executing @MAKEMEMBERS, a screen similar to the following appears:

 
------------------------------------------------------------------------------
Enable/Disable ObjectSet DOCORDERENTRY
------------------------------------------------------------------------------
NOTE: This objectset is currently DISABLED ; will be DISABLED on SAVE
_ Name           User or Group
(USERID | GROUP) Description
---------------- ----------------------------------------
STORES5G         ALL DEPARTMENT STORE LOCATIONS
TELMKT12         TELEMARKETING - NORTHERN UNIT
TELMKT18         TELEMARKETING - EASTERN
 
PFKEYS: 1=HELP 6=USERIDS 9=GROUPS 21=VIEW 3=SAVE 5=ENABLE/DISABLE 12=CANCEL

 
Steps to Enabling an Object Set
1. Execute the @MAKEMEMBERS tool to supply the names of the object sets and the names of the user IDs or groups who can use the object sets.
2. You can add values by doing any of the following: typing in values, pressing PF6 to select from a list of all available user IDs, or pressing PF9 to select a group name from the list of all security groups.
To save any object set to be enabled later via the BATCH_ENABLE tool, you must have at least one member listed.
3.
4. Submit the BATCH_ENABLE tool for asynchronous processing, using the SCHEDULE statement from within a rule.
BATCH_ENABLE does the actual enabling of all object sets previously processed using @MAKEMEMBERS. In a z/OS environment, you can submit the BATCH_ENABLE tool to a queue using the BATCH or $BATCHOPT tools.
See Also
TIBCO Object Service Broker Programming in Rules about the use of the SCHEDULE statement.
TIBCO Object Service Broker Shareable Tools about how to use the BATCH or $BATCHOPT tools to submit batch jobs.
Effects of Enabling on Individual Object Permissions
When an object set is enabled, you can no longer update the permissions to its component objects directly. This ensures that the integrity of the enabled object set is not compromised by changes in permissions to any of its individual objects.
Reporting Lost Permissions
When you enable an object set, you could receive a message indicating that permissions were lost when the object set was enabled. Use PF14 to display the report of lost permissions. Lost permissions are listed for those objects that are not included in other enabled object sets. They are permissions that were assigned directly to user IDs and groups and not through another enabled object set.
The information that you obtain by using PF14 is the only report you have on permissions lost in the enabling process. You can print it using PF13.
Re-establishing Permissions
Using the information on lost permissions obtained through PF14, you can re-establish lost permissions that are still required. To re-establish them, you can define other object sets and specify the permissions required.
Example
If application developer JONES lost his MOD_DFN rights to some payroll tables when the PAYROLL_READ object set was enabled, you could set up another object set called PAYROLL_MAINT. This second object set would provide JONES, and all other users requiring VIEW_DEFN and MOD_DFN access, with the ability to maintain the objects as required.
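The following Python sketch, an added illustration and not TIBCO code, models the lost-permissions rule as stated above and checks whether a replacement object set restores what was lost. The table names, the CLERKS group, the user SMITH, and "read" as the access PAYROLL_READ grants are constructed. It also assumes a direct entry that the enabled set itself re-grants is not counted as lost.

```python
def grants(oset):
    """(member, object, access) entries an object set applies when enabled."""
    return {(m, obj, a) for obj, accs in oset["perms"].items()
            for a in accs for m in oset["members"]}

def lost_on_enable(direct_acl, target, other_enabled):
    """Direct entries that enabling `target` would drop (simplified model).

    An entry is reported when its object is in `target`, is not in any other
    enabled object set, and is not re-granted by `target` itself.
    """
    elsewhere = {obj for s in other_enabled for obj in s["perms"]}
    applied = grants(target)
    return sorted(e for e in direct_acl
                  if e[1] in target["perms"]
                  and e[1] not in elsewhere
                  and e not in applied)

def still_missing(lost, replacement):
    """Lost entries that a proposed replacement object set would not restore."""
    return sorted(set(lost) - grants(replacement))

# Constructed data: table names, CLERKS and SMITH are hypothetical.
PAYROLL_READ = {"perms": {"PAY_RATES": {"read"}, "PAY_HISTORY": {"read"}},
                "members": {"JONES", "CLERKS"}}
PAYROLL_MAINT = {"perms": {"PAY_RATES": {"VIEW_DEFN", "MOD_DFN"},
                           "PAY_HISTORY": {"VIEW_DEFN", "MOD_DFN"}},
                 "members": {"JONES"}}
DIRECT_ACL = {("JONES", "PAY_RATES", "MOD_DFN"),
              ("JONES", "PAY_HISTORY", "MOD_DFN"),
              ("JONES", "PAY_RATES", "read"),
              ("SMITH", "PAY_HISTORY", "MOD_DFN")}

LOST = lost_on_enable(DIRECT_ACL, PAYROLL_READ, other_enabled=[])
GAPS = still_missing(LOST, PAYROLL_MAINT)

if __name__ == "__main__":
    print("lost on enabling PAYROLL_READ:", LOST)
    print("not restored by PAYROLL_MAINT:", GAPS)
```

In this constructed data PAYROLL_MAINT restores JONES but leaves SMITH's entry unrestored, which is the kind of gap the PF14 report is meant to surface.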
Saving Existing Permissions for Object Sets Enabled in Batch
When you enable an object set using BATCH_ENABLE, you can either retain the permissions for existing members of the object set as well as the members listed in the @MAKEMEMBERS table, or delete the existing members and enable it only for the members listed in @MAKEMEMBERS.
Saving and Deleting When Using BATCH_ENABLE
BATCH_ENABLE uses the argument wipe_existing, which takes the values Y or N, to save or delete permissions for existing members:
Updating Object Permissions When an Object Set is Enabled
You can add to or delete user IDs or groups from the object set membership list, using the Enable/Disable screen:
To add a user ID or group, press PF6 or PF9 and make the required selections.
To delete a user ID or group, position your cursor on the user ID or group that you want to delete from the object set membership list and erase the name or overtype it with blanks.
After making the change, press PF3 to save.
To provide a user or group of users with a different set of permissions to objects used in the object set, you can create another object set that includes these objects and the required permissions. After creating this list, you can provide access by enabling the new object set.
Disabling an Object Set
What is Disabling an Object Set?
Disabling an object set is the process that deactivates the pre-specified permissions that were applied to the security access control list for objects when the object set was enabled.
Who Can Disable an Object Set?
You can disable an object set provided that both the following conditions are met:
You have control access to all the objects in the object set. If a child object set was indirectly enabled, you must have security access to all its objects as well.
Steps for Disabling an Object Set
To disable an object set for all users, complete the following steps:
1. Refer to Invoking the Enable/Disable Object Set Screen for further information.
2. The status line indicates that the object set is currently enabled and will be disabled when you save.
3.
What Changes Can You Make?
After the object set is disabled, you can:
After changes are made, you can enable the object set again. Refer to Enabling an Object Set.
See Also
TIBCO Object Service Broker Parameters about the WORKINGSET Data Object Broker parameter.
