Placing Security Information in a Central Master File
The DBAFILE attribute enables you to place all passwords and restrictions for multiple Master Files in one central file. Each individual Master File points to this central control file. Groups of Master Files with the same DBA password may share a common DBAFILE which itself has the same DBA password.
There are several benefits to this technique, including:
- Passwords only have to be stored once when they are applicable to a group of data sources, simplifying password administration.
- Data sources with different user passwords can be JOINed or COMBINEd. In addition, individual DBA information remains in effect for each data source in a JOIN or COMBINE.
The central DBAFILE is a standard Master File. Other Master Files can use the password and security restrictions listed in the central file by specifying its file name with the DBAFILE attribute.
- All Master Files that specify the same DBAFILE have the same DBA password.
- The central DBAFILE, like any Master File, must contain at least one segment declaration and one field declaration before the END statement that signifies the presence of DBA information. Even if a required attribute is not assigned a specific value, it must be represented by a comma. The DBA password in the DBAFILE is the same as the password in all the Master Files that refer to it. This prevents individuals from substituting their own security. All Master Files should be encrypted.
- The DBAFILE may contain a list of passwords and restrictions following the DBA password. These passwords apply to all data sources that reference this DBAFILE. In the example in Placing Security Attributes in a Central Master FileThe following example shows a group of Master Files that share a common DBAFILE named FOUR: ONE MASTER FILENAME=ONE . . END DBA=ABC, DBAFILE=FOUR,$TWO MASTER FILENAME=TWO . . END DBA=ABC, DBAFILE=FOUR,$THREE MASTER FILENAME=THREE . . END DBA=ABC, DBAFILE=FOUR,$FOUR MASTER FILENAME=FOUR,$ SEGNAME=mmmmm,$ FIELDNAME=fffff,$ END DBA=ABC,$ PASS=BILL,ACCESS=R,$ PASS=JOE,ACCESS=R,$ FILENAME=TWO,$ PASS=HARRY,ACCESS=RW,$ FILENAME=THREE,$ PASS=JOE,ACCESS=R,RESTRICT=...,$ PASS=TOM,ACCESS=R,$, PASS=BILL, with ACCESS=R (read only), applies to all data sources that contain the attribute DBAFILE=FOUR.
- After the common passwords, the DBAFILE may specify data source-specific passwords and additions to general passwords. You implement this feature by including FILENAME attributes in the DBA section of the DBAFILE (for example, FILENAME=TWO). See Placing Security Information in a Central Master File for additional information about the FILENAME attribute.
- Data source-specific restrictions override general restrictions for the specified data source. In the case of a conflict, passwords in the FILENAME section take precedence. For example, a DBAFILE might contain ACCESS=RW in the common section, but specify ACCESS=R for the same password by including a FILENAME section for a particular data source.
- Value restrictions accumulate. All value restrictions must be satisfied before retrieval. In the preceding example, note the two occurrences of PASS=JOE. JOE is a common password for all data sources, but in FILENAME=THREE it carries an extra restriction, RESTRICT=..., which applies only to data source THREE.
Place Security Attributes in a Central Master File
END DBA=dbaname, DBAFILE=filename ,$
Is the same as the dbaname in the central file.
Is the name of the central file.
You can specify passwords and restrictions in a DBAFILE that apply to every Master File that points to that DBAFILE. You can also include passwords and restrictions for specific Master Files by including FILENAME attributes in the DBAFILE.
Placing Security Attributes in a Central Master File
The following example shows a group of Master Files that share a common DBAFILE named FOUR:
ONE MASTER FILENAME=ONE . . END DBA=ABC, DBAFILE=FOUR,$
TWO MASTER FILENAME=TWO . . END DBA=ABC, DBAFILE=FOUR,$
THREE MASTER FILENAME=THREE . . END DBA=ABC, DBAFILE=FOUR,$
FOUR MASTER FILENAME=FOUR,$ SEGNAME=mmmmm,$ FIELDNAME=fffff,$ END DBA=ABC,$ PASS=BILL,ACCESS=R,$ PASS=JOE,ACCESS=R,$ FILENAME=TWO,$ PASS=HARRY,ACCESS=RW,$ FILENAME=THREE,$ PASS=JOE,ACCESS=R,RESTRICT=...,$ PASS=TOM,ACCESS=R,$
Using DBAFILE With a Join Structure
The following request joins the TRAINING data source to the EMPDATA and COURSE data sources, and then issues a request against the joined structure:
JOIN CLEAR * JOIN COURSECODE IN TRAINING TO COURSECODE IN COURSE AS J1 JOIN PIN IN TRAINING TO PIN IN EMPDATA AS J2 TABLE FILE TRAINING PRINT COURSECODE AS 'CODE' CTITLE LOCATION AS 'LOC' BY LASTNAME WHERE COURSECODE NE ' ' WHERE LOCATION EQ 'CA' OR LOCATION LIKE 'N%' END
When the Master Files do not have DBA attributes, the output is:
LASTNAME CODE CTITLE LOC
-------- ---- ------ ---
ADAMS EDP750 STRATEGIC MARKETING PLANNING NJ
CASTALANETTA EDP130 STRUCTURED SYS ANALYSIS WKSHP NY
AMA130 HOW TO WRITE USERS MANUAL CA
CHISOLM EDP690 APPLIED METHODS IN MKTG RESEARCH NJ
FERNSTEIN MC90 MANAGING DISTRIBUTOR SALE NETWORK NY
GORDON SFC280 FUND OF ACCTG FOR SECRETARIES NY
LASTRA MC90 MANAGING DISTRIBUTOR SALE NETWORK NY
MARTIN EDP130 STRUCTURED SYS ANALYSIS WKSHP CA
MEDINA EDP690 APPLIED METHODS IN MKTG RESEARCH NJ
OLSON PU168 FUNDAMNETALS OF MKTG COMMUNICATIONS NY
RUSSO PU168 FUNDAMNETALS OF MKTG COMMUNICATIONS NY
SO BIT420 EXECUTIVE COMMUNICATION CA
WANG PU440 GAINING COMPETITIVE ADVANTAGE NY
WHITE BIT420 EXECUTIVE COMMUNICATION CA
The EMPDATA Master File will be the central DBAFILE for the request. Add the following DBA attributes to the bottom of the EMPDATA Master File:
END DBA=DBA1,$ USER = EUSER, ACCESS = R,$ FILENAME = COURSE USER = CUSER2, ACCESS=RW,$
With these DBA attributes, user EUSER will have read access to all files that use EMPDATA as their DBAFILE. User CUSER2 will have read/write access to the COURSE data source.
Add the following security attributes to the bottom of the COURSE Master File. These attributes make the EMPDATA Master File the central file that contains the security attributes to use for access to the COURSE data source and it sets the DBA attribute to the same value as the DBA attribute in the EMPDATA Master File:
END DBA = DBA1, DBAFILE=EMPDATA,$
Add the following security attributes to the bottom of the TRAINING Master File. These attributes make the EMPDATA Master File the central file that contains the security attributes to use for access to the TRAINING data source and it sets the DBA attribute to the same value as the DBA attribute in the EMPDATA Master File:
END DBA = DBA1, DBAFILE=EMPDATA,$
Now, in order to run a request against the JOIN structure, there must be a current user password with read access in effect for each file in the JOIN. Issue the following SET PASS command and run the request:
SET PASS = EUSER
or
SET PASS = EUSER IN *
The request runs and produces output because EUSER is a valid user in each of the files in the join.
Since the EMPDATA Master File identifies CUSER2 as a valid user for the COURSE Master File, you can also run the request with the following SET PASS command:
SET USER = EUSER IN EMPDATA, EUSER IN TRAINING, CUSER2 IN COURSE
Issuing a SET PASS command that does not specify a valid password for each file in the JOIN structure produces one of the following messages, and the request does not run:
(FOC052) THE USER DOES NOT HAVE ACCESS TO THE FIELD: fieldname(FOC047) THE USER DOES NOT HAVE SUFFICIENT ACCESS RIGHTS TO THE FILE: filename
File Naming Requirements for DBAFILE
When a DBAFILE includes a FILENAME attribute for a specific Master File, the FILENAME attribute in the referencing Master File must be the same as the FILENAME attribute in the DBA section of the DBAFILE. This prevents users from renaming a Master File to a name unknown by the DBAFILE.
DBAFILE Naming Conventions
ONE MASTER FILENAME=XONE . . . END DBA=ABC, DBAFILE=FOUR,$ FOUR MASTER FILENAME=XFOUR . . . END DBA=ABC,$ . . . FILENAME=XONE,$ . . .
ONE MASTER is referred to in requests as TABLE FILE ONE. However, both ONE MASTER and the DBA section of the DBAFILE, FOUR MASTER, specify FILENAME=XONE.
For security reasons, the FILENAME attribute in the Master File containing the DBAFILE information should not be the same as the name of that Master File. Note that in Master File FOUR, the FILENAME attribute specifies the name XFOUR.
Connection to an Existing DBA System With DBAFILE
If there is no mention of the new attribute, DBAFILE, there will be no change in the characteristics of an existing system. In the current system, when a series of data sources is JOINed, the first data source in the list is the controlling data source. Its passwords are the only ones examined. For a COMBINE, only the last data source passwords take effect. All data sources must have the same DBA password.
In the new system, the DBA sections of all data sources in a JOIN or COMBINE are examined. If DBAFILE is included in a Master File, then its passwords and restrictions are read. To make the DBA section of a data source active in a JOIN list or COMBINE, specify DBAFILE for that data source.
After you start to use the new system, convert all of your Master Files. For Database Administrators who want to convert existing systems but do not want a separate physical DBAFILE, the DBAFILE attribute can specify the data source itself.
Connecting to an Existing DBA System With DBAFILE
FILENAME=SEVEN,
SEGNAME=..
FIELDNAME=...
.
.
.
END
DBA=ABC,DBAFILE=SEVEN,$ (OR DBAFILE= ,$)
PASS=...
PASS=...
Combining Applications With DBAFILE
Since each data source now contributes its own restrictions, you can JOIN and COMBINE data sources that come from different applications and have different user passwords. The only requirement is a valid password for each data source. You can therefore grant access rights for one application to an application under the control of a different DBA by assigning a password in your system.
You can assign screening conditions to a data source that are automatically applied to any report request that accesses the data source. See the Creating Reports With ibi™ WebFOCUS®LanguageCreating Reports With ibi™ WebFOCUS® Language manual for details.