Restricting Access To a File. Walter Brengel, June, 2008. Agenda: DBA (What Is It? How To Implement? Limitations, DBA File); FILTERs (How They Differ From DBA, How To Use, Dynamic Filtering). WebFOCUS/FOCUS Security.
Copyright 2007, Information Builders. Slide 1
Restricting Access To a File
Walter Brengel
June, 2008
Copyright 2007, Information Builders. Slide 2
Restricting Access to a File: AGENDA
DBA
  What Is It?
  How To Implement?
  Limitations
  DBA File
FILTERs
  How They Differ From DBA
  How To Use
  Dynamic Filtering
Copyright 2007, Information Builders. Slide 3
Restricting Access to a File: WebFOCUS/FOCUS Security
Any Data Source Can Be Protected For Reporting.
Implemented With The DBA Attributes In The MFD, And SET PASS = PASSWORD.
Coded In The Master File Description Or FOCUS Synonym (MFD):
  FILENAME = PERS, SUFFIX = FILE TYPE,$
  …
  END
  DBA=DBAVALUE,$
  USER=USER ,ACCESS=ACCESS RIGHTS, $
Limits The Records That A User Can Read Or Update In A File/Table.
Can Be Used As The Only Security Or To Supplement Existing Security (Such As RACF).
Copyright 2007, Information Builders. Slide 4
Restricting Access to a File: WebFOCUS/FOCUS Security
DBA Security Specifies:
  The Password For The Database Administrator, With Unlimited Access To The Data Source.
  The Password Used To Encrypt/Decrypt The Master File.
  The Password(s) Of FOCUS Users Granted Access To A Data Source.
  The DEFAULT Password Of A User Upon Entering FOCUS/WebFOCUS Is Blank (' ').
User Password Information Contains:
  The Type Of Access The User Is Granted.
  Restrictions On That Data.
  The Segments And Fields The User Is Not Permitted To Retrieve.
  Values Which Become Automatic 'Filters' On The Data.
Copyright 2007, Information Builders. Slide 5
Restricting Access to a File: WebFOCUS/FOCUS Security
  DBA=JONESABC,$
  USER=SUPER ,ACCESS=RW, $
  USER=' ',ACCESS=R,RESTRICT=VALUE,
    NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
  USER=HR ,ACCESS=R ,RESTRICT=SEGMENT, NAME=FUNDTRAN ,$
  USER=MISAdmin, ACCESS=W, RESTRICT=VALUE, NAME=SALTEST,
    VALUE=INCREASE+SALARY GE SALARY,$
    ACCESS=R, RESTRICT=VALUE,
    NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS',$
Copyright 2007, Information Builders. Slide 6
Restricting Access to a File: WebFOCUS/FOCUS Security
Data Base Administrator - DBA=JONESABC,$
Every Data Source Having Access Limits Must Have A DBA.
Groups Of Cross-referenced Data Sources (Or Files To Be Combined Together) Must Have The Same DBA Value.
Partitioned FOCUS/XFOCUS Data Sources, Which Are Read Together In The USE Command Or Through An Access File, Must Have The Same DBA Value.
The DBA Has Unlimited Access To The Data Source And All Cross-referenced Data Sources.
You Cannot Encrypt And Decrypt Master Files Or Restrict Existing Data Sources Without The DBA Password.
Copyright 2007, Information Builders. Slide 7
Restricting Access to a File: WebFOCUS/FOCUS Security
USER Access to Data
  USER = name
Name Is A Password Of Up To 64 Characters For The User.
The Password Can Include Special Characters.
If The Password Contains Blanks, It Must Be Enclosed In Single Quotation Marks.
Passwords Are Case Sensitive:
  SET DBACSENSITIV = ON
Or Case Insensitive:
  SET DBACSENSITIV = OFF
Copyright 2007, Information Builders. Slide 8
Restricting Access to a File: WebFOCUS/FOCUS Security
Non-Overridable User Passwords
  SET PERMPASS = password
The PERMPASS Parameter Establishes A User Password That Remains In Effect Throughout A Session Or Connection.
The User Cannot Issue The SET PASS Or SET USER Command To Change To A User Password With Different Security Rules. Any Attempt To Do So Generates The Following Message:
  Permanent PASS Is In Effect. Your PASS Will Not Be Honored.
  VALUE WAS NOT CHANGED
FOCUS Passwords May Be Set In MVS Via The FOCUSID Exit, Which Sets The User Password Based On RACF/ACF2/TOP SECRET Or Customer Specific Rules.
  Returned Passwords Of 8 Characters Are Non-overridable.
  Returned Passwords Of Less Than 8 Characters Ending In . (Period) Are Non-overridable.
Copyright 2007, Information Builders. Slide 9
Restricting Access to a File: WebFOCUS/FOCUS Security
ACCESS attribute
  USER=password, ACCESS=RW,$
  ACCESS=R    Read-Only (TABLE/TABLEF/MATCH FILE)
  ACCESS=W    Write Only (MODIFY/MAINTAIN)
  ACCESS=RW   Read/Write (All FOCUS Commands)
  ACCESS=U    Update Only (MODIFY/MAINTAIN, But No New Records/Rows Will Be Included)
Copyright 2007, Information Builders. Slide 10
Restricting Access to a File: WebFOCUS/FOCUS Security
RESTRICT attribute
  USER=name, ACCESS=access, RESTRICT=level, NAME=levelname, [VALUE=test],$
  FIELD - Specifies That The User Cannot Access The Named Fields.
  SEGMENT - Specifies That The User Cannot Access The Named Segments.
  PROGRAM - Specifies That The Program Named With The NAME Parameter Will Be Called Whenever The User Uses The Data Source.
  SAME - Specifies That The User Has The Same Restrictions As The User Named In The NAME Parameter.
  NOPRINT - Specifies That The Field Named In The NAME Parameter Can Be Mentioned In A Request Statement, But Will Show Default Values Of Blank Or Zero. This Option Is Not Supported With Relational Data Sources.
Copyright 2007, Information Builders. Slide 11
Restricting Access to a File: WebFOCUS/FOCUS Security
RESTRICT=VALUE,NAME=name,VALUE=test
ACCESS=R
  NAME = SYSTEM - The Test Specified In VALUE Will Be Applied For Any Report Request Against The File.
  NAME = segname - The Test Specified In VALUE Will Be Applied For Any Report Request That Requires The Segment Named.
  VALUE = test - Generates An IF Test, So Must Be Of The Form:
    field relation value [OR value …]
Copyright 2007, Information Builders. Slide 12
Restricting Access to a File: WebFOCUS/FOCUS Security
RESTRICT=VALUE,NAME=name,VALUE=test
ACCESS=W
  NAME=segname - The Test Is Applied Prior To Any UPDATE / INCLUDE At That Segment Level.
  NAME=testname - The Test Is Applied At Transaction Input As A "Global" VALIDATE.
  VALUE= test - Becomes VALIDATE Name/I1 = Testname; Return Of 0 Fails The Validation, Anything Else Passes.
Copyright 2007, Information Builders. Slide 13
Restricting Access to a File: WebFOCUS/FOCUS Security
DBAFILE - Security Information in a Central Master File
The DBAFILE Attribute Places All Passwords And Restrictions For Multiple Master Files In One Central File.
Each Individual Master File Points To This Central Control File.
Groups Of Master Files With The Same DBA Password May Share A Common DBAFILE Which Itself Has The Same DBA Password.
Benefits:
  Passwords Only Have To Be Stored Once When They Are Applicable To A Group Of Data Sources.
  Data Sources With Different User Passwords Can Be JOINed Or COMBINEd With Applicable Passwords Implemented.
Copyright 2007, Information Builders. Slide 14
Restricting Access to a File: WebFOCUS/FOCUS Security
  FILE=filename
  …
  END
  DBA=dbaname, DBAFILE=filename ,$
Where:
  dbaname   Is the same as the dbaname in the central file.
  filename  Is the name of the central file.
Copyright 2007, Information Builders. Slide 15
Restricting Access to a File: WebFOCUS/FOCUS Security
EMPLOYEE MASTER
  FILENAME=EMPLOYEE,SUFFIX=FOC,$
  ….
  END
  DBA=JONESABC, DBAFILE=DBAF4,$
JOBFILE MASTER
  FILENAME=JOBFILE,SUFFIX=FOC,$
  ….
  END
  DBA=JONESABC, DBAFILE=DBAF4,$
EDUCFILE MASTER
  FILENAME=EDUCFILE,SUFFIX=FOC,$
  ….
  END
  DBA=JONESABC, DBAFILE=DBAF4,$
Copyright 2007, Information Builders. Slide 16
Restricting Access to a File: WebFOCUS/FOCUS Security
DBAF4 MASTER
  FILENAME=DBAF4,SUFFIX=FOC,$
  SEGNAME=ONE,SEGTYPE=S1
   FIELD=DUMMY,,A1,$
  END
  DBA=JONESABC,$
  USER=ADMIN,ACCESS=R,$
  USER=ADMIN2,ACCESS=R,$
  USER=SUPER ,ACCESS=RW,$
  USER=,ACCESS=R,RESTRICT=VALUE,
    NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
  FILENAME=JOBFILE,$
  USER=JOBADMIN,ACCESS=W,$
  FILENAME=EDUCFILE,$
  USER=EDADMIN,ACCESS=W,$
Copyright 2007, Information Builders. Slide 17
Restricting Access to a File: WebFOCUS/FOCUS Security
Limitations
  ACCESS = R Must Be "IF" field relation value [OR value…]
  ACCESS = W Must Be Phrased As A Boolean (True/False) Expression For VALIDATE.
  MASTER Must Be Encrypted Or All DBA Is Viewable.
  Changes To MFDs Are Not Always Possible.
  A Large Number Of Restrictions Becomes Difficult.
Alternatives
  The IF Rule May Be Avoided With A DEFINE In The MASTER, And A VALUE Restriction On The DEFINE Field.
  For Security WITHOUT An MFD Change, Use FILTER FILE.
Copyright 2007, Information Builders. Slide 18
Restricting Access to a File: WebFOCUS/FOCUS Security
RESTRICT=VALUE,NAME=TEST,
  ACCESS=   NAME=
  RW        DEPARTMENT EQ 'MIS'
  R         RECORDLIMIT EQ 10
  W         RECORDLIMIT EQ 10
  W         CSAL * 1.10 LE 100000
  R         CSAL * 1.10 LE 100000
  W         DEPARTMENT EQ 'MIS' AND CSAL GT 100000
  R         DEPARTMENT EQ 'MIS' AND CSAL GT 100000
VALID
INVALIDVALID
VALID
VALIDINVALID
INVALID
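The limitations above can be checked mechanically before a Master File is deployed. The following Python sketch is an added example, not part of the original slides or of any Information Builders tool: it parses the DBA section of a plain-text Master File and flags ACCESS=R value tests that are not of the form field relation value [OR value…], and it reports that the DBA section is readable at all. The sample master, the list of relations and the rule that a declaration without USER= continues the previous user are assumptions.

```python
import re

# Constructed sample: a plain-text Master File; the DBA section follows END.
SAMPLE_MASTER = """\
FILENAME=EMPDATA,SUFFIX=FOC,$
FIELD=DEPARTMENT,,A10,$
END
DBA=EXAMPLEDBA,$
USER=HR1,ACCESS=R,RESTRICT=VALUE,NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS' OR 'HR',$
USER=HR2,ACCESS=R,RESTRICT=VALUE,
 NAME=SYSTEM,VALUE=CSAL * 1.10 LE 100000,$
USER=MISADMIN,ACCESS=W,RESTRICT=VALUE,NAME=SALTEST,VALUE=INCREASE+SALARY GE SALARY,$
 ACCESS=R,RESTRICT=VALUE,NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS' AND CSAL GT 100000,$
"""

RELATIONS = "EQ|NE|GT|GE|LT|LE|CONTAINS|OMITS"  # assumption: subset of IF relations
LITERAL = r"(?:'[^']*'|[\w.]+)"
READ_TEST = re.compile(
    rf"^[A-Za-z_]\w*\s+(?:{RELATIONS})\s+{LITERAL}(?:\s+OR\s+{LITERAL})*$")

def parse_dba(master_text):
    """Return one attribute dict per declaration after the END line."""
    _, _, dba = master_text.partition("\nEND\n")
    rules, user = [], None
    for decl in dba.split(",$"):
        decl = " ".join(decl.split())          # join continuation lines
        if not decl:
            continue
        attrs = {}
        # split on commas that sit outside single quotes
        for part in re.findall(r"(?:[^,']|'[^']*')+", decl):
            key, _, value = part.partition("=")
            attrs[key.strip().upper()] = value.strip()
        # assumption: a declaration without USER= continues the previous user
        user = attrs.setdefault("USER", user)
        rules.append(attrs)
    return rules

def lint(master_text):
    """List rules that break the limitations named on the slides."""
    rules = parse_dba(master_text)
    findings = []
    if any("DBA" in r for r in rules):
        findings.append("plain-text master: DBA password and rules are viewable")
    for r in rules:
        test = r.get("VALUE", "")
        if (r.get("ACCESS"), r.get("RESTRICT")) == ("R", "VALUE") and not READ_TEST.match(test):
            findings.append(f"USER={r['USER']}: ACCESS=R test is not IF-form: {test}")
    return findings
```

Running lint(SAMPLE_MASTER) reports the readable DBA section plus the HR2 and MISADMIN read rules; the ACCESS=W expression is left alone because it only has to be a Boolean expression.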
Copyright 2007, Information Builders. Slide 19
Restricting Access to a File: FILTER FILE
Restricts Access To Data Without Specifying Rules In The Master File.
DEFINITIONS At File Containing IF Or WHERE Criteria.
Each "Filter" Can Be Activated Or Deactivated.
Active "Filters" Are In Effect For Any Request Against A File.
Can Be Built Within The Session, Or As Part Of Profile Processing For Dynamic Restrictions.
May Use &Variables For Selection Of Security.
Copyright 2007, Information Builders. Slide 20
Restricting Access to a File: WebFOCUS/FOCUS Security
Syntax:
  FILTER FILE filename [CLEAR|ADD]
  [filter-defines;]
  NAME=filtername1 [,DESC=text]
  Where or if phrases
  ...
  NAME=filternamen [,DESC=text]
  Where or if phrases
  END
Copyright 2007, Information Builders. Slide 21
Restricting Access to a File: WebFOCUS/FOCUS Security
FILTER ACTIVATION
  SET FILTER= {*|xx[ yy zz]} IN file {ON|OFF}
Where:
  *          Specifies ALL Filters For Specified Source
  xx yy zz   Named Filters For Specified Source
  ON/OFF     Activates Or Deactivates Specified Filter(s)
Copyright 2007, Information Builders. Slide 22
Restricting Access to a File: WebFOCUS/FOCUS Security
Example
  FILTER FILE EMPDATA
  INCREASE/D7 = IF CJC EQ 'B01' THEN .20 ELSE 0;
  NAME=TEST1,
   WHERE INCREASE + SALARY GT SALARY;
  NAME= MIS,
   IF DEPARTMENT EQ 'MIS'
  END
  SET FILTER = TEST1 IN EMPDATA ON
Copyright 2007, Information Builders. Slide 23
Restricting Access to a File: WebFOCUS/FOCUS Security
Special Considerations
  FILTERs Are Valid For The Structure At The Time The FILTER FILE Is Issued.
  JOIN Will Clear All Filters Declared For The Host File Prior To The JOIN.
  JOIN CLEAR Will Clear All FILTERS Declared For The Host File AFTER The JOIN Was Issued.
  SET KEEPFILTERS=ON Will Retain Filters Regardless Of JOIN.
  Active Filters For A Cross-referenced File Are In Effect, And Need Not Be Declared For The JOIN Structure.
Copyright 2007, Information Builders. Slide 24
Restricting Access to a File: WebFOCUS/FOCUS Security
Dynamic Filters
  USERID  WHERETEST
  ------  ---------
          WHERE RECORDLIMIT EQ 5
  HR1     WHERE (CSAL * 1.1) LE 100000
  HR2     WHERE DEPARTMENT EQ 'MIS' AND CSAL GT 100000
  MIS     WHERE DEPARTMENT EQ 'MIS'
  NEWEMP  WHERE HIRE_DATE GE '19800101'
  SUPER   WHERE DEPARTMENT NE ' '
  U1      WHERE EMP_ID EQ &USERID

  FILE=SECURITY,SUFFIX=FOC,
  SEGNAME=ONE,SEGTYPE=S0
  FIELD=USERID,,A8,$
  FIELD=WHERETEST,,A80,$
  END
  DBA=________,$
Copyright 2007, Information Builders. Slide 25
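Restricting Access to a File: FOCPARM/EDASPROF
  -* Look up the connected user ID and map it to a USERID row in SECURITY
  -SET &USERID = GETUSER('A8');
  FILEDEF SCE DISK SCE.FEX
  -SET &USERID1 = IF &USERID EQ 'IBIWXB' THEN 'SUPER'
  - ELSE IF &USERID EQ 'IBICJP' THEN 'MIS' ELSE ' ';
  -* Read that user's WHERE test with the DBA password, then blank the password
  SET PASS=________
  TABLE FILE SECURITY
  PRINT WHERETEST
  WHERE USERID EQ '&USERID1'
  ON TABLE SAVE AS SCE
  END
  -RUN
  SET PASS = ' '
  -* Build the filter from the saved WHERE test and activate it
  FILTER FILE EMPDATA
  NAME=SECURITY,
  -INCLUDE SCE
  END
  SET FILTER =SECURITY IN EMPDATA ON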
Copyright 2007, Information Builders. Slide 26
Restricting Access to a File: USERID = IBIWXB (SUPER)
  EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
  ------     ----------  ---------  ----------
  071382660  PRODUCTION  STEVENS    ALFRED
  112847612  MIS         SMITH      MARY
  117593129  MIS         JONES      DIANE
  119265415  PRODUCTION  SMITH      RICHARD
  119329144  PRODUCTION  BANNING    JOHN
  123764317  PRODUCTION  IRVING     JOAN
  126724188  PRODUCTION  ROMANS     ANTHONY
  219984371  MIS         MCCOY      JOHN
  326179357  MIS         BLACKWOOD  ROSEMARIE
  451123478  PRODUCTION  MCKNIGHT   ROGER
  543729165  MIS         GREENSPAN  MARY
  818692173  MIS         CROSS      BARBARA
Copyright 2007, Information Builders. Slide 27
Restricting Access to a File: USERID = IBINMR (' ')
  PAGE 1
  EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
  ------     ----------  ---------  ----------
  071382660  PRODUCTION  STEVENS    ALFRED
  112847612  MIS         SMITH      MARY
  117593129  MIS         JONES      DIANE
  119265415  PRODUCTION  SMITH      RICHARD
  119329144  PRODUCTION  BANNING    JOHN
Copyright 2007, Information Builders. Slide 28
Review
DBA
  What Is It?
  How To Implement?
  Limitations
  DBA File
FILTERs
  How They Differ From DBA
  How To Use
  Dynamic Filtering
Copyright 2007, Information Builders. Slide 29
Questions