Restricting Access To a File
Walter Brengel
June, 2008
Copyright 2007, Information Builders. Slide 1

AGENDA
- DBA
  - What Is It?
  - How To Implement?
  - Limitations
  - DBA File
- FILTERs
  - How They Differ From DBA
  - How To Use
  - Dynamic Filtering

WebFOCUS/FOCUS SECURITY
- Any Data Source Can Be Protected For Reporting.
- Implemented With The DBA Attributes In MFD, And SET PASS = PASSWORD.
- Coded In The Master File Description Or Focus Synonym (MFD).

FILENAME = PERS, SUFFIX = FILE TYPE,$
…
END
DBA=DBAVALUE,$
USER=USER ,ACCESS=ACCESS RIGHTS, $

- Limits The Records That A User Can Read Or Update In A File/Table.
- Can Be Used As The Only Security Or Supplement Existing Security (Such As RACF).

WebFOCUS/FOCUS Security
- DBA Security Specifies:
  - The Password For The Database Administrator, With Unlimited Access To The Data Source.
  - Password Used To Encrypt/Decrypt The Master File.
  - The Password(s) Of FOCUS Users Granted Access To A Data Source. The DEFAULT Password Of A User Upon Entering FOCUS/WEBFOCUS Is Blank (' ').
- User Password Information Contains:
  - The Type Of Access The User Is Granted.
  - Restrictions On That Data
  - The Segments And Fields User Is Not Permitted To Retrieve.
  - Values Which Become Automatic 'Filters' On The Data.

WebFOCUS/FOCUS Security

DBA=JONESABC,$
USER=SUPER ,ACCESS=RW, $
USER=' ',ACCESS=R,RESTRICT=VALUE,
NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
USER=HR ,ACCESS=R ,RESTRICT=SEGMENT, NAME=FUNDTRAN ,$
USER=MISAdmin, ACCESS=W, RESTRICT=VALUE, NAME=SALTEST,
VALUE=INCREASE+SALARY GE SALARY,$
ACCESS=R, RESTRICT=VALUE,
NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS',$

WebFOCUS/FOCUS Security
Data Base Administrator - DBA=JONESABC,$
- Every Data Source Having Access Limits Must Have A DBA.
- Groups Of Cross-referenced Data Sources (Or Files To Be Combined Together), Must Have The Same DBA Value.
- Partitioned FOCUS/XFOCUS Data Sources, Which Are Read Together In The USE Command Or Through An Access File, Must Have The Same DBA Value.
- The DBA Has Unlimited Access To The Data Source And All Cross-referenced Data Sources.
- You Cannot Encrypt And Decrypt Master Files Or Restrict Existing Data Sources Without The DBA Password.

WebFOCUS/FOCUS Security
USER Access to Data
USER = name
- Name Is A Password Of Up To 64 Characters For The User. The Password Can Include Special Characters.
- If The Password Contains Blanks, It Must Be Enclosed In Single Quotation Marks.
- Passwords Are Case Sensitive
  - SET DBACSENSITIV = ON
- Or Case Insensitive
  - SET DBACSENSITIV = OFF

WebFOCUS/FOCUS Security
Non-Overridable User Passwords
SET PERMPASS = password
- The PERMPASS Parameter Establishes A User Password That Remains In Effect Throughout A Session Or Connection.
- The User Cannot Issue The SET PASS or SET USER Command To Change To A User Password With Different Security Rules. Any Attempt To Do So Generates The Following Message:

Permanent PASS Is In Effect. Your PASS Will Not Be Honored.
VALUE WAS NOT CHANGED

- FOCUS Passwords May Be Set In MVS Via The FOCUSID Exit, Which Sets The User Password Based On RACF/ACF2/TOP SECRET Or Customer Specific Rules.
  - Returned Passwords Of 8 Characters Are Non-overridable.
  - Returned Passwords Of Less Than 8 Characters Ending In . (Period) Are Non-overridable.

WebFOCUS/FOCUS Security
ACCESS attribute
USER=password, ACCESS=RW,$
- ACCESS=R   Read-Only (TABLE/TABLEF/MATCH FILE)
- ACCESS=W   Write Only (MODIFY/MAINTAIN)
- ACCESS=RW  Read/Write (All FOCUS Commands)
- ACCESS=U   Update Only (MODIFY/MAINTAIN, But No New Records/Rows Will Be Included).

WebFOCUS/FOCUS Security
RESTRICT attribute
USER=name, ACCESS=access, RESTRICT=level,
NAME=levelname,[VALUE=test],$
- FIELD - Specifies That The User Cannot Access The Named Fields
- SEGMENT - Specifies That The User Cannot Access The Named Segments
- PROGRAM - Specifies That The Program Named With The NAME Parameter Will Be Called Whenever The User Uses The Data Source.
- SAME - Specifies That The User Has The Same Restrictions As The User Named In The NAME Parameter.
- NOPRINT - Specifies That The Field Named In The NAME Parameter Can Be Mentioned In A Request Statement, But Will Show Default Values Of Blank Or Zero.
  This Option Is Not Supported With Relational Data Sources.

WebFOCUS/FOCUS Security
RESTRICT=VALUE,NAME=name,VALUE=test
- ACCESS=R
  - NAME = SYSTEM - The Test Specified In VALUE Will Be Applied For Any Report Request Against The File.
  - NAME = segname - The Test Specified In VALUE Will Be Applied For Any Report Request That Requires The Segment Named.
  - VALUE = test - Generates IF Test, So Must Be Of The Form:
    field relation value [OR value …]

WebFOCUS/FOCUS Security
RESTRICT=VALUE,NAME=name,VALUE=test
- ACCESS=W
  - NAME=segname - The Test Is Applied Prior To Any UPDATE / INCLUDE At That Segment Level
  - NAME=testname - The Test Is Applied At Transaction Input As A "Global" VALIDATE
  - VALUE=test - Becomes VALIDATE Name/I1 = Testname; Return Of 0 Fails The Validation, Anything Else Passes.

WebFOCUS/FOCUS Security
DBAFILE - Security Information in a Central Master File
- DBAFILE Attribute Places All Passwords And Restrictions For Multiple Master Files In One Central File.
- Each Individual Master File Points To This Central Control File.
- Groups Of Master Files With The Same DBA Password May Share A Common DBAFILE Which Itself Has The Same DBA Password.
Benefits:
- Passwords Only Have To Be Stored Once When They Are Applicable To A Group Of Data Sources
- Data Sources With Different User Passwords Can Be JOINed or COMBINEd With Applicable Passwords Implemented.

WebFOCUS/FOCUS Security

FILE=filename …
END
DBA=dbaname, DBAFILE=filename ,$

Where:
dbaname   Is the same as the dbaname in the central file.
filename  Is the name of the central file.

WebFOCUS/FOCUS Security

EMPLOYEE MASTER
FILENAME=EMPLOYEE,SUFFIX=FOC,$
….
END
DBA=JONESABC, DBAFILE=DBAF4,$

JOBFILE MASTER
FILENAME=JOBFILE,SUFFIX=FOC,$
….
END
DBA=JONESABC, DBAFILE=DBAF4,$

EDUCFILE MASTER
FILENAME=EDUCFILE,SUFFIX=FOC,$
….
END
DBA=JONESABC, DBAFILE=DBAF4,$

WebFOCUS/FOCUS Security

DBAF4 MASTER
FILENAME=DBAF4,SUFFIX=FOC,$
SEGNAME=ONE,SEGTYPE=S1,$
FIELD=DUMMY,,A1,$
END
DBA=JONESABC,$
USER=ADMIN,ACCESS=R,$
USER=ADMIN2,ACCESS=R,$
USER=SUPER ,ACCESS=RW,$
USER=,ACCESS=R,RESTRICT=VALUE,
NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
FILENAME=JOBFILE,$
USER=JOBADMIN,ACCESS=W,$
FILENAME=EDUCFILE,$
USER=EDADMIN,ACCESS=W,$

WebFOCUS/FOCUS Security
- Limitations
  - ACCESS = R Must Be "IF" field relation value [OR value…]
  - ACCESS = W Must Be Phrased As Boolean (True/False) Expression For Validate.
  - MASTER Must Be Encrypted Or All DBA Is Viewable
  - Changes To MFDs Are Not Always Possible
  - Large Number Of Restrictions Becomes Difficult
- Alternatives
  - IF Rule May Be Avoided With DEFINE In MASTER, And VALUE Restriction On DEFINE Field
  - For Security WITHOUT A MFD Change, Use FILTER FILE

WebFOCUS/FOCUS Security
RESTRICT=VALUE,NAME=TEST,

ACCESS=  NAME=
-------  -----
RW       DEPARTMENT EQ 'MIS'                        VALID
R        RECORDLIMIT EQ 10                          VALID
W        RECORDLIMIT EQ 10                          INVALID
W        CSAL * 1.10 LE 100000                      VALID
R        CSAL * 1.10 LE 100000                      INVALID
W        DEPARTMENT EQ 'MIS' AND CSAL GT 100000     VALID
R        DEPARTMENT EQ 'MIS' AND CSAL GT 100000     INVALID
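
The rules from the Limitations slide and the VALID/INVALID table above, applied as a pre-deployment check on the DBA section of a Master File. This Python linter is an added example, not part of the original presentation or of FOCUS; the users U1 to U4, the operator subset, and the reading of ACCESS=RW as needing both forms are assumptions.

```python
import re

# Subset of FOCUS relational operators, enough for the tests shown here.
RELATIONS = {"EQ", "NE", "GT", "GE", "LT", "LE"}
LITERAL = r"'[^']*'|\d+(?:\.\d+)?"
TOKEN = re.compile(LITERAL + r"|[A-Za-z_]\w*|[()*/+-]")
DECL = re.compile(r"USER=\s*([^,]*?)\s*,\s*ACCESS=\s*(\w+)\s*,\s*RESTRICT=\s*VALUE"
                  r"\s*,\s*NAME=\s*\w+\s*,\s*VALUE=\s*(.+)", re.S)

def is_if_form(tokens):
    """ACCESS=R rule: field relation value [OR value ...]."""
    if len(tokens) < 3 or len(tokens) % 2 == 0 or tokens[1] not in RELATIONS:
        return False
    field_ok = re.fullmatch(r"[A-Za-z_]\w*", tokens[0]) is not None
    values_ok = all(re.fullmatch(LITERAL, v) for v in tokens[2::2])
    return field_ok and values_ok and all(sep == "OR" for sep in tokens[3::2])

def is_validate_form(tokens):
    """ACCESS=W rule: a true/false expression that can act as a VALIDATE."""
    # RECORDLIMIT caps retrieval; the slide's table marks it INVALID for W.
    return any(t in RELATIONS for t in tokens) and "RECORDLIMIT" not in tokens

RULES = {"R": (is_if_form,), "W": (is_validate_form,),
         "RW": (is_if_form, is_validate_form)}  # assumption: RW needs both forms

def check_value_test(access, test):
    """True if the VALUE test is acceptable for this ACCESS level."""
    if access not in RULES:
        raise ValueError("no VALUE rule modelled for ACCESS=" + access)
    tokens = TOKEN.findall(test)
    return all(rule(tokens) for rule in RULES[access])

def lint_dba(section):
    """Return (user, access, test, ok) per RESTRICT=VALUE declaration."""
    findings = []
    for decl in section.split(",$"):
        m = DECL.search(decl)
        if m:
            user, access, test = m.group(1), m.group(2), " ".join(m.group(3).split())
            findings.append((user, access, test, check_value_test(access, test)))
    return findings

# Constructed DBA section: four rows of the table above, with made-up users.
SAMPLE = """DBA=EXAMPLE,$
USER=U1, ACCESS=RW, RESTRICT=VALUE, NAME=TEST, VALUE=DEPARTMENT EQ 'MIS',$
USER=U2, ACCESS=W, RESTRICT=VALUE, NAME=TEST, VALUE=RECORDLIMIT EQ 10,$
USER=U3, ACCESS=R, RESTRICT=VALUE, NAME=TEST, VALUE=CSAL * 1.10 LE 100000,$
USER=U4, ACCESS=W, RESTRICT=VALUE, NAME=TEST, VALUE=DEPARTMENT EQ 'MIS' AND CSAL GT 100000,$
"""
```

Calling lint_dba(SAMPLE) flags U2 and U3, the same combinations the table marks INVALID.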

FILTER FILE
- Restricts Access To Data Without Specifying Rules In The Master File.
- DEFINITIONS At File Containing If Or Where Criteria.
- Each "Filter" Can Be Activated Or Deactivated.
- Active "Filters" Are In Effect For Any Request Against A File.
- Can Be Built Within The Session, Or As Part Of Profile Processing For Dynamic Restrictions.
- May Use &Variables For Selection Of Security

WebFOCUS/FOCUS Security
Syntax:

FILTER FILE filename [CLEAR|ADD]
[filter-defines;]
NAME=filtername1 [,DESC=text]
Where or if phrases
.
.
.
NAME=filternamen [,DESC=text]
Where or if phrases
END

WebFOCUS/FOCUS Security
FILTER ACTIVATION

SET FILTER= {*|xx[ yy zz]} IN file {ON|OFF}

Where:
*         Specifies ALL Filters For Specified Source
xx yy zz  Named Filters For Specified Source
ON/OFF    Activates Or Deactivates Specified Filter(s)

WebFOCUS/FOCUS Security
Example

FILTER FILE EMPDATA
INCREASE/D7 = IF CJC EQ 'B01' THEN .20 ELSE 0;
NAME=TEST1, WHERE INCREASE + SALARY GT SALARY;
NAME= MIS, IF DEPARTMENT EQ 'MIS'
END
SET FILTER = TEST1 IN EMPDATA ON

WebFOCUS/FOCUS Security
Special Considerations
- FILTERs Are Valid For The Structure At The Time The FILTER FILE Is Issued.
- JOIN Will Clear All Filters Declared For Host File Prior To The Join
- JOIN CLEAR Will Clear All FILTERS Declared For Host File AFTER The JOIN Was Issued.
- SET KEEPFILTERS=On
  - Will Retain Filters Regardless Of Join
- Active Filters For A Cross-referenced File Are In Effect, And Need Not Be Declared For The JOIN Structure.

WebFOCUS/FOCUS Security
Dynamic Filters

FILE=SECURITY,SUFFIX=FOC,$
SEGNAME=ONE,SEGTYPE=S0,$
FIELD=USERID,,A8,$
FIELD=WHERETEST,,A80,$
END
DBA=________,$

USERID  WHERETEST
------  ---------
' '     WHERE RECORDLIMIT EQ 5
HR1     WHERE (CSAL * 1.1) LE 100000
HR2     WHERE DEPARTMENT EQ 'MIS'
        AND CSAL GT 100000
MIS     WHERE DEPARTMENT EQ 'MIS'
NEWEMP  WHERE HIRE_DATE GE '19800101'
SUPER   WHERE DEPARTMENT NE ' '
U1      WHERE EMP_ID EQ &USERID

FOCPARM/EDASPROF

-* Map the connected user ID to a key in the SECURITY file.
-SET &USERID = GETUSER('A8');
FILEDEF SCE DISK SCE.FEX
-SET &USERID1 = IF &USERID EQ 'IBIWXB' THEN 'SUPER'
- ELSE IF &USERID EQ 'IBICJP' THEN 'MIS' ELSE ' ';
-* Set the password that grants access to SECURITY and save that key's WHERE test as SCE.
SET PASS=________
TABLE FILE SECURITY
PRINT WHERETEST
WHERE USERID EQ '&USERID1'
ON TABLE SAVE AS SCE
END
-RUN
-* Reset the password to blank, then build and activate the filter from SCE.
SET PASS = ' '
FILTER FILE EMPDATA
NAME=SECURITY,
-INCLUDE SCE
END
SET FILTER =SECURITY IN EMPDATA ON

USERID = IBIWXB (SUPER)

EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
------     ----------  ---------  ----------
071382660  PRODUCTION  STEVENS    ALFRED
112847612  MIS         SMITH      MARY
117593129  MIS         JONES      DIANE
119265415  PRODUCTION  SMITH      RICHARD
119329144  PRODUCTION  BANNING    JOHN
123764317  PRODUCTION  IRVING     JOAN
126724188  PRODUCTION  ROMANS     ANTHONY
219984371  MIS         MCCOY      JOHN
326179357  MIS         BLACKWOOD  ROSEMARIE
451123478  PRODUCTION  MCKNIGHT   ROGER
543729165  MIS         GREENSPAN  MARY
818692173  MIS         CROSS      BARBARA

USERID = IBINMR (' ')

PAGE 1

EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
------     ----------  ---------  ----------
071382660  PRODUCTION  STEVENS    ALFRED
112847612  MIS         SMITH      MARY
117593129  MIS         JONES      DIANE
119265415  PRODUCTION  SMITH      RICHARD
119329144  PRODUCTION  BANNING    JOHN

Review
- DBA
  - What Is It?
  - How To Implement?
  - Limitations
  - DBA File
- FILTERs
  - How They Differ From DBA
  - How To Use
  - Dynamic Filtering

Questions