Restricting Access To a File

Restricting Access To a File. Walter Brengel June, 2008. Restricting Access to a File AGENDA. DBA What Is It? How To Implement? Limitations DBA File FILTERs How They Differ From DBA How To Use Dynamic Filtering. Restricting Access to a File WebFOCUS/FOCUS SECURITY.


Presentation Transcript


  1. Restricting Access To a File Walter Brengel June, 2008

  2. Restricting Access to a File: AGENDA
     • DBA
     • What Is It?
     • How To Implement?
     • Limitations
     • DBA File
     • FILTERs
     • How They Differ From DBA
     • How To Use
     • Dynamic Filtering

  3. Restricting Access to a File: WebFOCUS/FOCUS SECURITY
     • Any Data Source Can Be Protected For Reporting.
     • Implemented With The DBA Attributes In MFD, And SET PASS = PASSWORD.
     • Coded In The Master File Description Or Focus Synonym (MFD).

         FILENAME = PERS, SUFFIX = FILE TYPE,$
         …
         END
         DBA=DBAVALUE,$
         USER=USER ,ACCESS=ACCESS RIGHTS, $

     • Limits The Records That A User Can Read Or Update In A File/Table.
     • Can Be Used As The Only Security Or Supplement Existing Security (Such As RACF).

  4. Restricting Access to a File: WebFOCUS/FOCUS Security
     • DBA Security Specifies:
       • The Password For The Database Administrator, With Unlimited Access To The Data Source.
       • Password Used To Encrypt/Decrypt The Master File.
       • The Password(s) Of FOCUS Users Granted Access To A Data Source. The DEFAULT Password Of A User Upon Entering FOCUS/WEBFOCUS Is Blank (' ').
     • User Password Information Contains:
       • The Type Of Access The User Is Granted.
       • Restrictions On That Data
       • The Segments And Fields User Is Not Permitted To Retrieve.
       • Values Which Become Automatic 'Filters' On The Data.

  5. Restricting Access to a File: WebFOCUS/FOCUS Security

         DBA=JONESABC,$
         USER=SUPER ,ACCESS=RW, $
         USER= ' ',ACCESS=R,RESTRICT=VALUE, NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
         USER=HR ,ACCESS=R ,RESTRICT=SEGMENT, NAME=FUNDTRAN ,$
         USER=MISAdmin, ACCESS=W, RESTRICT=VALUE, NAME=SALTEST, VALUE=INCREASE+SALARY GE SALARY,$
         ACCESS=R, RESTRICT=VALUE, NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS',$

  6. Restricting Access to a File: WebFOCUS/FOCUS Security
     Data Base Administrator - DBA=JONESABC,$
     • Every Data Source Having Access Limits Must Have A DBA.
     • Groups Of Cross-referenced Data Sources (Or Files To Be Combined Together) Must Have The Same DBA Value.
     • Partitioned FOCUS/XFOCUS Data Sources, Which Are Read Together In The USE Command Or Through An Access File, Must Have The Same DBA Value.
     • The DBA Has Unlimited Access To The Data Source And All Cross-referenced Data Sources.
     • You Cannot Encrypt And Decrypt Master Files Or Restrict Existing Data Sources Without The DBA Password.

  7. Restricting Access to a File: WebFOCUS/FOCUS Security
     USER Access to Data

         USER = name

     • Name Is A Password Of Up To 64 Characters For The User. The Password Can Include Special Characters.
     • If The Password Contains Blanks, It Must Be Enclosed In Single Quotation Marks.
     • Passwords Are Case Sensitive
       • SET DBACSENSITIV = ON
     • Or Case Insensitive
       • SET DBACSENSITIV = OFF

  8. Restricting Access to a File: WebFOCUS/FOCUS Security
     Non-Overridable User Passwords
     • SET PERMPASS = password
     • The PERMPASS Parameter Establishes A User Password That Remains In Effect Throughout A Session Or Connection.
     • The User Cannot Issue The SET PASS Or SET USER Command To Change To A User Password With Different Security Rules. Any Attempt To Do So Generates The Following Message:

         Permanent PASS Is In Effect. Your PASS Will Not Be Honored.
         VALUE WAS NOT CHANGED

     • FOCUS Passwords May Be Set In MVS Via The FOCUSID Exit, Which Sets The User Password Based On RACF/ACF2/TOP SECRET Or Customer Specific Rules.
       • Returned Passwords Of 8 Characters Are Non-overridable.
       • Returned Passwords Of Less Than 8 Characters Ending In . (Period) Are Non-overridable.

  9. Restricting Access to a File: WebFOCUS/FOCUS Security
     ACCESS attribute

         USER=password, ACCESS=RW,$

     • ACCESS=R  Read-Only (TABLE/TABLEF/MATCH FILE)
     • ACCESS=W  Write Only (MODIFY/MAINTAIN)
     • ACCESS=RW Read/Write (All FOCUS Commands)
     • ACCESS=U  Update Only (MODIFY/MAINTAIN, But No New Records/Rows Will Be Included).

  10. Restricting Access to a File: WebFOCUS/FOCUS Security
      RESTRICT attribute

          USER=name, ACCESS=access, RESTRICT=level, NAME=levelname,[VALUE=test],$

      • FIELD - Specifies That The User Cannot Access The Named Fields.
      • SEGMENT - Specifies That The User Cannot Access The Named Segments.
      • PROGRAM - Specifies That The Program Named With The NAME Parameter Will Be Called Whenever The User Uses The Data Source.
      • SAME - Specifies That The User Has The Same Restrictions As The User Named In The NAME Parameter.
      • NOPRINT - Specifies That The Field Named In The NAME Parameter Can Be Mentioned In A Request Statement, But Will Show Default Values Of Blank Or Zero. This Option Is Not Supported With Relational Data Sources.

  11. Restricting Access to a File: WebFOCUS/FOCUS Security
      RESTRICT=VALUE,NAME=name,VALUE=test
      • ACCESS=R
        • NAME = SYSTEM - The Test Specified In VALUE Will Be Applied For Any Report Request Against The File.
        • NAME = segname - The Test Specified In VALUE Will Be Applied For Any Report Request That Requires The Segment Named.
        • VALUE = test - Generates IF Test, So Must Be Of The Form: field relation value [OR value …]

  12. Restricting Access to a File: WebFOCUS/FOCUS Security
      RESTRICT=VALUE,NAME=name,VALUE=test
      • ACCESS=W
        • NAME=segname - The Test Is Applied Prior To Any UPDATE / INCLUDE At That Segment Level.
        • NAME=testname - The Test Is Applied At Transaction Input As A "Global" VALIDATE.
        • VALUE= test - Becomes VALIDATE Name/I1 = Testname; Return Of 0 Fails The Validation, Anything Else Passes.

  13. Restricting Access to a File: WebFOCUS/FOCUS Security
      DBAFILE - Security Information in a Central Master File
      • DBAFILE Attribute Places All Passwords And Restrictions For Multiple Master Files In One Central File.
      • Each Individual Master File Points To This Central Control File.
      • Groups Of Master Files With The Same DBA Password May Share A Common DBAFILE Which Itself Has The Same DBA Password.
      Benefits:
      • Passwords Only Have To Be Stored Once When They Are Applicable To A Group Of Data Sources.
      • Data Sources With Different User Passwords Can Be JOINed Or COMBINEd With Applicable Passwords Implemented.

  14. Restricting Access to a File: WebFOCUS/FOCUS Security

          FILE=filename
          …
          END
          DBA=dbaname, DBAFILE=filename ,$

      Where:
      • dbaname Is The Same As The dbaname In The Central File.
      • filename Is The Name Of The Central File.

  15. Restricting Access to a File: WebFOCUS/FOCUS Security

      EMPLOYEE MASTER:

          FILENAME=EMPLOYEE,SUFFIX=FOC,$
          ….
          END
          DBA=JONESABC, DBAFILE=DBAF4,$

      JOBFILE MASTER:

          FILENAME=JOBFILE,SUFFIX=FOC,$
          ….
          END
          DBA=JONESABC, DBAFILE=DBAF4,$

      EDUCFILE MASTER:

          FILENAME=EDUCFILE,SUFFIX=FOC,$
          ….
          END
          DBA=JONESABC, DBAFILE=DBAF4,$

  16. Restricting Access to a File: WebFOCUS/FOCUS Security

      DBAF4 MASTER:

          FILENAME=DBAF4,SUFFIX=FOC,$
          SEGNAME=ONE,SEGTYPE=S1
          FIELD=DUMMY,,A1,$
          END
          DBA=JONESABC,$
          USER=ADMIN,ACCESS=R,$
          USER=ADMIN2,ACCESS=R,$
          USER=SUPER ,ACCESS=RW,$
          USER=,ACCESS=R,RESTRICT=VALUE, NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
          FILENAME=JOBFILE,$
          USER=JOBADMIN,ACCESS=W,$
          FILENAME=EDUCFILE,$
          USER=EDADMIN,ACCESS=W,$

  17. Restricting Access to a File: WebFOCUS/FOCUS Security
      • Limitations
        • ACCESS = R Must Be "IF" field relation value [OR value…]
        • ACCESS = W Must Be Phrased As Boolean (True/False) Expression For Validate.
        • MASTER Must Be Encrypted Or All DBA Is Viewable
        • Changes To MFD's Are Not Always Possible
        • Large Number Of Restrictions Becomes Difficult
      • Alternatives
        • IF Rule May Be Avoided With DEFINE In MASTER, And VALUE Restriction On DEFINE Field
        • For Security WITHOUT A MFD Change, Use FILTER FILE

  18. Restricting Access to a File: WebFOCUS/FOCUS Security

      RESTRICT=VALUE,NAME=TEST,

          ACCESS=   NAME=
          -------   ----------------------------------------   -------
          RW        DEPARTMENT EQ 'MIS'                         VALID
          R         RECORDLIMIT EQ 10                           VALID
          W         RECORDLIMIT EQ 10                           INVALID
          W         CSAL * 1.10 LE 100000                       VALID
          R         CSAL * 1.10 LE 100000                       INVALID
          W         DEPARTMENT EQ 'MIS' AND CSAL GT 100000      VALID
          R         DEPARTMENT EQ 'MIS' AND CSAL GT 100000      INVALID

  19. Restricting Access to a File: FILTER FILE
      • Restricts Access To Data Without Specifying Rules In The Master File.
      • DEFINITIONS At File Containing If Or Where Criteria.
      • Each "Filter" Can Be Activated Or Deactivated.
      • Active "Filters" Are In Effect For Any Request Against A File.
      • Can Be Built Within The Session, Or As Part Of Profile Processing For Dynamic Restrictions.
      • May Use &Variables For Selection Of Security

  20. Restricting Access to a File: WebFOCUS/FOCUS Security
      Syntax:

          FILTER FILE filename [CLEAR|ADD]
          [filter-defines;]
          NAME=filtername1 [,DESC=text]
          Where or if phrases
          .
          .
          .
          NAME=filternamen [,DESC=text]
          Where or if phrases
          END

  21. Restricting Access to a File: WebFOCUS/FOCUS Security
      FILTER ACTIVATION

          SET FILTER= {*|xx[ yy zz]} IN file {ON|OFF}

      Where:
      • *         Specifies ALL Filters For Specified Source
      • xx yy zz  Named Filters For Specified Source
      • ON/OFF    Activates Or Deactivates Specified Filter(s)

  22. Restricting Access to a File: WebFOCUS/FOCUS Security
      Example

          FILTER FILE EMPDATA
          INCREASE/D7 = IF CJC EQ 'B01' THEN .20 ELSE 0;
          NAME=TEST1,
          WHERE INCREASE + SALARY GT SALARY;
          NAME= MIS,
          IF DEPARTMENT EQ 'MIS'
          END
          SET FILTER = TEST1 IN EMPDATA ON

  23. Restricting Access to a File: WebFOCUS/FOCUS Security
      Special Considerations
      • FILTERs Are Valid For The Structure At The Time The FILTER FILE Is Issued.
      • JOIN Will Clear All Filters Declared For Host File Prior To The Join.
      • JOIN CLEAR Will Clear All FILTERs Declared For Host File AFTER The JOIN Was Issued.
      • SET KEEPFILTERS=ON
        • Will Retain Filters Regardless Of Join
      • Active Filters For A Cross-referenced File Are In Effect, And Need Not Be Declared For The JOIN Structure.

  24. Restricting Access to a File: WebFOCUS/FOCUS Security
      Dynamic Filters

          FILE=SECURITY,SUFFIX=FOC,
          SEGNAME=ONE,SEGTYPE=S0
          FIELD=USERID,,A8,$
          FIELD=WHERETEST,,A80,$
          END
          DBA=________,$

          USERID  WHERETEST
          ------  ---------
                  WHERE RECORDLIMIT EQ 5
          HR1     WHERE (CSAL * 1.1) LE 100000
          HR2     WHERE DEPARTMENT EQ 'MIS' AND CSAL GT 100000
          MIS     WHERE DEPARTMENT EQ 'MIS'
          NEWEMP  WHERE HIRE_DATE GE '19800101'
          SUPER   WHERE DEPARTMENT NE ' '
          U1      WHERE EMP_ID EQ &USERID

  25. Restricting Access to a File: FOCPARM/EDASPROF

          -* Map the connected user ID to a row in the SECURITY file
          -SET &USERID = GETUSER('A8');
          FILEDEF SCE DISK SCE.FEX
          -SET &USERID1 = IF &USERID EQ 'IBIWXB' THEN 'SUPER'
          -  ELSE IF &USERID EQ 'IBICJP' THEN 'MIS' ELSE ' ';
          -* Read that user's WHERE test under the DBA password and save it to SCE
          SET PASS=________
          TABLE FILE SECURITY
          PRINT WHERETEST
          WHERE USERID EQ '&USERID1'
          ON TABLE SAVE AS SCE
          END
          -RUN
          -* Drop back to the blank password, then build and activate the filter
          SET PASS = ' '
          FILTER FILE EMPDATA
          NAME=SECURITY,
          -INCLUDE SCE
          END
          SET FILTER =SECURITY IN EMPDATA ON

  26. Restricting Access to a File: USERID = IBIWXB (SUPER)

          EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
          ------     ----------  ---------  ----------
          071382660  PRODUCTION  STEVENS    ALFRED
          112847612  MIS         SMITH      MARY
          117593129  MIS         JONES      DIANE
          119265415  PRODUCTION  SMITH      RICHARD
          119329144  PRODUCTION  BANNING    JOHN
          123764317  PRODUCTION  IRVING     JOAN
          126724188  PRODUCTION  ROMANS     ANTHONY
          219984371  MIS         MCCOY      JOHN
          326179357  MIS         BLACKWOOD  ROSEMARIE
          451123478  PRODUCTION  MCKNIGHT   ROGER
          543729165  MIS         GREENSPAN  MARY
          818692173  MIS         CROSS      BARBARA

  27. Restricting Access to a File: USERID = IBINMR (' ')

          PAGE 1

          EMP_ID     DEPARTMENT  LAST_NAME  FIRST_NAME
          ------     ----------  ---------  ----------
          071382660  PRODUCTION  STEVENS    ALFRED
          112847612  MIS         SMITH      MARY
          117593129  MIS         JONES      DIANE
          119265415  PRODUCTION  SMITH      RICHARD
          119329144  PRODUCTION  BANNING    JOHN

  28. Review
      • DBA
      • What Is It?
      • How To Implement?
      • Limitations
      • DBA File
      • FILTERs
      • How They Differ From DBA
      • How To Use
      • Dynamic Filtering

  29. Questions Thanks for Coming
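
The VALUE-test rules from slides 17 and 18 can be checked before a Master File is deployed. The Python linter below is an added example, not part of the presentation or of WebFOCUS; the relation list, the handling of ACCESS=RW and ACCESS=U, and the sample DBA section (user names, DBA value) are assumptions made for illustration.

```python
import re

RELATIONS = {"EQ", "NE", "GT", "GE", "LT", "LE"}  # assumed subset of FOCUS relations
KEYWORDS = RELATIONS | {"OR", "AND"}
TOKEN = r"'[^']*'|[A-Za-z_&]\w*|\d+(?:\.\d+)?|[-+*/()]"
ATTR = re.compile(r"\b(USER|ACCESS|RESTRICT|NAME|VALUE)\s*=\s*(.*?)\s*"
                  r"(?=,\s*(?:USER|ACCESS|RESTRICT|NAME|VALUE)\s*=|$)", re.S)

def tokens(test):
    """Tokenize a VALUE test; return [] if any character is not part of a token."""
    return [] if re.sub(TOKEN, "", test).strip() else re.findall(TOKEN, test)

def is_if_test(tok):
    """Read shape from the slides: field relation value [OR value ...]."""
    if len(tok) < 3 or len(tok) % 2 == 0 or not tok[0][0].isalpha():
        return False
    values, seps = tok[2::2], tok[3::2]
    return (tok[1].upper() in RELATIONS
            and all(v not in "+-*/()" and v.upper() not in KEYWORDS for v in values)
            and all(s.upper() == "OR" for s in seps))

def check_value_test(access, test):
    """Return 'VALID' or 'INVALID' for a RESTRICT=VALUE test under an ACCESS level."""
    tok = tokens(test)
    upper = [t.upper() for t in tok]
    read_ok = is_if_test(tok)
    # Write tests become a VALIDATE expression; slide 18 marks RECORDLIMIT invalid for W.
    write_ok = any(t in RELATIONS for t in upper) and "RECORDLIMIT" not in upper
    # Assumptions: RW must satisfy both rules; U is treated like W.
    rules = {"R": read_ok, "W": write_ok, "U": write_ok, "RW": read_ok and write_ok}
    return "VALID" if rules.get(access.upper(), False) else "INVALID"

def lint_dba(dba_text):
    """Check each RESTRICT=VALUE declaration; return (user, access, test, verdict)."""
    findings = []
    for decl in dba_text.split(",$"):
        a = dict(ATTR.findall(decl))
        if a.get("RESTRICT", "").upper() == "VALUE":
            access, test = a.get("ACCESS", ""), a.get("VALUE", "")
            findings.append((a.get("USER", ""), access, test, check_value_test(access, test)))
    return findings

# Constructed DBA section (user names and DBA value are made up for this example).
SAMPLE_DBA = """DBA=EXAMPLEDBA,$
USER=HR1, ACCESS=R, RESTRICT=VALUE, NAME=SYSTEM, VALUE=DEPARTMENT EQ 'MIS' OR 'HR',$
USER=HR2, ACCESS=R, RESTRICT=VALUE, NAME=SYSTEM, VALUE=CSAL * 1.10 LE 100000,$
USER=PAY, ACCESS=W, RESTRICT=VALUE, NAME=SALTEST, VALUE=INCREASE+SALARY GE SALARY,$
"""

if __name__ == "__main__":
    for finding in lint_dba(SAMPLE_DBA):
        print(finding)
```

Run against the seven rows of the slide 18 table, `check_value_test` returns the same VALID/INVALID verdicts; the HR2 declaration in the sample is flagged because an arithmetic expression cannot be used as a read restriction.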