Copyright 2007, Information Builders. Slide 1 Restricting Access To a File Walter Brengel June, 2008.

Presentation transcript:

Slide 1: Restricting Access To a File. Walter Brengel, June, 2008

Slide 2: Agenda
- DBA
- What Is It?
- How To Implement?
- Limitations
- DBA File
- FILTERs
- How They Differ From DBA
- How To Use
- Dynamic Filtering

Slide 3: WebFOCUS/FOCUS Security
- Any Data Source Can Be Protected For Reporting.
- Implemented With The DBA Attributes In MFD, And SET PASS = PASSWORD.
- Coded In The Master File Description Or Focus Synonym (MFD).

    FILENAME = PERS, SUFFIX = FILE TYPE,$
    …
    END
    DBA=DBAVALUE,$
    USER=USER,ACCESS=ACCESS RIGHTS, $

- Limits The Records That A User Can Read Or Update In A File/Table.
- Can Be Used As The Only Security Or Supplement Existing Security (Such As RACF).

Slide 4: WebFOCUS/FOCUS Security
- DBA Security Specifies:
  - The Password For The Database Administrator, With Unlimited Access To The Data Source.
  - Password Used To Encrypt/Decrypt The Master File.
  - The Password(s) Of FOCUS Users Granted Access To A Data Source. The DEFAULT Password Of A User Upon Entering FOCUS/WEBFOCUS Is Blank (' ').
- User Password Information Contains:
  - The Type Of Access The User Is Granted.
  - Restrictions On That Data
  - The Segments And Fields User Is Not Permitted To Retrieve.
  - Values Which Become Automatic 'Filters' On The Data.

Slide 5: WebFOCUS/FOCUS Security

    DBA=JONESABC,$
    USER=SUPER,ACCESS=RW, $
    USER=' ',ACCESS=R,RESTRICT=VALUE,
      NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
    USER=HR,ACCESS=R,RESTRICT=SEGMENT,
      NAME=FUNDTRAN,$
    USER=MISAdmin, ACCESS=W, RESTRICT=VALUE,
      NAME=SALTEST, VALUE=INCREASE+SALARY GE SALARY,$
    ACCESS=R, RESTRICT=VALUE,
      NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS',$

Slide 6: WebFOCUS/FOCUS Security

Data Base Administrator - DBA=JONESABC,$
- Every Data Source Having Access Limits Must Have A DBA.
- Groups Of Cross-referenced Data Sources (Or Files To Be Combined Together), Must Have The Same DBA Value.
- Partitioned FOCUS/XFOCUS Data Sources, Which Are Read Together In The Use Command Or Through An Access File Must Have The Same DBA Value.
- The DBA Has Unlimited Access To The Data Source And All Cross-referenced Data Sources
- You Cannot Encrypt And Decrypt Master Files Or Restrict Existing Data Sources Without The DBA Password.

Slide 7: WebFOCUS/FOCUS Security

USER Access to Data

    USER = name

- Name Is A Password Of Up To 64 Characters For The User. The Password Can Include Special Characters.
- If The Password Contains Blanks, It Must Be Enclosed In Single Quotation Marks.
- Passwords Are Case Sensitive
  - SET DBACSENSITIV = ON
- Or Case Insensitive
  - SET DBACSENSITIV = OFF

Slide 8: WebFOCUS/FOCUS Security

Non-Overridable User Passwords
- SET PERMPASS = password
- The PERMPASS Parameter Establishes A User Password That Remains In Effect Throughout A Session Or Connection.
- The User Cannot Issue The SET PASS or SET USER Command To Change To A User Password With Different Security Rules. Any Attempt To Do So Generates The Following Message:

    Permanent PASS Is In Effect. Your PASS Will Not Be Honored.
    VALUE WAS NOT CHANGED

- FOCUS Passwords May Be Set In MVS Via The FOCUSID Exit, Which Sets The User Password Based On RACF/ACF2/TOP SECRET Or Customer Specific Rules.
  - Returned Passwords Of 8 Characters Are Non-overridable.
  - Returned Passwords Of Less Than 8 Characters Ending In . (Period) Are Non-overridable.

Slide 9: WebFOCUS/FOCUS Security

ACCESS attribute

    USER=password, ACCESS=RW,$

- ACCESS=R   Read-Only (TABLE/TABLEF/MATCH FILE)
- ACCESS=W   Write Only (MODIFY/MAINTAIN)
- ACCESS=RW  Read/Write (All FOCUS Commands)
- ACCESS=U   Update Only (MODIFY/MAINTAIN, But No New Records/Rows Will Be Included).

Slide 10: WebFOCUS/FOCUS Security

RESTRICT attribute

    USER=name, ACCESS=access, RESTRICT=level, NAME=levelname,[VALUE=test],$

- FIELD - Specifies That The User Cannot Access The Named Fields
- SEGMENT - Specifies That The User Cannot Access The Named Segments
- PROGRAM - Specifies That The Program Named With The NAME Parameter Will Be Called Whenever The User Uses The Data Source.
- SAME - Specifies That The User Has The Same Restrictions As The User Named In The NAME Parameter.
- NOPRINT - Specifies That The Field Named In The NAME Parameter Can Be Mentioned In A Request Statement, But Will Show Default Values Of Blank Or Zero. This Option Is Not Supported With Relational Data Sources.

Slide 11: WebFOCUS/FOCUS Security

    RESTRICT=VALUE,NAME=name,VALUE=test

- ACCESS=R
  - NAME = SYSTEM - The Test Specified In VALUE Will Be Applied For Any Report Request Against The File.
  - NAME = segname - The Test Specified In VALUE Will Be Applied For Any Report Request That Requires The Segment Named.
  - VALUE = test - Generates IF Test, So Must Be Of The Form: field relation value [OR value …]

Slide 12: WebFOCUS/FOCUS Security

    RESTRICT=VALUE,NAME=name,VALUE=test

- ACCESS=W
  - NAME=segname - The Test Is Applied Prior To Any UPDATE / INCLUDE At That Segment Level
  - NAME=testname - The Test Is Applied At Transaction Input As A "Global" VALIDATE
  - VALUE=test - Becomes VALIDATE Name/I1 = Testname; Return Of 0 Fails The Validation, Anything Else Passes.

Slide 13: WebFOCUS/FOCUS Security

DBAFILE - Security Information in a Central Master File
- DBAFILE Attribute Places All Passwords And Restrictions For Multiple Master Files In One Central File.
- Each Individual Master File Points To This Central Control File.
- Groups Of Master Files With The Same DBA Password May Share A Common DBAFILE Which Itself Has The Same DBA Password.

Benefits:
- Passwords Only Have To Be Stored Once When They Are Applicable To A Group Of Data Sources
- Data Sources With Different User Passwords Can Be JOINed or COMBINEd With Applicable Passwords Implemented.

Slide 14: WebFOCUS/FOCUS Security

    FILE=filename
    …
    END
    DBA=dbaname, DBAFILE=filename,$

Where:
- dbaname Is the same as the dbaname in the central file.
- filename Is the name of the central file.

Slide 15: WebFOCUS/FOCUS Security

EMPLOYEE MASTER:

    FILENAME=EMPLOYEE,SUFFIX=FOC,$
    ….
    END
    DBA=JONESABC, DBAFILE=DBAF4,$

JOBFILE MASTER:

    FILENAME=JOBFILE,SUFFIX=FOC,$
    ….
    END
    DBA=JONESABC, DBAFILE=DBAF4,$

EDUCFILE MASTER:

    FILENAME=EDUCFILE,SUFFIX=FOC,$
    ….
    END
    DBA=JONESABC, DBAFILE=DBAF4,$

Slide 16: WebFOCUS/FOCUS Security

DBAF4 MASTER:

    FILENAME=DBAF4,SUFFIX=FOC,$
    SEGNAME=ONE,SEGTYPE=S1
    FIELD=DUMMY,,A1,$
    END
    DBA=JONESABC,$
    USER=ADMIN,ACCESS=R,$
    USER=ADMIN2,ACCESS=R,$
    USER=SUPER,ACCESS=RW,$
    USER=,ACCESS=R,RESTRICT=VALUE,
      NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
    FILENAME=JOBFILE,$
    USER=JOBADMIN,ACCESS=W,$
    FILENAME=EDUCFILE,$
    USER=EDADMIN,ACCESS=W,$

Slide 17: WebFOCUS/FOCUS Security
- Limitations
  - ACCESS = R Must Be "IF" field relation value [OR value…]
  - ACCESS = W Must Be Phrased As Boolean (True/False) Expression For Validate.
  - MASTER Must Be Encrypted Or All DBA Is Viewable
  - Changes To MFD's Are Not Always Possible
  - Large Number Of Restrictions Becomes Difficult
- Alternatives
  - IF Rule May Be Avoided With DEFINE In MASTER, And VALUE Restriction On DEFINE Field
  - For Security WITHOUT A MFD Change, Use FILTER FILE
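
The slide 17 limitation that an unencrypted master exposes the whole DBA section can be checked mechanically. The following is an added example, not part of the original deck or any Information Builders code: it parses the slide 5 DBA declarations out of a Master File and reports a readable DBA section and passwords that carry no RESTRICT. The file body, function names and finding wording are assumptions, and the sample input is constructed.

```python
import re

# Constructed input: the slide 5 DBA section placed after a minimal, made-up
# Master File body (EMPDATA and the DEPARTMENT field line are assumptions).
SAMPLE_MFD = """FILENAME=EMPDATA, SUFFIX=FOC,$
SEGNAME=ONE, SEGTYPE=S1,$
FIELD=DEPARTMENT,,A10,$
END
DBA=JONESABC,$
USER=SUPER,ACCESS=RW, $
USER=' ',ACCESS=R,RESTRICT=VALUE,
 NAME=SYSTEM,VALUE=RECORDLIMIT EQ 50,$
USER=HR,ACCESS=R,RESTRICT=SEGMENT, NAME=FUNDTRAN,$
USER=MISAdmin, ACCESS=W, RESTRICT=VALUE,
 NAME=SALTEST, VALUE=INCREASE+SALARY GE SALARY,$
ACCESS=R, RESTRICT=VALUE, NAME=SYSTEM,VALUE=DEPARTMENT EQ 'MIS',$
"""
KEYS = r"(?:DBAFILE|DBA|USER|ACCESS|RESTRICT|NAME|VALUE)\s*="

def parse_dba(mfd_text):
    """Parse the declarations that follow END into (has_dba, rules)."""
    tail = mfd_text.partition("\nEND\n")[2]
    has_dba, rules, user = False, [], None
    for decl in tail.split("$"):            # every declaration ends with $
        decl = " ".join(decl.split()).rstrip(", ")
        attrs = {}
        # Split only on commas that introduce a known attribute, so the
        # free-text VALUE test stays in one piece.
        for pair in re.split(r",\s*(?=" + KEYS + ")", decl):
            key, _, val = pair.partition("=")
            attrs[key.strip().upper()] = val.strip()
        if "DBA" in attrs:
            has_dba = True
        if "ACCESS" not in attrs:           # DBA=, FILENAME= or empty text
            continue
        if "USER" in attrs:                 # a rule without USER= continues
            user = attrs["USER"].strip("' ")  # the previous user's entry
        rules.append({"user": user, "access": attrs["ACCESS"],
                      "restrict": attrs.get("RESTRICT"),
                      "name": attrs.get("NAME"), "value": attrs.get("VALUE")})
    return has_dba, rules

def audit(mfd_text):
    """Return review findings without echoing any password."""
    has_dba, rules = parse_dba(mfd_text)
    findings = []
    if has_dba:
        findings.append("DBA section is readable: master is not encrypted")
    for r in rules:
        who = "blank (default) password" if r["user"] == "" else "a user password"
        if r["restrict"] is None:
            findings.append(f"{who}: ACCESS={r['access']} with no RESTRICT")
    return findings
```
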

Slide 18: WebFOCUS/FOCUS Security

RESTRICT=VALUE,NAME=TEST,

    ACCESS=   NAME=
    RW        DEPARTMENT EQ 'MIS'
    R         RECORDLIMIT EQ 10
    W         RECORDLIMIT EQ 10
    W         CSAL * 1.10 LE
    R         CSAL * 1.10 LE
    W         DEPARTMENT EQ 'MIS' AND CSAL GT
    R         DEPARTMENT EQ 'MIS' AND CSAL GT

VALID INVALID VALID INVALID

Slide 19: FILTER FILE
- Restricts Access To Data Without Specifying Rules In The Master File.
- DEFINITIONS At File Containing If Or Where Criteria.
- Each "Filter" Can Be Activated Or Deactivated.
- Active "Filters" Are In Effect For Any Request Against A File.
- Can Be Built Within The Session, Or As Part Of Profile Processing For Dynamic Restrictions.
- May Use &Variables For Selection Of Security

Slide 20: WebFOCUS/FOCUS Security

Syntax:

    FILTER FILE filename [CLEAR|ADD]
    [filter-defines;]
    NAME=filtername1 [,DESC=text]
    Where or if phrases.
    NAME=filternamen [,DESC=text]
    Where or if phrases
    END

Slide 21: WebFOCUS/FOCUS Security

FILTER ACTIVATION

    SET FILTER= {*|xx[ yy zz]} IN file {ON|OFF}

Where:
- * Specifies ALL Filters For Specified Source
- xx yy zz Named Filters For Specified Source
- ON/OFF Activates Or Deactivates Specified Filter(s)

Slide 22: WebFOCUS/FOCUS Security

Example

    FILTER FILE EMPDATA
    INCREASE/D7 = IF CJC EQ 'B01' THEN .20 ELSE 0;
    NAME=TEST1,
    WHERE INCREASE + SALARY GT SALARY;
    NAME= MIS,
    IF DEPARTMENT EQ 'MIS'
    END
    SET FILTER = TEST1 IN EMPDATA ON

Slide 23: WebFOCUS/FOCUS Security

Special Considerations
- FILTER Are Valid For The Structure At The Time The FILTER FILE Is Issued.
- JOIN Will Clear All Filters Declared For Host File Prior To The Join
- JOIN CLEAR Will Clear All FILTERS Declared For Host File AFTER The JOIN Was Issued.
- SET KEEPFILTERS=On
  - Will Retain Filters Regardless Of Join
- Active Filters For A Cross-referenced File Are In Effect, And Need Not Be Declared For The JOIN Structure.

Slide 24: WebFOCUS/FOCUS Security

Dynamic Filters

    USERID    WHERETEST
    (blank)   WHERE RECORDLIMIT EQ 5
    HR1       WHERE (CSAL * 1.1) LE
    HR2       WHERE DEPARTMENT EQ 'MIS' AND CSAL GT
    MIS       WHERE DEPARTMENT EQ 'MIS'
    NEWEMP    WHERE HIRE_DATE GE ' '
    SUPER     WHERE DEPARTMENT NE ' '
    U1        WHERE EMP_ID EQ &USERID

    FILE=SECURITY,SUFFIX=FOC,
    SEGNAME=ONE,SEGTYPE=S0
    FIELD=USERID,,A8,$
    FIELD=WHERETEST,,A80,$
    END
    DBA=________,$

Slide 25: FOCPARM/EDASPROF

    -* Identify the connected user and map it to a row of SECURITY
    -SET &USERID = GETUSER('A8');
    FILEDEF SCE DISK SCE.FEX
    -SET &USERID1 = IF &USERID EQ 'IBIWXB' THEN 'SUPER'
    - ELSE IF &USERID EQ 'IBICJP' THEN 'MIS' ELSE ' ';
    -* Read that user's WHERE test with the DBA password, save it as SCE
    SET PASS=________
    TABLE FILE SECURITY
    PRINT WHERETEST
    WHERE USERID EQ '&USERID1'
    ON TABLE SAVE AS SCE
    END
    -RUN
    -* Drop back to the blank password before building the filter
    SET PASS = ' '
    FILTER FILE EMPDATA
    NAME=SECURITY,
    -INCLUDE SCE
    END
    SET FILTER =SECURITY IN EMPDATA ON

Slide 26: USERID = IBIWXB (SUPER)

    EMP_ID   DEPARTMENT   LAST_NAME   FIRST_NAME
             PRODUCTION   STEVENS     ALFRED
             MIS          SMITH       MARY
             MIS          JONES       DIANE
             PRODUCTION   SMITH       RICHARD
             PRODUCTION   BANNING     JOHN
             PRODUCTION   IRVING      JOAN
             PRODUCTION   ROMANS      ANTHONY
             MIS          MCCOY       JOHN
             MIS          BLACKWOOD   ROSEMARIE
             PRODUCTION   MCKNIGHT    ROGER
             MIS          GREENSPAN   MARY
             MIS          CROSS       BARBARA

Slide 27: USERID = IBINMR (' ')

    PAGE 1
    EMP_ID   DEPARTMENT   LAST_NAME   FIRST_NAME
             PRODUCTION   STEVENS     ALFRED
             MIS          SMITH       MARY
             MIS          JONES       DIANE
             PRODUCTION   SMITH       RICHARD
             PRODUCTION   BANNING     JOHN

Slide 28: Review
- DBA
- What Is It?
- How To Implement?
- Limitations
- DBA File
- FILTERs
- How They Differ From DBA
- How To Use
- Dynamic Filtering

Slide 29: Questions