HP 3000 Manuals HP 3000 Manuals
INFORM/V Security INFORM/V security allows you to limit the names of the databases, data sets, data elements, and Groups that are displayed in INFORM/V menus. If INFORM/V security is not established, all data dictionary entities are available for display. The data can still be protected, as the user will be prompted for passwords and lockwords for each data set or file accessed. However, these prompts occur after the report has been defined, and so the user has already viewed the names of all data elements in the Groups or data sets requested. If INFORM/V security is established, the user must supply the password when INFORM/V is first invoked. The passwords for individual entities can be embedded in the INFORM/V security structure, and so, once the user has supplied the INFORM/V password, he need not be prompted for any passwords when the report is produced. The two different situations are described graphically in Figure 11-19.Figure 11-19. The Value of INFORM/V Security To establish INFORM/V security, you establish an INFORM class for each kind of user. Each INFORM class is assigned a password, and all users in that class must supply the password when they run INFORM/V. Different INFORM classes (i.e., different passwords) are created for the different classes of users who require access to different data in the same dictionary. It is then necessary to tie the individual entities in the data dictionary to the INFORM classes that have been set up. To do this, INFORM/V security takes advantage of the complete security capabilities already available in DICTIONARY/V for IMAGE/V and TurboIMAGE. All data elements, files (data sets), and data bases are tied to the INFORM/V classes through the intermediate step of one or more IMAGE classes. One view of the kinds of relationships that are established is shown in Figure 11-20. INFORM/V goes to the data dictionary and checks to see that the password entered is valid. If the password is correct, INFORM/V then checks for the INFORM class number associated with that password. INFORM/V then checks all the IMAGE classes that are related to that INFORM class and builds an IMAGE class list. The information displayed on INFORM/V menus consists of the database files, Groups, and elements that are associated with the IMAGE classes on the IMAGE class list. The next subsection describes the simplest case of establishing INFORM/V security for a single database. For this discussion, it is assumed that no INFORM/V Groups have been established. The final discussion in this section then takes up the question of how to relate INFORM/V security to INFORM/V Groups, and explains how to establish security when Groups are drawn from multiple files and data sets. Establishing Security for a Database (Without Groups) If you want to allow users to access a database directly, without establishing INFORM/V Groups, but still want to use INFORM/V security, it is very simple to establish that security. The best plan is to establish a one-to-one correlation between the IMAGE class and the INFORM class. Figure 11-20 shows a simplified view of the relationships that are established. A single database serves two different classes of users, who require access to different data elements in the database. The database administrator establishes two INFORM classes and relates a single IMAGE class to each. The elements needed by each INFORM class are then related to the IMAGE class. It is important to relate only one IMAGE class for a given data set to an INFORM class. When INFORM/V builds the class list, it includes all references to the database, but, when the class list is used, INFORM/V always stops at the first IMAGE class it finds on the class list for that database.Figure 11-20. Hierarchy for Security for a Database Figure 11-20 illustrates another important requirement: not only is the data element related to the IMAGE class, but also the data set that contains the element and the database that contains the data set must also be related to the IMAGE class. The steps that will be used in the example shown here are as follows: * Create the INFORM classes. * Create IMAGE classes, one for each INFORM class. * Relate each IMAGE class to one of the INFORM classes. * Add (or secure) database file, data set files, and elements to each IMAGE class. The optimal situation is to plan the INFORM/V security and IMAGE security at the same time, when you are designing the database. Or, it is quite likely that the IMAGE security designed for the database will also fit the requirements of INFORM/V security. It makes sense that reporting access requirements will match database access requirements.Figure 11-21. The Database Used to Establish INFORM/V Security The example shown here will use the the database shown in Figure 11-21. Four IMAGE security classes will be established, one each for benefits clerks, for records clerks, for compensation clerks, and for the manager. Each of these four IMAGE classes will be related to a parallel INFORM class. Table 11-1. IMAGE and INFORM Classes to Establish Security ---------------------------------------------------------------------------------------------- | | | | | INFORM CLASS | IMAGE CLASS | | | | | | | Number Password | Number Password | ELEMENTS AND DATA SETS | | | | | ---------------------------------------------------------------------------------------------- | | | | | 650 CLK | 50 CLK1 | All elements in PEOPLE | | | | except BDATE | | | | | | | | All elements in BENEFITS | | | | | ---------------------------------------------------------------------------------------------- | | | | | 660 RECORDS | 60 REC | All Elements in PEOPLE | | | | | | | | All elements in EDUCATION | | | | | | | | STD.HRS in WAGE | | | | | | | | All elements in BENEFITS | | | | | ---------------------------------------------------------------------------------------------- | | | | | 670 SALARY | 70 SALMGR | All elements in PEOPLE | | | | | | | | All elements in WAGE | | | | | ---------------------------------------------------------------------------------------------- | | | | | 680 BOSS | 80 VP | All elements in all data | | | | sets | | | | | ---------------------------------------------------------------------------------------------- Table 11-1 identifies which elements each of the four classes of users can see. The first three classes are limited to read-only access to certain parts of the database. The fourth user, the manager, can see and modify the entire database. The table also shows the numbering pattern that the user has established for the classes to make it easy to correlate each INFORM class with its IMAGE class. The passwords assigned to the IMAGE classes are the same as the passwords for the EMPBAS database. When INFORM/V is producing a report, it opens the database using these passwords. _______________________________________ | | | > REPEAT CREATE CLASS | | CLASS 650 | | NAME | | TYPE INFO | | PASSWORD CLK | | RESPONSIBILITY | | DESCRIPTION | | | | CLASS 660 | | NAME | | TYPE INFO | | PASSWORD RECORDS| | RESPONSIBILITY | | DESCRIPTION | | | | CLASS 670 | | NAME | | TYPE INFO | | PASSWORD SALARY | | RESPONSIBILITY ! | | | | CLASS 680 | | NAME | | TYPE INFO | | PASSWORD BOSS | | RESPONSIBILITY ! | | | | CLASS | | | | > | | | | | | | | | _______________________________________ Figure 11-22. Creating the Four INFORM/V Classes Figure 11-22 shows the first step in establishing security for the example database. The four INFORM classes are established. Although TYPE is usually an optional prompt, the response INFO is required when an INFORM class is being established. The INFORM class number can be an integer between 0 and 9999. ______________________________________ | | | > REPEAT CREATE CLASS | | CLASS 650 | | NAME | | TYPE | | PASSWORD CLK1 | | RESPONSIBILITY | | | | CLASS 60 | | NAME | | TYPE | | PASSWORD REC | | RESPONSIBILITY | | | | CLASS 70 | | NAME | | TYPE | | PASSWORD SALMGR| | RESPONSIBILITY ! | | | | CLASS 80 | | NAME | | TYPE | | PASSWORD VP | | RESPONSIBILITY ! | | | | CLASS | | | | > | | | | | | | | | ______________________________________ Figure 11-23. Creating IMAGE Classes to Parallel the INFORM/V Classes The next step is to create the parallel IMAGE classes. An example is shown in Figure 11-23. For IMAGE classes, the TYPE is not important, though you can use this field to identify the type of file for which the class is being created, or as a short comment field. _____________________________________ | | | > REPEAT RELATE CLASS | | PARENT CLASS 680 | | CHILD CLASS 80 | | DESCRIPTION | | | | CHILD CLASS | | | | PARENT CLASS 670 | | CHILD CLASS 70 | | DESCRIPTION | | | | CHILD CLASS | | | | PARENT CLASS 660 | | CHILD CLASS 60 | | DESCRIPTION | | | | CHILD CLASS | | | | PARENT CLASS 650 | | CHILD CLASS 50 | | DESCRIPTION | | | | CHILD CLASS | | | | PARENT CLASS | | | | > | | | | | | | | | _____________________________________ Figure 11-24. Relating the IMAGE Classes to the INFORM/V Classes Once all the IMAGE and INFORM classes have been created, they must be related to one another. The INFORM class is the parent, and the IMAGE class is the child. An example is shown Figure 11-24. The first step of each hierarchy has been established, and the next requirement is to associate the database file, the data set files, and the individual elements with the appropriate IMAGE class. Two different commands can be used: SECURE associates a file and all its contents, whereas ADD-CLASS is more selective and associates only the named element or file. ___________________________________________________ | | | > REPEAT SECURE FILE | | FILE EMPBAS | | CLASS 80 | | ACCESS CAPABILITY M | | ELEMENTS WILL BE SECURED TO CLASS. | | SECURE FILE(S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY W | | | | FILE BENEFITS | | CLASS 50 | | ACCESS CAPABILITY R | | ELEMENTS WILL BE SECURED TO CLASS. | | SECURE FILE(S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY R | | | | FILE PEOPLE | | CLASS 60 | | ACCESS CAPABILITY R | | ELEMENTS WILL BE SECURED TO CLASS.| | SECURE FILE (S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY R | | | | | | | ___________________________________________________ Figure 11-25. Securing Database and Data Sets to the IMAGE CLasses __________________________________________________ | | | FILE EDUCATION| | CLASS 60 | | ACCESS CAPABILITY R | | ELEMENTS WILL BE SECURED TO CLASS. | | SECURE FILE(S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY R | | | | FILE BENEFITS | | CLASS 60 | | ACCESS CAPABILITY R | | ELEMENTS WILL BE SECURED TO CLASS. | | SECURE FILE(S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY R | | | | FILE PEOPLE | | CLASS 70 | | ACCESS CAPABILITY R | | ELEMENTS WILL BE SECURED TO CLASS. | | SECURE FILE(S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY R | | | | FILE WAGE | | CLASS 70 | | ACCESS CAPABILITY R | | ELEMENTS WILL BE SECURED TO CLASS. | | SECURE FILE(S) TO CLASS(N\Y)?Y | | FILE ACCESS CAPABILITY R | | | | FILE | | | | | | | __________________________________________________ Figure 11-25. Securing Database and Data Sets to the IMAGE CLasses (Continued) Figure 11-25 shown an example of using the SECURE command. This command secures not only the file that is named, but also all the elements within that file. If the file being secured is a database, SECURE secures not only the database, but also all data sets and all elements. Therefore, the first series of prompts in Figure 11-25 shows SECURE being used to secure files to the manager class, which is allowed to modify all the elements in all the data sets. Note that the ACCESS CAPABILITY is M, for modify. INFORM/V needs only read access, but this IMAGE class will also be used by the data dictionary for other tasks, and so the broader category is specified. The remaining interactions in Figure 11-25 secure those data sets in which all elelments are to be available to the given classes. The prompt SECURE FILE(S) TO CLASS (N\Y)?> will be answered with Y in all cases, since for every file the user wants to secure both the file and the elements within the file. The next step is to add to each class those data set files that have not already been secured. These are the files in which not all elements are going to be available in the respective classes. Therefore, the file must be added as a separate entity, then the individual elements that are to be available to the given class are added to it. Figure 11-26 shows the ADD CLASS-FILE interactions that are required by the example. The database file EMPBAS is added to class 50, 60, and 70. In addition, the data set file WAGE is added to the class 60, so that records clerks can access the element WAGE. The next, and final step, is to add the elements to the IMAGE classes. Figure 11-27 shows an example. First, all elements from data set PEOPLE are added to class 50 except EMP-NO and BDATE. EMP-NO is left out because it will be picked up from the BENEFITS data set, which was already secured to IMAGE class 50. BDATE is not added because it is not to be available to class 50. For INFORM class 660 (IMAGE class 60), STD-HOURS is the only element from data set WAGE that is to be available. _____________________________________ | | | < REPEAT ADD CLASS-FILE | | CLASS 50 | | | | FILE EMPBAS| | DESCRIPTION | | | | FILE PEOPLE| | ACCESS CAPABILITY R | | DESCRIPTION | | | | FILE | | | | CLASS 60 | | | | FILE EMPBAS| | DESCRIPTION | | | | FILE WAGE | | ACCESS CAPABILITY R | | DESCRIPTION | | | | FILE | | | | CLASS 70 | | | | FILE EMPBAS| | DESCRIPTION | | | | FILE | | | | CLASS | | > | | | | | _____________________________________ Figure 11-26. Adding Files to the IMAGE Class _________________________________________ | | | > REPEAT ADD CLASS | | CLASS 50 | | | | ELEMENT NAME | | ACCESS CAPABILITY R | | DESCRIPTION | | | | ELEMENT SOC-SEC | | ACCESS CAPABILITY R | | DESCRIPTION | | | | ELEMENT ADDRESS | | ACCESS CAPABILITY R | | DESCRIPTION | | | | ELEMENT | | | | CLASS 60 | | | | ELEMENT STD-HOURS| | ACCESS CAPABILITY R | | DESCRIPTION | | | | ELEMENT | | | | CLASS | | > | | | | | | | _________________________________________ Figure 11-27. Adding Individual Elements to Each IMAGE Class The INFORM/V security is now completed for EMPBAS, and users can begin using INFORM/V. Relationship of INFORM/V Security to Groups Earlier in this section, the process of setting up INFORM/V Groups was described. Recall that all Groups and subgroups fit into a hierarchy under the primary Group $MENU, which is established automatically when the data dictionary is created. If you do not define INFORM/V security, then the complete hierarchy off all Groups and subgroups defined under $MENU is available to all users of the data dictionary. The job of INFORM/V security is to overlay a filter that presents different views of the hierarchy to different users. For example, assume that you have set up five INFORM/V Groups, all directly related to $MENU. This hierarchy is shown in Figure 11-28. If you do not define INFORM/V security, then any user of the data dictionary who runs INFORM/V will see all five Groups on his Group Menu.Figure 11-28. A Simple INFORM/V Hierarchy Suppose that you want to restrict the view of users in department 50 to Groups A, B, and C, whereas users in department 60 need access to Groups B, C, D, and E. You establish two security classes (called INFORM classes), one for department 50 and one for department 60. Each class is assigned a password, and the Groups to be used by each class are related to it. The result is shown in Figure 11-29. Now any user in department 50, when accessing INFORM/V, is asked for department's password. When the Group Menu comes up, it will show only Groups A, B, and C. By the same token, a user in department 60, after supplying the password, will see only Groups B, C, D, and E on his Group Menu.Figure 11-29. INFORM/V Security Limits Access to Groups The preceding subsection described a way to establish INFORM/V security for four classes of users working with one database when Groups have not been established. The procedure for establishing security when INFORM/V Groups have been established is very similar. Exactly the same commands are used, and the hierarchical pattern is similar. However, there are two important differences: * You need to be sure that all the elements in all the Groups for a given INFORM class have been related to IMAGE classes for the same INFORM class. If you have added elements to an INFORM/V Group, but have neglected to add those elements to the IMAGE classes that are related to the same INFORM class, the security feature will prevent the elements from being displayed in the Group. * When security was established for a database with no Groups, each INFORM class had only one IMAGE class related to it. However, if you have established Groups, you will very likely have more than one IMAGE class per INFORM class, particularly if you have established Groups to take advantage of INFORM/V's ablility to create one Group from multiple files. It would then be most practical to set up an IMAGE class for the elements from a given file, and relate all IMAGE classes that pertain to one set of Groups to the INFORM class for those Groups. Consider Figure 11-30, which show the relationship of INFORM/V Groups to one INFORM class. As was described in the first part of this section, a given Group can be drawn from multiple files and data sets, so long as the elements are reasonably linked.Figure 11-30. Many INFORM Groups Can Be Defined for One INFORM/V Class Figure 11-31 shows the IMAGE classes for the same INFORM class. Each IMAGE class will probably contain the elements from only one file or database. The only important relationship between the two figures lies in the elements. All of the elements related through IMAGE classes to INFORM class 1 must also be related through INFORM/V Groups to INFORM class 1. However, there need not be any correlation between the INFORM/V Groups and the IMAGE classes themselves.Figure 11-31. IMAGE Classes for the same INFORM Class A given INFORM Group can be related to more than one INFORM class. In other words, if an INFORM Group is appropriate to more than one class of user, it can be used by each of those classes. The relationship is shown in Figure 11-32.Figure 11-32. An INFORM Group Can be Used by More than One INFORM Class One IMAGE class can also be associated with more than one INFORM class. The relationship is shown in Figure 11-33.Figure 11-33. An IMAGE Class Can be Used by More than One INFORM Class How will INFORM/V know what to display on the Data Names Menu for a Group? When the user enters his password. INFORM/V checks the data dictionary to see what IMAGE classes are related to the INFORM class that has that password. It also checks to see what Groups are related to that INFORM class, and then checks for the elements in those Groups. Only if the elements are associated with one of the IMAGE classes are they displayed on the menu. When INFORM/V opens an MPE or KSAM file that has a lockword, INFORM/V uses the password of the IMAGE class as the lockword of the file. Therefore, you must assign a password to the IMAGE class that is the same as the lockword on the file. If the password and lockword are not identical, then the user will be prompted for the lockword when the report is being produced. MPE and KSAM files do not have to be added to the IMAGE classes unless they have lockwords. Summary of Security Commands Use the REPORT command to see the elements related to an IMAGE class. REPORT will not work with INFORM classes, however, because elements are directly related to them. For INFORM classes, use SHOW CLASS. This displays all the associations for class and all the related child classes as well. Use DISPLAY CLASS ! (for all classes) to see the attributes for a class plus the directly related classes. This command will also show you the passwords. The following list includes all the DICTIONARY/V commands that will be used for setting up and maintaining INFORM/V security. Table 11-2. Dictionary Commands Used to Establish and Maintain INFORM Security --------------------------------------------------------------------------------------------- | Function | Command | --------------------------------------------------------------------------------------------- | Creating IMAGE or INFORM classes | CREATE CLASS | | Modifying IMAGE or INFORM classes | MODIFY CLASS | | | RENAME CLASS | | | PURGE CLASS | | Reporting IMAGE or INFORM classes | LIST CLASS | | | DISPLAY CLASS | --------------------------------------------------------------------------------------------- Table 11-2. Dictionary Commands Used to Establish and Maintain INFORM Security (continued) --------------------------------------------------------------------------------------------- | Function | Command | --------------------------------------------------------------------------------------------- | Adding entities to an IMAGE class | ADD CLASS | | | ADD CLASS-FILE | | | SECURE FILE | | Modifying entities added to an IMAGE class | UPDATE CLASS | | | UPDATE CLASS-FILE | | | DELETE CLASS | | | DELETE CLASS-FILE | | Reporting entities added to an IMAGE class | REPORT CLASS | | | SHOW CLASS | --------------------------------------------------------------------------------------------- | Relating IMAGE classes to INFORM classes | RELATE CLASS | | Modifying relationship of IMAGE and | CHANGE CLASS | | INFORM classes | REMOVE CLASS | | Reporting relationship of IMAGE and | SHOW CLASS | | INFORM classes | DISPLAY CLASS | --------------------------------------------------------------------------------------------- | Adding INFORM Groups to INFORM classes | ADD CLASS-GROUP | | | SECURE GROUP | | Modifying INFORM Groups | UPDATE CLASS-GROUP | | | DELETE CLASS-GROUP | | Reporting INFORM Groups | DISPLAY GROUP | ---------------------------------------------------------------------------------------------
![[]](../../pic3k/M010001/F11193c50.gif)
![[]](../../pic3k/M010001/F11203c50.gif)
![[]](../../pic3k/M010001/F11213c50.gif)
![[]](../../pic3k/M010001/F11283c50.gif)
![[]](../../pic3k/M010001/F11293c50.gif)
![[]](../../pic3k/M010001/F11303c50.gif)
![[]](../../pic3k/M010001/F11313c50.gif)
![[]](../../pic3k/M010001/F11323c50.gif)
![[]](../../pic3k/M010001/F11333c50.gif)