HP 3000 Manuals

Automatic Password Retrieval BRWPASSEXIT [ HP ALLBASE/BRW Reference Manual ] MPE/iX 5.0 Documentation


HP ALLBASE/BRW Reference Manual

Automatic Password Retrieval BRWPASSEXIT 

HP ALLBASE/BRW can use a user-supplied program, called BRWPASSEXIT, to
specify both the actual location names for source tables and the source
table passwords.  The location name for a source table is the full name
of the database or file where report data is to be found, with optionally
the group and account where the database or file is kept.  For example,
the short name for a dataset used as a source table could be INVOICES.
Its location name is database TOYDB, in group PUB, of account MYACCT.

Why use BRWPASSEXIT? 

You may not want all your users to know the location names and passwords
for the databases.  BRWPASSEXIT can give users access to the databases so
they can write or run reports, but not allow them to change the database
in any way.  Using BRWPASSEXIT can enhance your data security and make
password maintenance simpler, especially if you change passwords often.


NOTE  All database passwords must allow read access to the datasets
      specified, or at least to the items needed in the report if item
      level security is defined.  So if the password does not allow read
      access, the DBGET will fail.  You can, of course, restrict update
      access.  You do not need "@" access if you use item level security.

Creating BRWPASSEXIT

NOTE  Someone familiar with the database structure, like the database
      manager, needs to be responsible for writing the BRWPASSEXIT
      program.  BRWPASSEXIT must be capable of accepting the short name
      and returning the location and password.  Examples of typical
      BRWPASSEXIT data structures are given later.

To create BRWPASSEXIT

1.  Build the BRWPASS executable library (XL) where you

        :LINKEDIT
        linkEd > BUILDXL BRWPASS
        linkEd > ADDXL FROM=<your passexit object file>;&
                 TO=BRWPASS
        linkEd > EXIT

    For more information on the Linkeditor, see the HP LinkEditor
    Reference Manual.

2.  Write the BRWPASSEXIT program and include it in the executable
    library.

    You must write the program BRWPASSEXIT and compile it in native mode.
    The program must follow these rules:

    a.  The program must not write over any HP ALLBASE/BRW data or code!
        (This is very unlikely if you code the program in PASCAL or COBOL,
        but possible if you use ASSEMBLER.)

    b.  The procedure BRWPASSEXIT takes a record structure with the
        following fields as a parameter:

        Location name:         Packed array of 30 characters (Input/Output)
        Report name:           Packed array of 30 characters (Input/Output)
        User, Group, Account:  3 packed arrays of 8 characters (Input)
        Password:              Packed array of 8 characters (Output)
        Common area:           Array of 100 words (Output)
        Status:                1 word (Input/Output)

        The status parameter ('status' or 'RETURN-STATUS') can have two
        values:

         0 : The password is being returned successfully.
        -1 : The user is not allowed to access the password.

        NOTE  For examples of the data structures for these parameters,
              see the next sections.

    c.  BRWPASSEXIT must return status=0 (and blanks for the password) for
        any locations that are not known to BRWPASSEXIT.

3.  Compile BRWPASSEXIT in native mode.

To use BRWPASSEXIT

1.  When you specify the report, do not type a password for a source
    table on the Define Tables screen.

2.  When you run the report, HP ALLBASE/BRW looks for the BRWPASSEXIT
    program in the BRWPASS extended library (XL) in this order:

    a.  BRWPASS.logon group.logon account
    b.  BRWPASS.PUB.logon account
    c.  BRWPASS.PUB.SYS

If BRWPASSEXIT is not found, the call is skipped and the report will run
with the assumption that the user is the creator of the source table.
That is, HP ALLBASE/BRW tries to open the databases using a database
password of ";" and tries to open files using blanks for passwords.

If your BRWPASSEXIT procedure does not recognize the Location Name, or
does not want the given user, group, or account to have access to the
location, it should return a status=-1 (or any value besides zero).  A
non-zero status from BRWPASSEXIT will cause report execution to stop
immediately.

If BRWPASSEXIT is found, and access to the password and location of the
table is allowed, then the report is executed.  The return status=0.

NOTE  HP ALLBASE/BRW will not call BRWPASSEXIT if you supply an incorrect
      password: BRWPASSEXIT will only be called when no password is
      supplied.  If the password (or location name) is incorrect the
      report will abort without calling BRWPASSEXIT.

BRWPASSEXIT Examples

PASCAL Example

    $subprogram 'brwpassexit'$
    $OS 'MPE/XL'$

    {Compiler directives to compile only BRWPASSEXIT}

    type
      shortint  = -32768..32767;
      t_pac8    = PACKED ARRAY [1..8] OF char;
      t_pac30   = PACKED ARRAY [1..30] OF char;
      a_comarea = ARRAY [1..100] OF shortint;

      fmt_user_rec = RECORD

        location   : t_pac30;
        reportname : t_pac30;
        user       : t_pac8;
        group      : t_pac8;
        account    : t_pac8;
        password   : t_pac8;
        comarea    : a_comarea;
        status     : shortint;

      END; {RECORD}

    procedure BRWPASSEXIT (var passexit_rec : fmt_user_rec);

PASCAL

This procedure gets the correct location and password for a source table,
accepts the "short" passed location and returns the full location and
password (status=0) or indicates that access is not allowed (status=1).

This example is shown for simplicity.  You could also obtain an integer by
decoding the location and use that as a CASE ordinal, or as a key file of
passwords.

A sample program is shown below.

    label 9999;

    begin

      with passexit_rec do
      begin

        if location = 'ADB' then
        begin
          location := 'ADB.ADBGROUP.ADBACCT';
          password := 'READADB';     {read access only required}
          status   := 0;             {location recognized:}
          goto 9999;
        end;
        { and so on through the various short locations }

        {PAYROLL database only accessible to people logged on to the
         FINANCE account.  For anyone else, reject access.}

        if location = 'PAYROLL' then
          if account = 'FINANCE' then
          begin
            location := 'PAYROLL.PUB.FINANCE';
            password := 'BUCKS';
            status   := 0;
            goto 9999;
          end
          else
          begin
            status := -1;
            goto 9999;
          end;

        { and so on through those short locations, if any, where
          password access is not permitted.}

        status := 0;

        {If the location is NOT RECOGNIZED, set the status to 0, then BRW
         will try to read the file using the default location and no
         password. }
    9999:
      end; {with}
    end; {procedure brwpassexit}

    {main program outer block}
    begin
    end.

COBOL Example

Compile the program:

    :COB85XL %%progname%%

    LINKAGE SECTION.

    01  COM-RECORD.
        05  LOCATION        PIC X(30).
        05  REPORTNAME      PIC X(30).
        05  LOGON-USER      PIC X(8).
        05  LOGON-GROUP     PIC X(8).
        05  LOGON-ACCOUNT   PIC X(8).
        05  PASSWORD        PIC X(8).
        05  COMAREA         OCCURS 100 TIMES PIC S9(4) COMP.
        05  RETURN-STATUS   PIC S9(4) COMP.

COBOL Parameter

A COBOL sample program is shown below.

    $CONTROL DYNAMIC
     IDENTIFICATION DIVISION.
     PROGRAM-ID. BRWPASSEXIT.
     AUTHOR.
     DATE-WRITTEN.
     DATE-COMPILED.
     ENVIRONMENT DIVISION.
     DATA DIVISION.
     LINKAGE SECTION.
     01  COM-RECORD.
         05  LOCATION        PIC X(30).
         05  REPORTNAME      PIC X(30).
         05  LOGON-USER      PIC X(8).
         05  LOGON-GROUP     PIC X(8).
         05  LOGON-ACCOUNT   PIC X(8).
         05  PASSWORD        PIC X(8).
         05  COMAREA         OCCURS 100 TIMES PIC S9(4) COMP.
         05  RETURN-STATUS   PIC S9(4) COMP.

     PROCEDURE DIVISION USING COM-RECORD.

     P1.

         IF LOCATION = "ADB" THEN
             MOVE "ADB.ADBGROUP.ADBACCT" TO LOCATION
             MOVE "READADB" TO PASSWORD
             MOVE 0 TO RETURN-STATUS
             GO TO BRW-END.

         IF LOCATION = "BDB" THEN
             MOVE "TOYDB.PUB.ITF3000" TO LOCATION
             MOVE "doctor" TO PASSWORD
             MOVE 0 TO RETURN-STATUS
             GO TO BRW-END.

         IF LOCATION = "PAYROLL" THEN
             IF LOGON-ACCOUNT = "FINANCE" THEN
                 MOVE "PAYROLL.PUB.FINANCE" TO LOCATION
                 MOVE "BUCK" TO PASSWORD
                 MOVE 0 TO RETURN-STATUS
                 GO TO BRW-END
             ELSE
                 MOVE -1 TO RETURN-STATUS
                 GO TO BRW-END.

         MOVE 0 TO RETURN-STATUS.

     BRW-END.
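
The table-driven alternative to the chained IF tests, modeled in C as an added example (not code from the HP manual or from HP ALLBASE/BRW). The record mirrors the parameter layout on this page and the sample values are the page's own; rule, RULES, field_eq, field_set, brwpassexit_model, model_lookup and REC are hypothetical names, and whether a C struct matches the layout BRW passes is an assumption. It shows exact matching on blank-padded fields and the three outcomes: known and allowed, known but denied, and unknown.

```c
#include <string.h>
/* Mirrors the record on this page: fixed-width, blank-padded, no NUL bytes. */
typedef struct {
    char  location[30], reportname[30];
    char  user[8], group[8], account[8], password[8];
    short comarea[100], status;
} passexit_rec;

/* Hypothetical rule table; account == NULL means any logon account. */
typedef struct { const char *shortname, *fullname, *password, *account; } rule;
static const rule RULES[] = {      /* sample values from the page's examples */
    { "ADB",     "ADB.ADBGROUP.ADBACCT", "READADB", NULL      },
    { "PAYROLL", "PAYROLL.PUB.FINANCE",  "BUCKS",   "FINANCE" },
};

/* Blank-padded field helpers: compare with, or store, a C string (width n). */
static int field_eq(const char *field, size_t n, const char *s) {
    size_t len = strlen(s), i;
    if (len > n || memcmp(field, s, len) != 0) return 0;
    for (i = len; i < n; i++) if (field[i] != ' ') return 0;
    return 1;
}
static void field_set(char *field, size_t n, const char *s) {
    memset(field, ' ', n);
    memcpy(field, s, strlen(s) < n ? strlen(s) : n);
}

void brwpassexit_model(passexit_rec *r) {
    const rule *k;
    field_set(r->password, sizeof r->password, "");  /* blanks unless allowed */
    r->status = 0;                       /* unknown location: status 0, blanks */
    for (k = RULES; k < RULES + sizeof RULES / sizeof RULES[0]; k++) {
        if (!field_eq(r->location, sizeof r->location, k->shortname)) continue;
        if (k->account && !field_eq(r->account, sizeof r->account, k->account)) {
            r->status = -1; return;      /* known location, wrong logon account */
        }
        field_set(r->location, sizeof r->location, k->fullname);
        field_set(r->password, sizeof r->password, k->password);
        return;
    }
}

static passexit_rec REC;                 /* record filled in by the driver */
short model_lookup(const char *loc, const char *acct) {
    memset(&REC, ' ', sizeof REC);
    field_set(REC.location, sizeof REC.location, loc);
    field_set(REC.account, sizeof REC.account, acct);
    brwpassexit_model(&REC);
    return REC.status;
}
```

Because the password field is blanked before any rule is checked, a denied or unknown request never returns a stored password, and a short name that merely begins with a known name (such as ADBX) is treated as unknown.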

