HP 3000 Manuals

USING COMMANDS TO DEFINE HP INFORM 3000 SECURITY [ DICTIONARY 3000 ] MPE/iX 5.0 Documentation


DICTIONARY 3000

USING COMMANDS TO DEFINE HP INFORM/3000 SECURITY 

HP Inform/3000 security prevents unauthorized persons from gaining read
access to the Dictionary by limiting the names of the database files and
Inform groups displayed on the Inform menus.  When Inform security is set
up in the Dictionary, Inform menus will display only the information
granted a user via an Inform password.

To establish Inform Security, the database administrator must first
determine who should have access to what data.  By using the DICTDBM
commands, Inform classes are created and passwords are assigned to each
Inform class.  Database files and elements are associated to IMAGE
classes which are in turn related to the Inform classes.  Inform groups
are directly associated to the Inform classes.  When Inform executes, it
looks for any Inform class relationships defined in the Dictionary and
prompts you for an Inform password if any such relationships are found.
If no Inform class relationships are found, you are not prompted for an
Inform password and all the database files and Inform groups defined in
the Dictionary will be displayed on the Inform menus.  You will have to
enter the necessary passwords/lockwords when you produce the report.  The
Inform password determines what Inform class you belong to.  Only the
database file names and Inform group names belonging to that Inform class
will be displayed on the Inform menu.

If you use either the Dictionary manager or programmer level password as
the Inform password, then you are granted access to all Inform groups and
database files defined in the Dictionary.  (See Appendix C of the manual
for more information on the access levels to the Dictionary.)

Database and the Inform Class Relationships - Figure 3-6 shows the
relationships between a database and an Inform class.  Each line
represents a relationship.
________________________________________________________________
|                                                              |
|     DATABASE                                                 |
|                                                              |
|      DATA SET                                                |
|                                                              |
|       element                                                |
|                                                              |
|       element                                                |
|                                                              |
|       element              IMAGE CLASS           INFORM CLASS|
|                                                              |
|      DATA SET                                                |
|                                                              |
|       element                                                |
|                                                              |
|       element                                                |
|                                                              |
|       element                                                |
|                                                              |
|          .                                                   |
|          .                                                   |
|          .                                                   |
________________________________________________________________

          Figure 3-6.  Relationships between the Database and the Inform Class 

Note that the database file must be directly associated with the IMAGE
class or Inform will not give you access to any of the database sets or
elements.  Each data set and element in the database must also be
directly associated with the same IMAGE class as the database file or
Inform will not give you access to that data.

NOTE: Inform Security requires element (item) level access to be defined
in the dictionary before the element (item) can be displayed on the
Inform Menu.  Inform opens a database in open mode 5 which requires
security to be defined at the data item level.  (See the IMAGE/3000
Reference Manual for more information.)

Depending on how security is to be implemented, a database, data set, or
element can belong to more than one IMAGE class.  An IMAGE class can
belong to more than one Inform class.

Inform Groups and Inform Class Relationships - Figure 3-7 shows the
relationships between an Inform group and an Inform class.
__________________________________________________________________
|                                                                |
|     INFORM GROUP                                               |
|                                                    INFORM CLASS|
|        SUB-GROUP                                               |
|                                                                |
|          DATABASE                                              |
|                                                                |
|          element                                               |
|                                                                |
|          element              IMAGE CLASS                      |
|                                                                |
|          element                                               |
|                                                                |
|          element                                               |
|                                                                |
|         *MPE or KSAM FILE                                      |
__________________________________________________________________

          Figure 3-7.  Relationships between an Inform group and Inform Class 

*Relating an MPE or KSAM file to an IMAGE class is only necessary if the
file has a lockword.

Inform groups and subgroups are directly associated to the Inform class.
However, in order to access any elements in the Inform groups, the
elements must be associated to an IMAGE class and the IMAGE class must be
related to the same Inform class as the Inform group.  Otherwise, Inform
will not allow access to these elements.  The database files in which
these elements are contained must also be associated to an IMAGE class.
It is necessary to associate an MPE or KSAM file to an IMAGE class if the
file has a lockword.  When Inform opens an MPE or KSAM file and that file
has been added to an IMAGE class which has a password, Inform uses that
password as a lockword when opening the file.  That means that if you
want Inform to open an MPE or KSAM file that has a lockword and you don't
want to be prompted for the password, you must add the file to an IMAGE
class whose password matches the file's lockword.  In doing this, it is
recommended that a different class be assigned to each file or database,
and that CLASS-TYPE (MPEF, MPER, KSAM, or BASE) be used to distinguish
them for documentation purposes.

Depending on how Inform security is to be implemented, an Inform group or
sub-group can belong to more than one Inform class.  An element can also
belong to more than one IMAGE class.

Creating Inform Classes 

In the Dictionary, Inform classes are created as INFO type classes and
are identified by an integer from 0 through 9999.  Use the CREATE CLASS
string to create an Inform class.  Enter the identifying class number and
INFO as the class type.  Enter the password to be assigned to the Inform
class.  If the password in the dictionary is entered in upper case, then
Inform also expects the password to be entered in upper case.  If the
case does not match, Inform will issue an invalid password error message.
Note that the Dictionary will not prevent you from creating duplicate
passwords for Inform classes.  If duplicate passwords are created, Inform
will use the class belonging to the first matching password that it finds
in the Dictionary.

The remaining prompts for this command string allow you to provide useful
information, but are not required.

After an Inform class is created, you can use either the LIST or DISPLAY
command to display the entry.  If you want to delete the entry from the
Dictionary, use the PURGE command.  To change the entry, use either the
MODIFY or the RENAME command.

Relating IMAGE Classes to Inform Classes 

The hierarchical relationship between the Inform class and the IMAGE
class is established with the RELATE command.  Use the RELATE CLASS
string to define this relationship.  Enter the identifying number of the
Inform class in response to the prompt for PARENT CLASS. Enter the
identifying number of the IMAGE class in response to the prompt for the
CHILD CLASS. The description prompt allows you to supply useful
information but is not required to define this relationship.

The relationship between the classes can be displayed by using the SHOW
command.  For the Inform class, this command displays each CHILD class.
For the CHILD class, this command displays the files and elements
associated with the CHILD class in the order in which they were
associated with the CHILD class.  To display an alphabetized listing of
the elements associated with a CHILD class, you can use the REPORT
command.  Reporting an INFO class will display "No elements found"
because elements are not and cannot be directly related to an INFO class.
To display the attribute information and related PARENT classes for a
CHILD class, you can use the DISPLAY command.

The relationship between an Inform class and an IMAGE class can be
deleted by using the REMOVE CLASS command string.  The description of the
relationship can be changed by using the CHANGE CLASS command string.

Adding Entities to an IMAGE Class 

The association between the IMAGE classes and the different entities
(databases, data sets, elements and files) is established using either
the ADD command or the SECURE command.  Remember that before Inform can
access these entities, they must belong to an IMAGE class and that IMAGE
class must be related to the Inform class.

To associate an element with an IMAGE class, use the ADD CLASS command
string.  To associate a file to an IMAGE class, use the ADD CLASS-FILE
command string.

You can also use the SECURE command to assign all the elements associated
with a file to an IMAGE class.  By using the SECURE FILE command string,
you can avoid adding each individual element, one at a time, to an IMAGE
class.  The SECURE FILE string can also be used to secure a database,
data set, or a file and any child files it may have, to that same IMAGE
class.

The association between an element or file and the IMAGE class can be
deleted by using the DELETE command.  You can display the association
entries by using the REPORT or SHOW commands.

Adding Inform Groups to Inform Classes 

For Inform security by groups to be implemented, an Inform group is
directly associated to an Inform class.  However, any elements belonging
to the Inform group are not added to that Inform class.  They are
associated to an IMAGE class.  That IMAGE class is then related to the
same Inform class as the Inform group which the element belongs to.  (See
Figure 3-7 for a diagram of this relationship.)

The association between the Inform group and the Inform class is
established using either the ADD command or the SECURE command.  To
associate an individual Inform group to an Inform class, use the ADD
CLASS-GROUP command string.  Enter the identifying number of an existing
Inform class in response to the prompt for CLASS. Enter the name of an
existing Inform group in response to the prompt for GROUP.

To add an Inform group plus all of its child groups (if any) to an Inform
class, use the SECURE GROUP command string.  Enter the name of the Inform
group in response to the prompt for GROUP. Enter the identifying number
of an existing Inform class in response to the prompt for CLASS. Note
that no elements belonging to the Inform group or to its child groups
will be added to the Inform class.  Again, these elements must first be
associated to an IMAGE class.  That IMAGE class must then be related to
the same Inform class as the Inform group which the element belongs to or
Inform will not allow access to those elements.  To add a file to a
class, use the ADD CLASS-FILE command string.

You can display the attribute information and any associated Inform
classes for an Inform group by using the DISPLAY GROUP command string.
You can change the description of an Inform group to Inform class
association by using the UPDATE CLASS-GROUP command string.  The
association itself can be deleted by using the DELETE CLASS-GROUP command
string.

Example 

Defining Inform Security for a database

     >REPEAT CREATE CLASS

                 CLASS> 101            To CREATE the INFO class
                  NAME>
                  TYPE> INFO
              PASSWORD> BOSS
        RESPONSIBILITY>
           DESCRIPTION>

                 CLASS> 10             To CREATE the IMAGE class
                  NAME>
                  TYPE>
              PASSWORD> VP
        RESPONSIBILITY>
           DESCRIPTION>

                 CLASS>

     >RELATE CLASS                     To RELATE the INFO class to
                                       the IMAGE class
        PARENT CLASS> 101
         CHILD CLASS> 10
         DESCRIPTION>

         CHILD CLASS>

     >SECURE FILE                      To SECURE the database, data
                                       sets, and elements to the IMAGE
                                       class
                    FILE> BASE
                   CLASS> 10
       ACCESS CAPABILITY> R

       ELEMENTS WILL BE SECURED TO CLASS.
       SECURE FILE(S) TO CLASS (N/Y)?> Y
        FILE ACCESS CAPABILITY> R

                 OR

      >ADD CLASS-FILE                  To ADD specific data sets to the
                                       IMAGE class
               CLASS> 10

                  FILE> BASE
           DESCRIPTION>

                  FILE> DATASET1
     ACCESS CAPABILITY> R
           DESCRIPTION>

                  FILE> DATASET2
     ACCESS CAPABILITY> R
           DESCRIPTION>

     >ADD CLASS                        To ADD elements to the IMAGE
                                       class
               CLASS> 10

               ELEMENT> E1
     ACCESS CAPABILITY> R
           DESCRIPTION>

               ELEMENT> E2
     ACCESS CAPABILITY> R
           DESCRIPTION>

               ELEMENT> E3
     ACCESS CAPABILITY> R
           DESCRIPTION>

Defining Inform Security for Groups:  Sales Group and Account Orders

The elements for the Sales Group are Account, Sales Rep, and Address and
are contained in the Salestat (KSAM) file which has a lockword of KEEP.
The elements for the Account Orders group are Prod-No and Owner and are
contained in the Warranty (MPE) file which has a lockword of SAFE.

     >REPEAT CREATE CLASS

               CLASS> 100              To CREATE the INFO class
                NAME> <cr>
                TYPE> info
            PASSWORD> MICHAEL
      RESPONSIBILITY> <cr>
         DESCRIPTION> <cr>

               CLASS> 301              To CREATE the IMAGE classes
                NAME> <cr>
                TYPE> <cr>
            PASSWORD> KEEP
      RESPONSIBILITY> <cr>
         DESCRIPTION> <cr>
               CLASS> 302
                NAME> <cr>
                TYPE> <cr>
            PASSWORD> SAFE
      RESPONSIBILITY> <cr>
         DESCRIPTION> <cr>

     >RELATE CLASS                     To RELATE the IMAGE class to the
                                       INFO class

        PARENT CLASS> 100

         CHILD CLASS> 301
         DESCRIPTION> <cr>

         CHILD CLASS> 302
         DESCRIPTION> <cr>

         CHILD CLASS> <cr>

     >ADD CLASS                        To ADD elements to the Image
                                       class
                CLASS> 301

               ELEMENT> ACCOUNT
     ACCESS CAPABILITY> R
           DESCRIPTION> <cr>

               ELEMENT> SALES REP
     ACCESS CAPABILITY> R
           DESCRIPTION> <cr>

               ELEMENT> ADDRESS
     ACCESS CAPABILITY> R
           DESCRIPTION> <cr>

               ELEMENT> <cr>

                 CLASS> 302
               ELEMENT> PROD-NO
     ACCESS CAPABILITY> R
           DESCRIPTION> <cr>

               ELEMENT> OWNER
     ACCESS CAPABILITY> R
           DESCRIPTION> <cr>

               ELEMENT> <cr>

                 CLASS> <cr>

     >REPEAT ADD CLASS-FILE            To ADD a file to the IMAGE class
                                       (Needed only if the file has a
                                        lockword)
                 CLASS> 301

                  FILE> SALESTAT
           DESCRIPTION> <cr>

                  FILE> <cr>

                 CLASS> 302

                  FILE> WARRANTY
           DESCRIPTION> <cr>
                  FILE> <cr>

                 CLASS> <cr>

     >ADD CLASS-GROUP                  To ADD groups to the INFO class

                CLASS> 100

                GROUP> SALES GROUP
          DESCRIPTION> <cr>

                GROUP> ACCOUNT ORDERS
          DESCRIPTION> <cr>

     >


CAUTION

*  If you define a password for Inform Security in upper or lower case
   characters, Inform expects it to be entered in the exact same way.
   For example, if you defined BOSS in all upper case characters and
   then ran Inform and entered the password in lower case, Inform would
   not accept the password as a valid password.

*  Dictionary does not check for duplicate passwords, so avoid assigning
   two different Inform classes the same password.  Inform will use the
   first class it finds and from there use all the classes related to
   the Inform class to determine access.  The end result is the user
   will not necessarily have access to the data they want.

*  Inform Security requires element (item) level access to be defined
   in the dictionary and database before that item will be displayed on
   the Inform menu or accessed at report generation time.

*  Avoid relating more than one IMAGE class associated with a particular
   database to the same Inform class.  In the figure below, ORDERS is
   related to three IMAGE classes.  You should choose one of those IMAGE
   classes to relate to one Inform class to establish access to ORDERS.
   If two IMAGE classes (1 and 2 in this example) are related to 101,
   Inform may find either IMAGE class 1's password or IMAGE class 2's
   password first and use it to open the database; the results are
   unpredictable.  In this example it would be better to relate IMAGE
   class 1 to Inform class 101, 2 to 102, and 3 to 103.  You may want to
   have different Inform classes for the database to allow access at
   multiple levels.

        INFORM CLASS     101     102     103

        IMAGE CLASS        1       2       3

        DATABASE               ORDERS
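The cautions above can be checked mechanically before a configuration goes live. The Python below is an added example, not HP code or DICTDBM output: it audits a constructed model of Dictionary entries for shadowed duplicate passwords, ambiguous IMAGE classes for one file, and group elements that no related IMAGE class grants. The data layout, the list order standing in for "first class it finds", and all function names are assumptions.

```python
from collections import defaultdict

# Constructed Dictionary model (assumed layout); list order stands in for Inform's search order.
INFORM_CLASSES = [(100, "MICHAEL"), (101, "BOSS"), (102, "BOSS")]
RELATED = {100: [301, 302], 101: [1, 2], 102: [3]}   # Inform class -> child IMAGE classes
IMAGE_FILES = {301: {"SALESTAT"}, 302: {"WARRANTY"},
               1: {"ORDERS"}, 2: {"ORDERS"}, 3: {"ORDERS"}}
IMAGE_ELEMENTS = {301: {"ACCOUNT", "SALES REP", "ADDRESS"}, 302: {"PROD-NO"}}
GROUPS = {  # Inform group -> (Inform classes it was added to, elements it contains)
    "SALES GROUP": ({100}, {"ACCOUNT", "SALES REP", "ADDRESS"}),
    "ACCOUNT ORDERS": ({100}, {"PROD-NO", "OWNER"}),  # OWNER deliberately not in class 302
}


def resolve_class(password):
    """Case-sensitive, first-match lookup of the Inform class for a password."""
    return next((n for n, stored in INFORM_CLASSES if stored == password), None)


def shadowed_classes():
    """(shadowed class, winning class) pairs caused by duplicate Inform passwords."""
    first, shadowed = {}, []
    for number, stored in INFORM_CLASSES:
        if stored in first:
            shadowed.append((number, first[stored]))
        else:
            first[stored] = number
    return shadowed


def ambiguous_files():
    """(Inform class, file, IMAGE classes) where several related IMAGE classes hold one file."""
    findings = []
    for inform, images in RELATED.items():
        holders = defaultdict(list)
        for image in images:
            for name in IMAGE_FILES.get(image, ()):
                holders[name].append(image)
        findings += [(inform, f, c) for f, c in sorted(holders.items()) if len(c) > 1]
    return findings


def unreachable_elements():
    """(group, Inform class, element) where no IMAGE class related to that class holds the element."""
    findings = []
    for group, (classes, elements) in sorted(GROUPS.items()):
        for inform in sorted(classes):
            granted = set().union(*(IMAGE_ELEMENTS.get(i, set()) for i in RELATED.get(inform, ())))
            findings += [(group, inform, e) for e in sorted(elements - granted)]
    return findings


if __name__ == "__main__":
    print(shadowed_classes(), ambiguous_files(), unreachable_elements(), sep="\n")
```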

