About IMAGE/SQL Security

IMAGE/SQL enforces TurboIMAGE/XL database security. That is, SQL users can access only the data defined for them in the TurboIMAGE/XL database schema.

To accomplish this, during an attach, only the DBC is defined as an SQL user. This user has access to all the mapped tables in the database. The DBC must explicitly add all other IMAGE/SQL users by associating each user class or password with a DBEUser_ID. A view is then created for each mapped table to which the DBEUser_ID has access. This view is based on information in the TurboIMAGE/XL root file and permits user classes to see the data defined for them in the TurboIMAGE/XL schema. Users, including user class 0, must know the names of the views to which they have access.

IMAGE/SQL utility security can be modified only by someone who is both the DBC and a DBA of the respective database management systems.

Controlling IMAGE/SQL User Access

IMAGE/SQL takes the following steps to control users' access to TurboIMAGE/XL data (see Figure 3-4 “IMAGE/SQL Security Mapping”):

When an SQL user is added, IMAGE/SQL creates an SQL authorization group. The name of this group is based on the user class or the user class of the password named in the ADD USER command. The naming convention for this group is OwnerName_UserClass#. The new DBEUserID (User@Account) is then added to this group.
One view is then created for each data set the user class is allowed to access. The naming convention for these views is OwnerName.MappedTableName_VUserClass#.
If data is not password-protected, user class 0 is assumed and views of this data are created for user class 0.
When an SQL user is deleted, the DBEUserID is removed from the SQL group associated with the TurboIMAGE/XL user class. Note that the group itself and the corresponding views remain in the DBEnvironment because other user-created views may be based on these views.
When the database is detached, all views based on mapped tables, including user-created views, are dropped.

Figure 3-4 IMAGE/SQL Security Mapping

IMAGE/SQL Data Type Mapping

IMAGE/SQL maps all TurboIMAGE/XL data types to the closest equivalent SQL data types. Sometimes completely compatible choices are not available, or more than one viable alternative exists. In these cases, IMAGE/SQL chooses default data types for you, but also provides alternative data type mapping that you can select if it more closely meets your particular needs.

Note that when alternative data type mapping is selected, all user-created views containing the mapped data type are dropped. Therefore, it is advisable to perform alternative data type mapping before users have had the opportunity to create views.

For specific information about IMAGE/SQL default data type mapping and alternative choices, refer to Table 2-6 “IMAGE/SQL Data Type Mapping Defaults and Alternatives” in Chapter 2 (Task 4).

At Run Time

At run time, SQL turns all mapped table queries over to IMAGE/SQL. Using the mapping information in the ATCINFO file, IMAGE/SQL makes the appropriate TurboIMAGE/XL calls, retrieves the data from the TurboIMAGE/XL database, and returns the data to SQL in the correct SQL format (see Figure 3-5 “IMAGE/SQL at Run Time”.)

Figure 3-5 IMAGE/SQL at Run Time

Note that the data is retrieved from the TurboIMAGE/XL database. Only the mapped table definitions actually reside in the DBEnvironment. The ALLBASE/SQL Optimizer decides which indices, if any, to use and the proper order of operation to ensure that the most efficient path is used. Data is retrieved more efficiently when a mapped column represents a TurboIMAGE/XL search item, key item, or an item which has a B-Tree index (explicit or implicit) or a third-party index.

About IMAGE/SQL Security

Technical documentation

» Table of Contents

» Glossary

» Index

Controlling IMAGE/SQL User Access

IMAGE/SQL Data Type Mapping

At Run Time