ADASCR (Security Functions)

This document describes the utility "ADASCR".

The following topics are covered:


Functional Overview

The security utility ADASCR creates, modifies and deletes file protection levels and user passwords, and enables the security capabilities of individual passwords. Additionally, the utility is used to display file and password security information. The output of the export functionality of ADASCR can be used to apply some of all of the security definitions of a database to another database.

Access to this utility should be strictly limited to the person or persons responsible for database security (DBA).

Multiple functions may be specified within a single run of ADASCR. There is no restriction on the number of functions which may be specified.

The affected database(s) must be online.

All updates resulting from ADASCR take effect immediately.

This utility is a multi-function utility.

Note:
To copy existing security definitions from one hardware architecture or operating system to another you must use the EXPORT control parameter. You cannot copy the security definitions from one hardware architecture to another by using ADAULD/ADADCU and ADACMP/ADAMUP - this is because the data stored in the security file are stored in a platform-dependent internal format.

Procedure Flow

Procedure Flow ADASCR

Data Set Logical Name/
Environment variable
Storage Medium Additional Information
Control Statements stdin/
SYS$INPUT
  Utilities Manual
ADASCR Messages stdout/
SYS$OUTPUT
  Messages and Codes
Exported Security Definitions SCROUT Disk Utilities Manual

Checkpoints

The utility writes no checkpoints.

Control Parameters

The following control parameters are available:

    CHANGE {=|:} (string, string)

M   DBID = number

    DELETE = string

    DISPLAY = [PASSWORDS |
               PERMISSIONS, PASSWORD  {=|:} {* | string} |
               PROTECTIONS,
               FILE = {* | (number[-number][,number[-number]]...)}  |
               VALUE_CRITERIA, PASSWORD  {=|:} {* | string}]

    EXPORT = {PASSWORDS,
D            [TARGET_ARCHITECTURE = KEYWORD,]
               PASSWORD  {=|:} {* | string} |
               PROTECTIONS,
D            [TARGET_ARCHITECTURE = KEYWORD,]
               FILE = {* | (number[-number][,number[-number]]...)}  |
               VALUE_CRITERIA,
D            [TARGET_ARCHITECTURE = KEYWORD,]
               FILE = {* | (number[-number][,number[-number]]...)}
               PASSWORD = {* | string}}

    INSERT {=|:} string, FILE = (number[-number][,number[-number]]...)
             ,ACCESS = (number[,number]...)
             ,UPDATE = (number[,number]...)

    PROTECT = (number[-number][,number[-number]]...)
              ,ACCESS = (number[,number]...)
              ,UPDATE = (number[,number]...)

    SECURITY_BY_VALUE {=|:} string, FILE = number
                        ,ACCESS_CRITERION
                        ,SEARCH_BUFFER = string *
                        ,VALUE_BUFFER = string *
                        ,UPDATE_CRITERION
                        ,SEARCH_BUFFER = string *
                        ,VALUE_BUFFER = string *

*The search/access buffer string parameters must be followed by <Newline> with no preceding comma.

ADASCR Definitions for Examples

In the following examples assume that the following ADASCR definitions have been made before:

PROTECT=9,ACCESS=9,UPDATE=9
PROTECT=9,NAME=(**,AC,AD,BC),ACCESS=(0,14,14,14),UPDATE=(0,14,14,14)
PROTECT=9,NAME=(FC,FD,IC,ID),ACCESS=(14,14,14,14),UPDATE=(0,0,0,0)
PROTECT=11,ACCESS=1,UPDATE=2
PROTECT=11,NAME=(**,AA,AC,AE),ACCESS=(0,6,3,5),UPDATE=(0,9,9,7)
PROTECT=11,NAME=(AD,AI,AJ,AK),ACCESS=(4,10,10,10),UPDATE=(8,12,12,12)
PROTECT=11,NAME=(AL,AR,AS,AT),ACCESS=(10,7,7,7),UPDATE=(12,9,9,9)
PROTECT=11,NAME=(AX,AY,AZ),ACCESS=(11,11,8),UPDATE=(13,13,10)
PROTECT=(12,13),ACCESS=(12,13),UPDATE=(12,13)
INSERT=000009CD,FILE=(9,12,13),ACCESS=(0,0,0),UPDATE=(13,13,13)
INSERT=00110203,FILE=(11),ACCESS=(2),UPDATE=(3)
INSERT=00110304,FILE=(11),ACCESS=(3),UPDATE=(4)
INSERT=00110506,FILE=(11),ACCESS=(5),UPDATE=(6)
INSERT=00110809,FILE=(11),ACCESS=(8),UPDATE=(9)
INSERT=09CD09CD,FILE=(9,12,13),ACCESS=(13,13,13),UPDATE=(13,13,13)
SECURITY_BY_VALUE=09CD09CD,FILE=9,ACCESS_CRITERION,SEARCH_BUFFER=CA,1,EQ,O,CA,1,EQ.
VALUE_BUFFER=AU
UPDATE_CRITERION,SEARCH_BUFFER=CA,1,EQ.
VALUE_BUFFER=U

CHANGE

CHANGE {=|:} (string, string)

This function changes an existing password.

The password specified by the first string must be an existing password.

The value specified by the second string must not be the same as an existing password. A password may be between 1 and 8 characters long. If less than 8 characters are specified, trailing blanks are added. The password may not contain any special characters or embedded blanks.

If you specify an equals sign, the value given for 'string' will be converted to upper case; if you specify a colon, no upper-case conversion is performed.

All entries in effect for the password specified by the first string remain in effect for the new password.

Example

adascr: change:(000009CD,000009cd)
%ADASCR-I-PWCHA, password "000009CD" changed to "000009cd"

The password OLDPW1 is changed to NEWPW1.

DBID

DBID = number

This parameter selects the current database.

Note:
The nucleus must be running.

Example

adascr: dbid=155

The database currently being used is database 155.

DELETE

DELETE = string

This function deletes the existing password specified by the string, together with its associated permission levels and Security by Value criteria.

Example

adascr: delete=000009CD
%ADASCR-I-PWDEL, password "000009CD" deleted

The password USERPW1 is deleted.

DISPLAY

DISPLAY = { PASSWORDS |
  PERMISSIONS, PASSWORD {=|:} {* | string} |
  PROTECTIONS, FILE = {* | (number[-number][,number[-number]]...)} |
  VALUE_CRITERIA, PASSWORD {=|:} {* | string}}

This function shows current security information for files and passwords, as defined by the ADASCR utility.

Details of file protection levels, passwords, password permission levels and Security by Value criteria may be displayed.

FILE = {* | number[-number][,number[-number]]...}

The FILE parameter provides the list, range or ranges of files for which the preceding DISPLAY function is to be applied.

PASSWORDS

The PASSWORDS parameter prints a list of the passwords currently contained in the security file in ascending, alphanumeric sequence.

Example

adascr: display=passwords


List of defined passwords for Database 155 ("ALPHA-TS")

FORTYTWO
G6MON
USERPW1
VOYAGER

Total of 4 defined passwords

PERMISSIONS

The PERMISSIONS parameter prints a list of the access and update capabilities of the specified password for each currently loaded file, by comparing the password permission information against the current file protection levels.

Where respective access or update capability is granted, this is shown by the letter Y; conversely, where the capability is not granted, this is shown by the letter N.

Where access or update permissions for a given file are granted and additional Security by Value restrictions apply to that file, this is indicated by enclosing brackets, i.e. (Y).

If field level security is defined for a file, and the permission for field access or update of a field is different from the file permission, the field and the corresponding permissions are displayed, too.

Example

adascr: display=permissions,password=09CD09CD

password : "09CD09CD"

 FILE    | ACCESS | UPDATE
   FIELD |        |
--------------------------
    1    |     Y  |    Y
    2    |     Y  |    Y
    3    |     Y  |    Y
    9    |    (Y) |   (Y)
      AC |     N  |    N
      AD |     N  |    N
      BC |     N  |    N
      FC |     N  |   (Y)
      FD |     N  |   (Y)
      IC |    (Y) |    N
      ID |    (Y) |    N
      CN |     N  |
      S2 |     N  |
   11    |     N  |    N
   12    |     Y  |    Y
   13    |     Y  |    Y
   14    |     N  |    N
--------------------------

Note:
CN and S2 are a collation descriptor and a superdescriptor; for derived descriptors no update permission is displayed, because they cannot be updated explicitly.

PROTECTIONS

DISPLAY=PROTECTIONS displays the protection information for the specified files. For fields with access or update protection level greater than 0, the protection information is displayed, too.

Example:

adascr: disp=protections,file=(9-11,14)

 FILE    | ACCESS | UPDATE
   FIELD |        |
--------------------------
    9    |      9 |      9
      AC |     14 |     14
      AD |     14 |     14
      BC |     14 |     14
      FC |     14 |      0
      FD |     14 |      0
      IC |      0 |     14
      ID |      0 |     14
      CN |     14 |
      S2 |     14 |
   11    |      1 |      2
      AA |      6 |      9
      AC |      3 |      9
      AE |      5 |      7
      AD |      4 |      8
      AI |     10 |     12
      AJ |     10 |     12
      AK |     10 |     12
      AL |     10 |     12
      AR |      7 |      9
      AS |      7 |      9
      AT |      7 |      9
      AX |     11 |     13
      AY |     11 |     13
      AZ |      8 |     10
      PH |      3 |
      S2 |      3 |
      S3 |      7 |
      S4 |      4 |
   14    |      0 |      0
--------------------------

Note:
CN and S2 in file 9 and PH, S2, S3 and S4 are collation descriptors, superdescriptors or phonetic descriptors; for derived descriptors no update permission is displayed, because they cannot be updated explicitly.

VALUE_CRITERIA

The VALUE_CRITERIA parameter prints all Security by Value criteria currently defined for the specified password.

Example:

adascr: display=value_criteria,password=*

There are no value criteria defined for password "000009CD"

There are no value criteria defined for password "00110203"

There are no value criteria defined for password "00110304"

There are no value criteria defined for password "00110506"

There are no value criteria defined for password "00110809"

There are no value criteria defined for password "09CD0000"


password : "09CD09CD"

| File | Security by Value criterion
|------+----------------------------------------------------------------------
|    9 | ACCESS_CRITERION
|      |   SEARCH_BUFFER: "CA,1,EQ,O,CA,1,EQ."
|      |   VALUE_BUFFER:  "AU"
|      | UPDATE_CRITERION
|      |   SEARCH_BUFFER: "CA,1,EQ."
|      |   VALUE_BUFFER:  "U"
|-----------------------------------------------------------------------------


Total of 7 defined passwords

EXPORT

EXPORT = {PASSWORDS,
            [TARGET_ARCHITECTURE = keyword,]
            PASSWORD {=|:} {* | string} |
          PROTECTIONS,
            [TARGET_ARCHITECTURE = keyword,]
            FILE = {* | (number[-number][,number[-number]]...)} |
          VALUE_CRITERIA,
            [TARGET_ARCHITECTURE = keyword,]
            FILE = {* | (number[-number][,number[-number]]...)},
            PASSWORD {=|:} {* | string}}

This function exports the current security settings (password definitions, file protection levels and security by value criteria) to the sequential file SCROUT. The output in the file SCROUT can be used as ADASCR input in order to import the security definitions into another database.

Note:
If the SCROUT file already exists, the current security settings are appended to the existing file.

The security definitions may be exported either in mainframe syntax to import them on mainframe platforms (TARGET_ARCHITECTURE=MAINFRAME) or in open systems syntax to import them on opens systems platforms (TARGET_ARCHITECTURE=OPEN_SYSTEMS - this is the default

PASSWORDS

PASSWORDS,
TARGET_ARCHITECTURE = keyword,
PASSWORD  {=|:} {*|string}

The PASSWORDS parameter exports password permission levels (access and update) and the associated file or file list for the given password/passwords.

The TARGET_ARCHITECTURE parameter defines the syntax of the target platform. The following keywords can be used:

Keyword Meaning
MAINFRAME Export the defined password/passwords in mainframe syntax.
OPEN_SYSTEMS Export the defined password/passwords in open systems syntax.

The default TARGET_ARCHITECTURE is OPEN_SYSTEMS.

The PASSWORD parameter specifies the password for which the security settings have to be exported. It is also possible to export all defined passwords in the database - this can be done by specifying an asterisk for this parameter.

Example (export for open systems):

adascr: export=passwords,target_architecture=open_systems,password=09CD09CD
%ADASCR-I-PWEXP, Password 09CD09CD and its access and update levels successfully exported.

Note:
target_architecture=open_systems is optional and can be omitted.

This results in the following output for SCROUT:

INSERT=09CD09CD,FILE=(9,12,13),ACCESS=(13,13,13),UPDATE=(13,13,13)

Example (export for mainframe):

adascr: export=passwords,target_architecture=mainframe,password=09CD09CD
%ADASCR-I-PWEXP, Password 09CD09CD and its access and update levels successfully exported.

This results in the following output for SCROUT:

ADASCR INSERT PW=09CD09CD,FILE=9,ACC=13,UPD=13
ADASCR FILE=12,ACC=13,UPD=13
ADASCR FILE=13,ACC=13,UPD=13

PROTECTIONS

PROTECTIONS,
TARGET_ARCHITECTURE = keyword,
FILE = {*|(number[-number][,number[-number]]…)}

The PROTECTIONS parameter exports the protection levels of the given file, file range or ranges.

The TARGET_ARCHITECTURE parameter defines the syntax of the target platform. The following keywords can be used:

Keyword Meaning
MAINFRAME Export the defined password/passwords in mainframe syntax.
OPEN_SYSTEMS Export the defined password/passwords in open systems syntax.

The default TARGET_ARCHITECTURE is OPEN_SYSTEMS.

The FILE parameter specifies the files for which protection levels are to be exported.

Example (export for open systems):

adascr: export=protections,file=(9,11,13)
%ADASCR-I-PREXP, Protection settings for file 9 successfully exported.
%ADASCR-I-PREXP, Protection settings for file 11 successfully exported.
%ADASCR-I-PREXP, Protection settings for file 13 successfully exported.

This results in the following output for SCROUT:

PROTECT=9,ACCESS=9,UPDATE=9
PROTECT=9,NAME=(**,AC,AD,BC),ACCESS=(0,14,14,14),UPDATE=(0,14,14,14)
PROTECT=9,NAME=(FC,FD,IC,ID),ACCESS=(14,14,14,14),UPDATE=(0,0,0,0)
PROTECT=11,ACCESS=1,UPDATE=2
PROTECT=11,NAME=(**,AA,AC,AE),ACCESS=(0,6,3,5),UPDATE=(0,9,9,7)
PROTECT=11,NAME=(AD,AI,AJ,AK),ACCESS=(4,10,10,10),UPDATE=(8,12,12,12)
PROTECT=11,NAME=(AL,AR,AS,AT),ACCESS=(10,7,7,7),UPDATE=(12,9,9,9)
PROTECT=11,NAME=(AX,AY,AZ),ACCESS=(11,11,8),UPDATE=(13,13,10)
PROTECT=13,ACCESS=13,UPDATE=13
PROTECT=13,NAME=(**),ACCESS=(0),UPDATE=(0)

Example (export for mainframe):

adascr: export=protections,target_architecture=mainframe,file=11
%ADASCR-I-PREXP, Protection settings for file 11 successfully exported.

This results in the following output for SCROUT:

ADASCR PROTECT FILE=11,ACC=1,UPD=2
ADASCR PROTECT FILE=11,NAME=(AA,AC,AE,AD),ACC=(6,3,5,4),UPD=(9,9,7,8)
ADASCR PROTECT FILE=11,NAME=(AF,AG,AH,AI),ACC=(0,0,0,10),UPD=(0,0,0,12)
ADASCR PROTECT FILE=11,NAME=(AJ,AK,AL,AN),ACC=(10,10,10,0),UPD=(12,12,12,0)
ADASCR PROTECT FILE=11,NAME=(AM,AO,AP,AR),ACC=(0,0,0,7),UPD=(0,0,0,9)
ADASCR PROTECT FILE=11,NAME=(AS,AT,AU,AV),ACC=(7,7,0,0),UPD=(9,9,0,0)
ADASCR PROTECT FILE=11,NAME=(AX,AY,AZ),ACC=(11,11,8),UPD=(13,13,10)

VALUE_CRITERIA

VALUE_CRITERIA,
TARGET_ARCHITECTURE = (keyword [,keyword]),
FILE = {*|(number[-number][,number[-number]]…)},
PASSWORD  {=|:} {*|string}

The VALUE_CRITERIA parameter exports defined security-by-value settings for a specific file, for the password specified by ‘string’.

The TARGET_ARCHITECTURE parameter defines the syntax and also the byte order of the target platform. The following keywords can be used:

Keyword Group Valid Keywords
Syntax MAINFRAME
OPEN_SYSTEMS
Byte Order HIGH_ORDER_BYTE_FIRST
LOW_ORDER_BYTE_FIRST

The default TARGET_ARCHITECTURE is OPEN_SYSTEMS.

The default byte order corresponds to the architecture of the machine on which ADASCR is running.

Note:
If you export security-by-value definitions from open systems to mainframe platforms, a warning will be issued if the search buffer contains W-formatted fields. This is because W-formatted fields are not supported on mainframe platforms in security-by-value definitions. Any search buffer that contains W-formatted fields will not be exported.

The FILE parameter specifies the file list or range(s) of files for which security-by-value definitions are to be exported. Multiple specifications of the same file number are not permitted.

The PASSWORD parameter specifies the password for which security-by-value definitions are to be exported. If you specify an asterisk, the export will be for all defined passwords.

Example (export for open systems):

adascr: export=value_criteria,file=9,PASSWORD=*
There are no value criteria defined for password "000009CD"

There are no value criteria defined for password "00110203"

There are no value criteria defined for password "00110304"

There are no value criteria defined for password "00110506"

There are no value criteria defined for password "00110809"

There are no value criteria defined for password "09CD0000"

%ADASCR-I-SBVEXP, Security by value settings on file 9 for password 09CD09CD succ
essfully exported.

This results in the following output for SCROUT:

SECURITY_BY_VALUE=09CD09CD,FILE=9,ACCESS_CRITERION,SEARCH_BUFFER=CA,1,EQ,O,CA,1,E
Q.
VALUE_BUFFER=AU
UPDATE_CRITERION,SEARCH_BUFFER=CA,1,EQ.
VALUE_BUFFER=U

Example (export for mainframe):

adascr: export=protections,target_architecture=mainframe,file=11
%ADASCR-I-PREXP, Protection settings for file 11 successfully exported.

This results in the following output for SCROUT:

ADASCR PROTECT FILE=11,ACC=1,UPD=2
ADASCR PROTECT FILE=11,NAME=(AA,AC,AE,AD),ACC=(6,3,5,4),UPD=(9,9,7,8)
ADASCR PROTECT FILE=11,NAME=(AF,AG,AH,AI),ACC=(0,0,0,10),UPD=(0,0,0,12)
ADASCR PROTECT FILE=11,NAME=(AJ,AK,AL,AN),ACC=(10,10,10,0),UPD=(12,12,12,0)
ADASCR PROTECT FILE=11,NAME=(AM,AO,AP,AR),ACC=(0,0,0,7),UPD=(0,0,0,9)
ADASCR PROTECT FILE=11,NAME=(AS,AT,AU,AV),ACC=(7,7,0,0),UPD=(9,9,0,0)
ADASCR PROTECT FILE=11,NAME=(AX,AY,AZ),ACC=(11,11,8),UPD=(13,13,10)

Example for Export on Windows and Subsequent Import on Linux

This example shows how to export existing security settings of a Windows Adabas database 33 in order to subsequently import them into a Linux Adabas database 34.

The export function of ADASCR is used as follows:

>adascr db=33 export=passwords,password=*
%ADASCR-I-STARTED,      12-JAN-2017 16:17:29, Version 6.5.1.0 (Windows 64Bit)
%ADASCR-I-DBON, database 6 accessed online
%ADASCR-I-PWEXP, Password 000009CD and its access and update levels successfully
exported.
%ADASCR-I-PWEXP, Password 00110203 and its access and update levels successfully
exported.
%ADASCR-I-PWEXP, Password 00110304 and its access and update levels successfully
exported.
%ADASCR-I-PWEXP, Password 00110506 and its access and update levels successfully
exported.
%ADASCR-I-PWEXP, Password 00110809 and its access and update levels successfully
exported.
%ADASCR-I-PWEXP, Password 09CD0000 and its access and update levels successfully
exported.
%ADASCR-I-PWEXP, Password 09CD09CD and its access and update levels successfully
exported.

%ADASCR-I-TERMINATED,   12-JAN-2017 16:17:30, elapsed time: 00:00:01

>adascr db=33 export=protections,file=(9,11)
%ADASCR-I-STARTED,      12-JAN-2017 16:17:55, Version 6.5.1.0 (Windows 64Bit)
%ADASCR-I-DBON, database 6 accessed online
%ADASCR-I-PREXP, Protection settings for file 9 successfully exported.
%ADASCR-I-PREXP, Protection settings for file 11 successfully exported.

%ADASCR-I-TERMINATED,   12-JAN-2017 16:17:55, elapsed time: 00:00:00

D:\ada_build\ada\v6_5>adascr db=33 export=value_criteria,file=9,password=*
%ADASCR-I-STARTED,      12-JAN-2017 16:18:30, Version 6.5.1.0 (Windows 64Bit)
%ADASCR-I-DBON, database 33 accessed online
adascr: target_architecture=(open_systems,high_order_byte_first)
adascr: file=9
adascr: password=09CD09CD
%ADASCR-I-SBVEXP, Security by value settings on file 9 for password 09CD09CD succ
essfully exported.
adascr: q
%ADASCR-I-TERMINATED,   12-JAN-2017 16:19:46, elapsed time: 00:01:16

The file “scrout.txt” can now be edited as required, for example, to secure more files other than the ones exported with the given password.

Now copy the exported text file “scrout.txt” to the desired target platform, in this case to a Linux platform. Import the exported security settings using ADASCR with the following statement:

>adascr db=34 + < scrout.txt
%ADASCR-I-STARTED,      12-JAN-2017 17:16:59, Version 6.5.1.0 (Solaris 64Bit)
%ADASCR-I-DBON, database 34 accessed online
%ADASCR-I-PWINS, password "000009CD" inserted
%ADASCR-I-PWINS, password "00110203" inserted
%ADASCR-I-PWINS, password "00110304" inserted
%ADASCR-I-PWINS, password "00110506" inserted
%ADASCR-I-PWINS, password "00110809" inserted
%ADASCR-I-PWINS, password "09CD0000" inserted
%ADASCR-I-PWINS, password "09CD09CD" inserted
%ADASCR-I-FILPRO, protections (access 9, update 9) set for file 9
%ADASCR-I-FIELDPRO, protections (access 0, update 0) set for field ** in file 9
%ADASCR-I-FIELDPRO, protections (access 14, update 14) set for field AC in file 9

%ADASCR-I-FIELDPRO, protections (access 14, update 14) set for field AD in file 9

%ADASCR-I-FIELDPRO, protections (access 14, update 14) set for field BC in file 9

%ADASCR-I-FIELDPRO, protections (access 14, update 0) set for field FC in file 9
%ADASCR-I-FIELDPRO, protections (access 14, update 0) set for field FD in file 9
%ADASCR-I-FIELDPRO, protections (access 14, update 0) set for field IC in file 9
%ADASCR-I-FIELDPRO, protections (access 14, update 0) set for field ID in file 9
%ADASCR-I-FILPRO, protections (access 1, update 2) set for file 11
%ADASCR-I-FIELDPRO, protections (access 0, update 0) set for field ** in file 11
%ADASCR-I-FIELDPRO, protections (access 6, update 9) set for field AA in file 11
%ADASCR-I-FIELDPRO, protections (access 3, update 9) set for field AC in file 11
%ADASCR-I-FIELDPRO, protections (access 5, update 7) set for field AE in file 11
%ADASCR-I-FIELDPRO, protections (access 4, update 8) set for field AD in file 11
%ADASCR-I-FIELDPRO, protections (access 10, update 12) set for field AI in file 1
1
%ADASCR-I-FIELDPRO, protections (access 10, update 12) set for field AJ in file 1
1
%ADASCR-I-FIELDPRO, protections (access 10, update 12) set for field AK in file 1
1
%ADASCR-I-FIELDPRO, protections (access 10, update 12) set for field AL in file 1
1
%ADASCR-I-FIELDPRO, protections (access 7, update 9) set for field AR in file 11
%ADASCR-I-FIELDPRO, protections (access 7, update 9) set for field AS in file 11
%ADASCR-I-FIELDPRO, protections (access 7, update 9) set for field AT in file 11
%ADASCR-I-FIELDPRO, protections (access 11, update 13) set for field AX in file 1
1
%ADASCR-I-FIELDPRO, protections (access 11, update 13) set for field AY in file 1
1
%ADASCR-I-FIELDPRO, protections (access 8, update 10) set for field AZ in file 11

%ADASCR-I-SEVINS, Value criteria for file 9 added to password "09CD09CD"

%ADASCR-I-TERMINATED,   12-JAN-2017 17:17:00, elapsed time: 00:00:01

You can check the imported security settings with the DISPLAY control parameter of ADASCR:

adascr
adascr: dbid=34 display=passwords

List of defined passwords for Database 34 ("GENERAL_DATABASE")

MYSECRET

Total of 1 defined password

adascr: dbid=34 display=permissions,password=MYSECRET

password : "MYSECRET"


 FILE | ACCESS | UPDATE
-----------------------
    1 |     Y  |    Y
    2 |     Y  |    Y
    3 |     Y  |    Y
    9 |    (Y) |   (Y)
   11 |     N  |    N
   12 |    (Y) |   (Y)
   13 |    (Y) |   (Y)
   14 |     N  |    N
-----------------------

( ) Further value restrictions apply where brackets shown.


adascr: db=34 display=protections,file=(9,12,13)


FILE | ACCESS | UPDATE
-----------------------
   9 |      7 |     11
  12 |      2 |      2
  13 |      4 |      4
-----------------------

adascr: db=34 display=value_criteria,password=MYSECRET


password : "MYSECRET"

| File | Security by Value criterion
|------+----------------------------------------------------------------------
|    9 | ACCESS_CRITERION
|      |   SEARCH_BUFFER: "AZ,2,GE."
|      |   VALUE_BUFFER:  "FR"
|      | UPDATE_CRITERION
|      |   SEARCH_BUFFER: "AH,8,GE,D,AH,8,LE,D,AA,8,LE. "
|      |   VALUE_BUFFER:  "195201011952020160000000"
|   12 | ACCESS_CRITERION
|      |   SEARCH_BUFFER: "AM,3,GE."
|      |   VALUE_BUFFER:  0x33000C
|      | UPDATE_CRITERION
|      |   SEARCH_BUFFER: "AM,3,GE."
|      |   VALUE_BUFFER:  0x50000C
|   13 | ACCESS_CRITERION
|      |   SEARCH_BUFFER: "B0,GE."
|      |   VALUE_BUFFER:  0x01000000
|      | UPDATE_CRITERION
|      |   SEARCH_BUFFER: "B0,3,GE."
|      |   VALUE_BUFFER:  0xFF0201
|-----------------------------------------------------------------------------

INSERT

INSERT {=|:} string, FILE = (number[-number][,number[-number]]...)
         ,ACCESS = (number[,number]...)
         ,UPDATE = (number[,number]...)

This function inserts a password specified by 'string' into the password table.

If you specify an equals sign, the value given for 'string' will be converted to upper case; if you specify a colon, no upper-case conversion is performed.

The password may be between 1 and 8 characters long. If less than 8 characters are specified, trailing blanks are added. The password may not contain any special characters or embedded blanks.

ACCESS = (number[,number]...)

The ACCESS parameter specifies the access protection levels to be associated with the files or file ranges specified in the FILE parameter. Each protection level corresponds to one file or one file range. A value may be specified in the range 0 - 14. The protection levels must be specified in the same order as the corresponding files or file ranges in the FILE parameter.

FILE = (number[-number[,number[-number]]...)

The FILE parameter specifies the file list or range(s) of files for which permission levels are being provided. Multiple specifications of the same file number are not permitted.

UPDATE = (number[,number]...)

The UPDATE parameter specifies the update protection levels to be associated with the files or file ranges specified in the FILE parameter. Each protection level corresponds to one file or one file range. A value may be specified in the range 0 - 14. The protection levels must be specified in the same order as the corresponding files or file ranges in the FILE parameter.

Example

adascr: insert=userpwx, file=(1,2,3),
                 access=(7,7,7), update=(0,8,8)      

adascr: insert=userpwy, file=(1,2,3),                  
                 access=(7,2,2), update=(8,0,0)     

adascr: insert=userpwz, file=(1-3,5),                  
                 access=(2,3), update=(4,6)

PROTECT

PROTECT = (number[-number][,number[-number]]...)
          [,NAME = (field_name [, field_name] …)]
          ,ACCESS = (number[,number]...)
          ,UPDATE = (number[,number]...)

This function inserts (or updates) the access and/or update protection levels for the file(s) specified or for fields within a file:

  • If NAME is not specified, file protection levels are defined. Multiple specifications of the same file number are not allowed.

  • If NAME is specified, field protection levels are defined. Specifying NAME is only allowed, if a single file number has been specified. Multiple specifications of the same field name are not allowed. If the name of a group or a periodic group is specified, the specified field protection levels are set for all component fields of the group / periodic group, which are not specified themselves in the list of field names. For fields not specified explicitly or implicitly as component of a group or periodic group, the field protection levels are not changed.

  • Default for file and field protection level is access protection level 0 and update protection level 0.

ACCESS = (number[,number]...)

Values may be specified in the range 0 - 15.

  • If NAME is not specified, the UPDATE parameter specifies the update protection levels to be associated with the file(s) specified in the PROTECT parameter. Each protection level corresponds to one file or one file range. The protection levels must be specified in the same order as the corresponding files or file ranges in the PROTECT parameter. The number of values specified must be identical to the number of files or file ranges in the PROTECT parameter.

  • If NAME is specified, the UPDATE parameter specifies the update protection levels to be associated with the fields specified via NAME. Each protection level corresponds to one field name. If you set the protection level lower than that of the file, the file protection level becomes effective field protection level. The protection levels must be specified in the same order as the corresponding field names in the NAME parameter. The number of values specified must be identical to the number of field names in the NAME parameter.

Note that the maximum protection level for update for the INSERT function is 14, whereas the PROTECT function allows a maximum of 15. Therefore, with UPDATE=15, a file or field can be protected to prevent any user from updating it.

UPDATE = (number[,number]...)

Values may be specified in the range 0 - 15.

  • If NAME is not specified, the ACCESS parameter specifies the access protection levels to be associated with the file(s) specified in the PROTECT parameter. Each protection level corresponds to one file or one file range. The protection levels must be specified in the same order as the corresponding files or file ranges in the PROTECT parameter. The number of values specified must be identical to the number of files or file ranges in the PROTECT parameter.

  • If NAME is specified, the ACCESS parameter specifies the access protection levels to be associated with the fields specified via NAME. Each protection level corresponds to one field name. If you set the protection level lower than that of the file, the file protection level becomes effective field protection level. The protection levels must be specified in the same order as the corresponding field names in the NAME parameter. The number of values specified must be identical to the number of field names in the NAME parameter.

Note that the maximum protection level for access for the PROTECT function is 15, whereas the INSERT function allows a maximum of only 14. Therefore, with ACCESS=15, a file or field can be protected to prevent any user from accessing it.

Example

adascr: protect=25,access=7,update=11
adascr: protect=25,name=(AA,AB,AC),access=(6,8,7),update=(14,13,12)
adascr: protect=(1,2,3),access=(7,7,7),update=(8,8,8)
adascr: protect=(4-6),access=10,update=12

In the second example, assume that AA is an elementary field, and AB is a group consisting of elementary fields AC, AD and AE. Then the following table shows the resulting protection levels:

  Field AA Group AB
Field AC Field AD Field AE
Access protection level 6 7 8 8
Update protection level 14 12 13 13

If the file number of a security-protected file is subsequently changed as a result of running the RENUMBER function of the ADADBM utility, the PROTECT function has to be reexecuted in order to reestablish the security protection levels for the file. The passwords also have to be reestablished, since they reflect the old file number.

SECURITY_BY_VALUE

SECURITY_BY_VALUE {=|:} string, FILE = number
                    ,ACCESS_CRITERION
                    ,SEARCH_BUFFER = string *
                    ,VALUE_BUFFER = string *
                    ,UPDATE_CRITERION
                    ,SEARCH_BUFFER = string *
                    ,VALUE_BUFFER = string *

* The search/access buffer string parameters must be followed by <Newline> with no preceding comma.

This function inserts (or updates) the Security by Value criteria for a specific file, for the given password specified by `string'. The password must already have been inserted into the security file, using the INSERT function. Each password can have Security by Value criteria defined for a maximum of 99 files.

If you specify an equals sign, the value given for 'string' will be converted to upper case; if you specify a colon, no upper-case conversion is performed.

ACCESS_CRITERION

The ACCESS_CRITERION keyword must precede the search buffer and value buffer which will define the criterion for restricting access to data using the provided password.

In order for the access value criterion to be specified, the ACCESS password permission level for the file must also have previously been set (i.e. non-zero); in the case where the level is not set, the ACCESS_CRITERION keyword cannot be specified.

FILE = number

The FILE parameter specifies the file for which the value criteria are to be defined. Exactly one file must be specified and the file must be currently loaded in the database.

UPDATE_CRITERION

The UPDATE_CRITERION keyword must precede the search buffer and value buffer which will define the criterion for restricting the update of data using the provided password.

In order for the update value criterion to be specified, the UPDATE password permission level for the file must also have previously been set (i.e. non-zero); in the case where the level is not set, the UPDATE_CRITERION keyword cannot be specified.

SEARCH_BUFFER = string

The SEARCH_BUFFER parameter is used to provide the search expressions for the access/update criterion. Syntax and examples of search buffer construction are provided in Command Reference, Calling Adabas, Search and Value Buffers.

Certain restrictions apply to the search buffer when used for defining Security by Value criteria; soft coupling and sub-, super-, hyper- and phonetic descriptors are not supported.

If the required criterion is that no restrictions should apply, then the associated search buffer should be specified containing only the terminator, i.e.:

SEARCH_BUFFER = .

In this case, the VALUE_BUFFER parameter is not required and does not need to be supplied.

VALUE_BUFFER = string

The VALUE_BUFFER parameter is used to provide the corresponding values for the search expressions for the access/update value criterion, specified in the preceding search buffer. The string may be specified either directly, as an alphanumeric string or as a string using hexadecimal notation.

Example

adascr: security_by_value=fortytwo, file=10,
        access_criterion, search_buffer=CA,4,U,LT.
adascr: value_buffer=1707 
adascr: update_criterion, search_buffer=A,4,S,CA,4,D,AA,O,AA.
adascr: value_buffer=01001599MS

adascr: security_by_value=g6mon, file=3
adascr: access_criterion, search_buffer=.
adascr: update_criterion, search_buffer=AC,3.
adascr: value_buffer=HAM

If the either the access or update protection level for the specified file is zero, the associated value criterion will not be tested when the password is used for accessing/updating records for that file.