Applying Database Administrator Security
You can secure Master Files on a file-by-file basis.
For each data source, security can be maintained at two different
levels.
- Database Administrator Level. You specify the Database Administrator
  (DBA) password for the data source. The DBA has unlimited access to the
  Master File and data source and can set up or change security
  restrictions for individual users. Only the Database Administrator can
  encrypt (scramble) or decrypt (unscramble) a data source. For more
  information, see Encrypting and Decrypting a Master File.
- User Level. You specify the DBA and user passwords for the data source.
  The user password represents a user who has access to that data source.
  When you specify a user password, you must also set at least the type
  of file access: read, write, read/write, or update. Security for each
  user can be further limited by restricting access to segments, fields,
  or field values. For more information, see Restricting Access to
  Segments, Fields, Field Values, and Noprint. Once a user password has
  been established, you can apply the same restrictions to multiple
  users. For more information, see Applying Security Restrictions for
  Multiple Users.
Note: You cannot specify a Database Administrator (DBA)
password during the Create Synonym process. You must use the Synonym
Editor.
When security is specified, the Database Administrator or user must
enter a password to get access to the data source. When the DBA or
user no longer needs access to the data source, you can delete
their security.
Before adding any type of security to a data source, the Database
Administrator must be aware of certain DBA guidelines. See DBA Guidelines.
Procedure: How to Set Up Security for the Database Administrator
- In the Synonym Editor, click DBA from the Tools menu or click the DBA
  button from the Synonym toolbar.
  The DBA pane opens in the workspace, as shown in the following image.
- Right-click the file name in the DBA window and select Insert, then DBA.
  A default DBA password will be created for the Master File. You can
  change this value, delete it, add users to specify file restrictions,
  or add file names to specify data source-specific restrictions to the
  current data source. You can also specify a separate DBA file that
  contains DBA security restrictions.
  Note: When the password is created and the cursor is in that field, you
  can right-click and use the edit options to undo, select all, cut,
  copy, paste, or delete the password.
Procedure: How to Set Up Security for the User
- In the DBA pane, right-click the DBA icon to insert user restrictions
  or specify a DBA file.
- Once you add a user, you can continue to insert file access
  restrictions by right-clicking the user field and selecting Insert.
- Select the type of access: Read, Write, Read/Write, or Update.
- Specify the type of restriction for each option: Restriction to Field,
  Value, Segment, Noprint, or Same Restriction.
  Note: The Same Restriction option is activated when there are multiple
  users.
- Click OK to save the Master File with the user password and
  restrictions.
Reference: DBA Guidelines
You can ensure that the security restrictions you place on Master Files
are correct by adhering to the following guidelines:
- Every file with access limits must have a DBA password.
- No segment, field, or field value restrictions may be specified at the
  Database Administrator level. The Database Administrator should have
  unlimited access to the data source and all cross-referenced data
  sources.
- Once security restrictions have been applied, the Database
  Administrator should conduct thorough testing of every restriction
  before the data source is used. It is particularly important to check
  field values to make sure they do not contain errors. If they are in
  error, user access to the field data will be unnecessarily restricted.
- All groups of cross-referenced data sources must have the same security
  restrictions.
- You must have a DBA password to encrypt and decrypt or restrict
  existing data sources.
- The Database Administrator can change any type of security restriction.
- Access levels affect the fields users can access. The Database
  Administrator must consider what commands each user will need. If a
  user does not have access rights, that user will receive a message.
The following options are available from the DBA pane when the DBA
password is selected.
- DBA password. By default, the DBA password is the same as the user ID
  used to connect to the reporting server. Using the Rename option from
  the DBA password Context menu, you may enter a different password of up
  to sixty-four characters. This is the password of the DBA who will be
  creating and maintaining the current data source. The DBA has full
  access to the data source and the corresponding Master File, controls
  the access rights of other users, and has encryption privileges. See
  Encrypting and Decrypting a Master File.
- DBAFILE. Select the name of the Master File that contains your DBA
  security restrictions. Other Master Files can use the DBA security
  restrictions in this Master File.
- Insert Filename. Enter the name of the Master File to which user
  security will be applied. This option is used to add data
  source-specific restrictions to the current data source. It includes a
  FILENAME attribute for the selected Master File. The FILENAME attribute
  in the referenced Master File must be the same as the FILENAME
  attribute in the DBA section of the current data source.
- Insert Users. Enter the names (up to sixty-four characters) of users
  whose access rights will be granted for the current data source.
- File Access. For user access, select one of the following options:
  - Choose Read for full viewing rights.
  - Choose WRITE to permit additions or changes to the data source.
  - Choose READ/WRITE for both of the above.
  - Choose UPDATE to permit changes to field values.
- Restrictions: Segment, Field, Value, Noprint, Same. When the file
  access is selected, continue to select the type of restriction you wish
  to apply.
  - Choose Segment to grant access to all or individual segments.
  - Choose Field to grant access to all or individual fields.
  - Choose Value to limit access to values that meet a test condition.
    See Restricting Access to Segments, Fields, Field Values, and Noprint.
  - Choose Noprint to specify fields you do not want to display in a
    report.
  - Choose Same to apply the same restrictions as other users that are
    already set up.
- Access Restrictions.
  - User. Is the user name written to the Master File.
  - Name. Is the name of the Master File component selected (for example,
    the segment or field name).
  - Access. Is the type of access restriction.
  - Restrict. Is an option for File access restriction.
  - Value. Is the value for which to restrict access.
Selecting the Type of Access
When you assign a user password, the type of file
access and access restrictions options are available.
You must specify at least the type of access the user is permitted
to have for the data source. The type of file access can be specified
in the File Access group on the DBA pane. In this group, there are
four file access options:
- Read. Allows the user only to read (to view) the data source.
- WRITE. Allows the user only to write (add or to make changes) to the
  data source.
- READ/WRITE. Allows the user to read and write to the data source.
- UPDATE. Allows the user to update (make changes to) existing field
  values.
The type of file access determines what a user can do to the
entire data source:
Restricting Access to Segments, Fields, Field Values, and Noprint
You can restrict access to segments, fields, field values,
and Noprint fields in a Master File by specifying access restrictions
for a user. When you specify what is to be restricted, such as segment,
field, or value, you can then specify the type of access that will be
restricted.
Right-click the file access restriction and select the Segment, Field,
Value, or Noprint option from the Context menu.
- Segment. You specify the type of access for individual segments, as
  shown in the following image.
  The following image illustrates how a user can change a segment name.
- Field. You specify the type of access for individual fields.
- Value. You specify the type of access (read or write) and the test
  condition. The user is restricted to using only those values that
  satisfy the test condition.
  The following image illustrates how to change a field name used in a
  value field.
  The following image illustrates how to create a condition. This dialog
  box is presented after pressing the ellipsis next to the value field.
- Noprint. You can also specify not to display the data in that field
  using Noprint. If you specify Noprint for a field, the data will appear
  as blanks for alphanumeric format or zeros for numeric format whenever
  the user tries to retrieve it.
Applying Security Restrictions for Multiple Users
You can specify restrictions for one user and apply
the same restrictions to other users. This helps when you want to
set the same restrictions for a group of users.
Procedure: How to Apply Previously Defined Restrictions to Another User
1. In the DBA pane, right-click the DBA password and select Insert, then
   User.
2. Right-click the newly added user and select Insert to specify the
   desired type of access restriction you would like to apply.
   Available access types are Write Access, Read/Write Access, and Update
   Access.
3. Right-click an access type and select Insert, then Same Restriction.
   Note: The Same Restriction option is only available when there are
   multiple users. A drop-down combo box is activated in the Properties
   pane with a NAME attribute.
4. Click the arrow on the drop-down combo box next to the NAME attribute
   in the Properties pane, and then select the user with the security
   restrictions that would apply to the new user.
   Security restrictions from the user selected in the drop-down combo
   box are applied to the new user. You can apply the security
   restrictions to other users by repeating steps 1 to 4.
Note: You must have created at least one user security restriction to
apply security restrictions to multiple users.
Deleting a DBA or User Password
You can delete a DBA password or security for a user
when it is no longer needed.
Procedure: How to Delete a User Password
- On the DBA pane, select the user password you wish to delete.
- Right-click and select Delete or press Delete on the keyboard.
If you delete a user whose security restrictions you have assigned to
other users, you must reset security restrictions for all users
attached to the user you deleted.
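
The DBA guidelines and the deletion caveat above can be checked mechanically before a data source is put into use. The Python below is an added example, not part of the product or its documentation; the dictionary layout, file names, passwords and field names are constructed assumptions, with keys modeled on the Access Restrictions columns (User, Access, Restrict, Name, Value).

```python
VALID_ACCESS = {"READ", "WRITE", "READ/WRITE", "UPDATE"}
NEEDS_NAME = {"SEGMENT", "FIELD", "VALUE", "NOPRINT"}

def audit_source(src):
    """Check one data source description against the DBA guidelines."""
    rows, dba = src.get("restrictions", []), src.get("dba_password")
    findings = []
    if rows and not dba:
        findings.append("access limits present but no DBA password")
    # Users with restrictions of their own are the only valid SAME targets.
    own = {r["user"] for r in rows if r.get("restrict") != "SAME"}
    for r in rows:
        user, restrict = r["user"], r.get("restrict")
        if r.get("access") not in VALID_ACCESS:
            findings.append(f"{user}: no valid file access type")
        if dba and user == dba and restrict:
            findings.append(f"{user}: restriction set at DBA level")
        if restrict in NEEDS_NAME and not r.get("name"):
            findings.append(f"{user}: {restrict} restriction names no component")
        if restrict == "VALUE" and not r.get("value"):
            findings.append(f"{user}: VALUE restriction has no test condition")
        if restrict == "SAME" and r.get("name") not in own - {user}:
            findings.append(f"{user}: SAME refers to missing user {r.get('name')}")
    return findings

def audit_group(sources):
    """Files whose security differs from the first file of a cross-referenced group."""
    def key(src):
        rows = src.get("restrictions", [])
        return (src.get("dba_password"),
                frozenset(tuple(sorted(r.items())) for r in rows))
    return [s["file"] for s in sources[1:] if key(s) != key(sources[0])]

# Constructed sample data: file names, passwords and fields are hypothetical.
EMPLOYEE = {"file": "employee", "dba_password": "dba01", "restrictions": [
    {"user": "clerk1", "access": "READ", "restrict": "FIELD", "name": "SALARY"},
    {"user": "clerk2", "access": "READ", "restrict": "SAME", "name": "clerk1"},
    # clerk9 was deleted, so this SAME reference dangles
    {"user": "clerk3", "access": "READ", "restrict": "SAME", "name": "clerk9"},
    # VALUE restriction saved without a test condition
    {"user": "audit1", "access": "READ", "restrict": "VALUE", "name": "DEPT"},
]}
JOBFILE = {"file": "jobfile", "dba_password": None,
           "restrictions": [{"user": "clerk1", "access": "READ"}]}
if __name__ == "__main__":
    for src in (EMPLOYEE, JOBFILE):
        for finding in audit_source(src):
            print(f"{src['file']}: {finding}")
    print("differs from group baseline:", audit_group([EMPLOYEE, JOBFILE]))
```

A check like this complements, but does not replace, the hands-on testing of each restriction that the guidelines call for.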
Procedure: How to Delete a DBA Password
Deleting a DBA password will delete all user security for that data source.
On the DBA pane, select the DBA password, then right-click and select
Delete or press Delete on the keyboard.
All security information is removed.
Encrypting and Decrypting a Master File
You may use the Encrypt and Decrypt attributes from
the Synonym Editor to scramble and unscramble some or all of the
contents of a data source. When you encrypt Master Files, they are
secure from unauthorized examination.
Encryption at the data source level scrambles the entire contents
of that Master File so it is unreadable. A Master File that you have
encrypted can later be decrypted. Decrypting unscrambles the contents
to their readable state.
Before you can encrypt or decrypt any Master File, you must specify
the DBA password. If you do not specify a DBA password, you will
not be able to encrypt or decrypt the file.
Procedure: How to Encrypt a Master File
- In the Synonym Editor, select DBA from the Tools menu or click the DBA
  button from the Synonym toolbar.
  The DBA pane opens.
- Create and save the Master File with the DBA password.
- From the Synonym Editor Field View tab, select a segment from the
  Master File hierarchy (left pane).
  The values for the selected segment appear in the Properties pane on
  the right.
- Select the ENCRYPT check box.
- Click Save from the File menu to encrypt the Master File.
Procedure: How to Decrypt a Master File
- At the encrypted segment level in the Master File hierarchy, clear the
  ENCRYPT attribute.
- Click Save from the File menu to decrypt the Master File.