Checking Verb Security

Defining a Database Using Non-SQL › Security Checking › Checking Verb Security

Checking Verb Security

The schema and subschema compilers check verb security whenever a SCHEMA statement (schema compiler only) or SUBSCHEMA statement (subschema compiler only) is issued. Note that verb security is not checked for each component of a schema or subschema. Once a user passes security for a schema or a subschema, all of its components are available to the user.

Turning Verb Security On or Off

Verb security is turned on or off through the IDD DDDL statement, SET OPTIONS FOR DICTIONARY SECURITY FOR IDMS IS ON/OFF.

Note: This IDD DDDL statement also turns compiler security on or off; verb security and compiler security cannot be set independently.

Determining Who is Issuing the Statement

To determine who is issuing the SCHEMA or SUBSCHEMA statement, the compiler looks at four areas; if any area contains the name of an authorized user, security is satisfied and the compiler processes the request:

The SCHEMA or SUBSCHEMA statement PREPARED BY clause
The SCHEMA or SUBSCHEMA statement REVISED BY clause
The current session option for PREPARED BY
The current session option for REVISED BY

Note: If user signon override is not allowed, the user issuing the statement is always assumed to be the user known to the execution environment. PREPARED BY and REVISED BY user specifications are ignored.

An authorized user, for this function, is one whose description in the dictionary includes authority to issue the verb specified in the SCHEMA or SUBSCHEMA statement, in conjunction with the authority to use the compiler. Verb authority is assigned through IDD DDDL USER statements, such as those in the following examples:

ADD USER NAME IS KCO                 assigns authority to use all
    AUTHORITY FOR UPDATE             verbs in each DDL compiler
      IS IDMS.

ADD USER NAME IS BAC                 assigns authority to use MODIFY,
    AUTHORITY FOR MODIFY             DISPLAY, and PUNCH in each DDL
      IS IDMS.                       compiler

ADD USER NAME IS TWG                 assigns authority to use DELETE,
    AUTHORITY FOR DELETE             DISPLAY, and PUNCH in the schema
      IS SCHEMA.                     compiler only

ADD USER NAME IS JFD                 assigns authority to use DISPLAY
    AUTHORITY FOR DISPLAY            and PUNCH in the schema compiler
      IS SCHEMA.                     only

While schema authority only allows the user to access the schema compiler, any subschema updates resulting from authorized schema updates are allowed (for example, deleting a set from the schema causes the set to be deleted from the subschemas associated with that schema).

Note: For more information about assigning verb authority, see the CA IDMS IDD DDDL Reference Guide.