Previous Topic: Checking Verb SecurityNext Topic: Establishing Schema and Subschema Currency

Defining a Database Using Non-SQLSecurity CheckingChecking Component Security

Checking Component Security

The schema compiler checks the security of a specific schema whenever a SCHEMA statement (other than ADD SCHEMA) is issued for that schema; the subschema compiler checks security of a specific subschema whenever a SUBSCHEMA statement (other than ADD SUBSCHEMA) is issued for that subschema. Note that this security is not checked for each component of a schema or subschema. Once a user passes security for a schema or a subschema, all of its components are available to the user. Component security applies to every existing schema and subschema, regardless of whether compiler security is on.

PUBLIC ACCESS Clause

Security for a specific schema or subschema is set through the PUBLIC ACCESS clause of the SCHEMA or SUBSCHEMA statement. A schema or subschema is said to be unsecured if PUBLIC ACCESS IS ALLOWED FOR ALL is in effect; any other public access specification places some level of security on the schema or subschema.

Examples

The following examples show how component security is set:

MOD SCHEMA EMPSCHM                      turns off security for EMPSCHM
    PUBLIC ACCESS IS ALLOWED
      FOR ALL.

MOD SUBSCHEMA EMPSS01                   turns on security for all verbs
    OF SCHEMA EMPSCHM                   issued against EMPSS01
    USER IS JFD
      REGISTERED FOR ALL
    PUBLIC ACCESS IS ALLOWED
      FOR NONE.

MOD SUBSCHEMA EMPSS02                   turns off security for DISPLAY
    OF SCHEMA EMPSCHM                   EMPSS02 and PUNCH EMPSS02;
    USER IS LSB                         turns on security for all other
      REGISTERED FOR ALL                verbs issued against EMPSS02
    PUBLIC ACCESS IS ALLOWED
      FOR DISPLAY.

Authorized Users

An authorized user for a specific schema or subschema is one whose association with the schema or subschema includes the verb used in the SCHEMA or SUBSCHEMA statement being processed. This authority is assigned through the REGISTERED FOR subclause of the USER clause in a previously-issued SCHEMA or SUBSCHEMA statement, as shown in the following examples:

ADD SUBSCHEMA NAME IS EMPSS01           assigns authority to KCO to
    USER NAME IS KCO                    use all verbs against EMPSS01
      REGISTERED FOR ALL.

ADD SUBSCHEMA NAME IS EMPSS02           assigns authority to WXE to
    USER NAME IS WXE                    access EMPSS02 with only those
      REGISTERED FOR PUBLIC ACCESS.     verbs specified in EMPSS02's
                                        PUBLIC ACCESS clause

ADD SCHEMA NAME IS EMPSCHM              assigns authority to ILI to
    USER NAME IS ILI                    DISPLAY and PUNCH EMPSCHM
      REGISTERED FOR DISPLAY.

Note: For more information about PUBLIC ACCESS and USER clauses, see "SCHEMA statement" in "SCHEMA statement" in Chapter 14, “Schema Statements".