Retrieval and Update Lock Codes and Keys
Retrieval and update lock codes can be assigned to files to prevent unauthorised access.
Retrieval and update lock codes consist of ASCII character strings in attributes 5 and 6 respectively of account and file definition items. In account definition items only, these can be multivalued. The locking mechanism is based on string matching. A user can only update/retrieve data from a file if at least one of the update/retrieval codes assigned to that user matches the update/retrieval code of the targeted file.
Entering lock codes and keys
Lock codes and keys can be entered as follows:
- By using CREATE-ACCOUNT.
  Codes and keys are prompted for and entered in the account (or account synonym) definition item as detailed later in this topic.
- By editing attributes 5 and 6 of an account definition item or account synonym definition item from SYSMAN or SYSPROG.
  This procedure is used to add to or change the lock code and keys of an account subsequent to its creation.
- By using SSM, retrieval and update keys can be assigned to a user's profile.
  If any are present, they completely supersede any that would otherwise be supplied via an account or account synonym definition item.
- By editing attributes 5 and 6 of a file definition item or file synonym definition item.
  This procedure is used to create, add to, or change the lock codes of a file.
Account and user locks and keys
One or more retrieval and update code strings can be assigned to an account. Each code string is separated from the next by a value mark (entered as CTRL+], hex value FD).
Retrieval codes are contained in attribute 5 of the account definition item. The first retrieval code acts both as a lock for the whole account and as a key for accessing files. Further codes act just as keys for accessing files, unless retrieval or update keys are assigned via the user's profile, in which case none of the account's keys are used by that user.
Update codes are contained in attribute 6 of the account definition item. The first code acts both as a lock for the account's Master Dictionary (MD) and as a key for accessing files. Further codes act just as keys for accessing files, unless retrieval or update keys are assigned via the user's profile, in which case none of the account's keys are used by that user.
Update locks always apply just to the file referenced by the D-pointer they are included in. For this reason, an update lock in an account definition item locks the associated account's MD against unauthorised update, but does not protect other files in the account.
To obtain access from one account to another, the user must have at least one key that matches the first retrieval code shown in the second account's (D-pointer) definition item.
Retrieval and update keys in account synonym definition items do not function as locks, unless a Q-pointer actually shows the synonym account name, in which case the first retrieval code functions as a lock on that account (in addition to any lock set on its D-pointer definition item).
File locks
Only the first values in file definition item attributes 5 (retrieval) and 6 (update) function as locks. Further multivalues in these attributes have no significance to the system. Retrieval locks in Q-pointers (file synonym definition items) are effective but update locks are ignored (update locks in D-pointers only are effective, and only for the file defined by the D-pointer).
Code comparison
Reality compares the ASCII values in each code beginning from the left and continuing to the right, until either a mismatch is found or the end of the character string is reached. The last character before a value mark is considered the end of a string. If the matching key of the accessing user has more characters than the lock code for the targeted account or file, access is allowed because the matching routine ignores any additional characters in the 'key'.
Sample code comparison
If the accessing account's code is 1234 and the targeted file's code is 123, the accessing account is allowed access to the data. The following table shows some more examples.
Targeted Acct/File Code | Accessing User's Code | Result |
---|---|---|
123 | XX]123 | match |
12 | 123 | match |
123 | 12 | no match |
XYZ | XYZ5 | match |
AQ2 | AQ | no match |
Lock and key
The first value in attribute 5 of an account definition item is a retrieval lock for that account that prevents users (without a matching key) from accessing the MD of the account, or any of the dictionary or data section files physically defined (via D-pointers) from that account. Similarly, a retrieval lock set in a dictionary D-pointer also protects any data sections defined from that dictionary. The first value in attribute 5, and any subsequent values in the same attribute, also act as retrieval keys for users logged-on to the account, unless those users have keys assigned via their user profile, which then supersede the account's keys.
The first value in attribute 6 of an account definition item acts as an update lock for the account's MD, but does not lock any of its files. Each file requires an update lock in its defining D-pointer for update protection. Further values can function as additional keys, as described for retrieval keys.
For example, account 'A' has the following values in attributes 5 and 6:
005 XYZ]RET
006 UPD
The value XYZ in attribute 5 is a lock for account A's MD and a key to access files. The string RET acts just as a further key for file access. However, if any keys are defined via the user's profile, the account's keys are not used.
The file definition item in account 'B' has the following values in attributes 5 and 6:
005 XYZ
006 UPD
The file definition item in account 'C' has the following values in attributes 5 and 6:
005 RET
006 UPD
Assuming the user does not have keys in the associated profile, Reality checks the values in account A's account definition item and finds keys that match the locks in the file definition items in accounts B and C. Therefore, account A can access the files in either account B or C.
If the user's keys or the key(s) in the account definition item do not match the lock codes in the file definition item, access is denied and the following message is displayed:
[210] FILE 'file-name' is access protected
Retrieval codes/keys function similarly for account and file synonym definition items. Update lock codes only function as locks when in file D-pointers.
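The comparison and key-selection rules described above can be modelled as follows. This is an added Python example, not Reality code or part of the original documentation; the function names are hypothetical, `]` is accepted as the printed form of the value mark, and treating an empty attribute as "no lock" is an assumption.

```python
VM = "\xfd"  # value mark (hex FD) separating multivalues; printed as "]" in listings


def values(attr: str) -> list[str]:
    """Split an attribute into its multivalues (accepts ']' as the printed value mark)."""
    return attr.replace("]", VM).split(VM) if attr else []


def key_opens(lock: str, key: str) -> bool:
    """Left-to-right comparison that ends at the end of the lock code:
    any additional characters in the key are ignored."""
    return key.startswith(lock)


def effective_keys(account_attr: str, profile_keys: str = "") -> list[str]:
    """Keys assigned via the user's profile, if present, supersede the account's keys."""
    return values(profile_keys) or values(account_attr)


def access_allowed(file_attr: str, account_attr: str, profile_keys: str = "") -> bool:
    """Apply one code type (retrieval = attribute 5, update = attribute 6) to one file."""
    locks = values(file_attr)
    if not locks or not locks[0]:
        return True  # assumption: no code in the attribute means the file is not locked
    lock = locks[0]  # only the first value of a file definition attribute is a lock
    return any(key_opens(lock, k) for k in effective_keys(account_attr, profile_keys))


def overbroad(lock: str, keys: list[str]) -> list[str]:
    """Audit helper: keys that open the lock only because extra characters are ignored."""
    return [k for k in keys if key_opens(lock, k) and k != lock]


if __name__ == "__main__":
    # Account A (005 XYZ]RET) against the file locks in accounts B and C from the text.
    for name, lock in (("B", "XYZ"), ("C", "RET")):
        print(name, access_allowed(lock, "XYZ]RET"))
    # Constructed case: a profile key replaces both account keys, so access is lost.
    print(access_allowed("XYZ", "XYZ]RET", profile_keys="ABC"))
```

Because trailing characters in a key are ignored, a short lock code is opened by every key that begins with it; `overbroad` lists such keys so that lock codes can be reviewed for unintended matches.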
Sample update and retrieval lock codes
Assume an Accounts Payable file (ACC-PAY) and an Accounts Receivable file (ACC-REC) in a SALES account. George and Jane have their own accounts. George is allowed to update the ACC-REC file and Jane the ACC-PAY file. To give access to these files, you can set up codes (shown in bold print) as follows:
Alternatively, you can set up account synonym definition items for George and Jane or you can assign keys to them via their user profiles.