It is possible to set up password protection for the records and attributes of CALL DML tables. You can use a password to limit access to:
specific records in a table
specific attributes
a specific access mode.
The password and information on its access authorization are contained in the password catalog. In the application program, you enter the password in the first three bytes of CALL DML statements.
The CALL DML password-protection concept makes it possible to have hierarchically structured password protection.
It makes sense to assign passwords that apply to a related set of activities: A single password should allow users to carry out all the operations involved in a UTM conversation or a transaction, for example.
You should also note that to execute JOIN operations, read authorization is required for the JOIN attributes of the relevant tables. Access is only possible via the passwords of the tables involved.
Access protection for the records in a table
Each record in a table is identified by a primary-key value.
The access authorization of a password can be assigned for the access modes read, update and delete.
Each access mode is exclusive. Nevertheless, all possible combinations of the different access modes are permitted.
The authorization provided by a password can apply to:
specific records or groups of records in a table
all the records in a table
all the records in a table with the exception of specific records or groups of records
If, in the “read/update” or “read and update” access modes, the password is to provide full access to all the table records to which it applies (i.e. to all the attributes of each record), it must be assigned global attribute authorization for these access modes. Delete authorization refers only to table records. It also applies in the case of attribute restrictions.
Examples
Record access authorization for the read access mode:
The table COMPANY contains the attributes PERSNO, PNAME, PFNAM, PSTR, PZIP, PCITY, PBTHDAT, PDEPT, PLANG and PSAL.
The PERSNO attribute has been defined as the primary key.
The password XX1 has read authorization for the table records with the primary-key values 013751 and 234781. The password XX1 also has global read authorization for all the table's attributes.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  | read | read | read  | read    | read  | read  | read |
018392   |       |       |      |      |       |         |       |       |      |
111111   |       |       |      |      |       |         |       |       |      |
234781   | read  | read  | read | read | read  | read    | read  | read  | read |
333333   |       |       |      |      |       |         |       |       |      |
.        |       |       |      |      |       |         |       |       |      |
673241   |       |       |      |      |       |         |       |       |      |
Table 43: Read authorization for the password XX1 (read/bold).
The password XX2 has read authorization for all the table records except those with the primary-key values 111111 and 333333. The password XX2 also has global read authorization for all the table's attributes.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  | read | read | read  | read    | read  | read  | read |
018392   | read  | read  | read | read | read  | read    | read  | read  | read |
111111   |       |       |      |      |       |         |       |       |      |
234781   | read  | read  | read | read | read  | read    | read  | read  | read |
333333   |       |       |      |      |       |         |       |       |      |
. nnnnnn | read  | read  | read | read | read  | read    | read  | read  | read |
673241   | read  | read  | read | read | read  | read    | read  | read  | read |
Table 44: Read authorization for the password XX2 (read/bold).
Access protection for attributes
The access authorization of a password can be restricted to the access modes read and update.
There is no hierarchical relationship between these two access modes; in other words, update authorization does not include read authorization, and vice versa. However, you can assign a password both types of authorization at the same time.
The authorization provided by a password can apply to:
specific attributes or ranges of attributes
all the attributes in the table
all the attributes in the table with the exception of selected attributes or ranges of attributes
The primary key has a special role in the assignment of attribute authorization. Since primary-key values identify table records, the primary key is not subject to access protection for attributes. To ensure that the attribute authorization of a password also applies to the primary key in a specific access mode, the password must also be assigned global record authorization for this access mode.
Examples
The access authorization for attributes in the read access mode:
The password XX3 has read authorization for the attributes PNAME, PFNAM, PZIP and PCITY and for all the table's records.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  |      | read | read  |         |       |       |      |
018392   | read  | read  |      | read | read  |         |       |       |      |
111111   | read  | read  |      | read | read  |         |       |       |      |
234781   | read  | read  |      | read | read  |         |       |       |      |
333333   | read  | read  |      | read | read  |         |       |       |      |
. nnnnnn | read  | read  |      | read | read  |         |       |       |      |
673241   | read  | read  |      | read | read  |         |       |       |      |
Table 45: Read authorization for the password XX3 (read/bold)
The password XX4 has read authorization for all attributes except PBTHDAT and PSAL. The password XX4 also has global read authorization for all the table's records.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  | read | read | read  |         | read  | read  |      |
018392   | read  | read  | read | read | read  |         | read  | read  |      |
111111   | read  | read  | read | read | read  |         | read  | read  |      |
234781   | read  | read  | read | read | read  |         | read  | read  |      |
333333   | read  | read  | read | read | read  |         | read  | read  |      |
. .      | read  | read  | read | read | read  |         | read  | read  |      |
673241   | read  | read  | read | read | read  |         | read  | read  |      |
Table 46: Read authorization for the password XX4 (read/bold)
Combined access protection for records and attributes of a table
You can use a single password to assign access authorization for both records and attributes. You can impose restrictions on record and attribute access that apply to the individual access modes independently of each other. Note, however, that restrictions on record and attribute access in the same access mode overlap: as the examples below show, a value is accessible only where both the record authorization and the attribute authorization cover it.
Examples
Combined access protection in the read access mode:
The password XX5 has read authorization for the attributes PNAME, PFNAM, PZIP and PCITY. The password XX5 also has read authorization for table records with the primary-key values 013751 and 234781.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  |      | read | read  |         |       |       |      |
018392   |       |       |      |      |       |         |       |       |      |
111111   |       |       |      |      |       |         |       |       |      |
234781   | read  | read  |      | read | read  |         |       |       |      |
333333   |       |       |      |      |       |         |       |       |      |
.        |       |       |      |      |       |         |       |       |      |
673241   |       |       |      |      |       |         |       |       |      |
Table 47: Read authorization for the password XX5 (read/bold)
The password XX6 has read authorization for all attributes in the table except for PBTHDAT and PSAL. The password XX6 also has read authorization for all the records in the table except for the records with the primary-key values 111111 and 333333.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  | read | read | read  |         | read  | read  |      |
018392   | read  | read  | read | read | read  |         | read  | read  |      |
111111   |       |       |      |      |       |         |       |       |      |
234781   | read  | read  | read | read | read  |         | read  | read  |      |
333333   |       |       |      |      |       |         |       |       |      |
. nnnnnn | read  | read  | read | read | read  |         | read  | read  |      |
673241   | read  | read  | read | read | read  |         | read  | read  |      |
Table 48: Read authorization for the password XX6 (read/bold)
The password XX7 has read authorization for the attributes PNAME, PFNAM, PZIP and PCITY. The password XX7 also has read authorization for all the table's records except the one with the primary-key value 111111.
PERSNO   | PNAME | PFNAM | PSTR | PZIP | PCITY | PBTHDAT | PDEPT | PLANG | PSAL |
013751   | read  | read  |      | read | read  |         |       |       |      |
018392   | read  | read  |      | read | read  |         |       |       |      |
111111   |       |       |      |      |       |         |       |       |      |
234781   | read  | read  |      | read | read  |         |       |       |      |
333333   | read  | read  |      | read | read  |         |       |       |      |
. .      | read  | read  |      | read | read  |         |       |       |      |
673241   | read  | read  |      | read | read  |         |       |       |      |
Table 49: Read authorization for the password XX7 (read/bold)
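The following Python model is an added illustration, not code from the product or from this manual: it evaluates the record and attribute scopes described above ("specific", "all", "all except") per access mode and reproduces the combined examples XX5, XX6 and XX7. The names Scope, Password, only, all_except, allows and readable are hypothetical, and the primary key PERSNO is left out because the page treats it separately from attribute protection.

```python
from dataclasses import dataclass, field

# Non-key attributes of COMPANY; the primary key PERSNO is not modelled here.
ATTRS = ["PNAME", "PFNAM", "PSTR", "PZIP", "PCITY",
         "PBTHDAT", "PDEPT", "PLANG", "PSAL"]

@dataclass(frozen=True)
class Scope:
    kind: str = "all"               # "all", "only" or "except"
    items: frozenset = frozenset()  # listed key values or attribute names

    def covers(self, item):
        if self.kind == "all":
            return True
        return (item in self.items) == (self.kind == "only")

def only(*items):
    return Scope("only", frozenset(items))

def all_except(*items):
    return Scope("except", frozenset(items))

@dataclass
class Password:
    # A mode missing from a dict is denied: update does not imply read.
    records: dict = field(default_factory=dict)     # read / update / delete
    attributes: dict = field(default_factory=dict)  # read / update

    def allows(self, mode, key, attr=None):
        rec = self.records.get(mode)
        if rec is None or not rec.covers(key):
            return False
        if mode == "delete":        # delete authorization is per record only
            return True
        att = self.attributes.get(mode)
        return att is not None and att.covers(attr)

    def readable(self, key):
        return [a for a in ATTRS if self.allows("read", key, a)]

# The three combined examples from the page (Tables 47 to 49).
NAME_ADDR = ("PNAME", "PFNAM", "PZIP", "PCITY")
XX5 = Password({"read": only("013751", "234781")}, {"read": only(*NAME_ADDR)})
XX6 = Password({"read": all_except("111111", "333333")},
               {"read": all_except("PBTHDAT", "PSAL")})
XX7 = Password({"read": all_except("111111")}, {"read": only(*NAME_ADDR)})

if __name__ == "__main__":
    for name, pw in (("XX5", XX5), ("XX6", XX6), ("XX7", XX7)):
        for key in ("013751", "111111", "333333"):
            print(name, key, pw.readable(key))
```

A model like this is useful when reviewing a password catalog: listing the readable attributes for every password and key value shows quickly whether a sensitive attribute such as PSAL is reachable through an "all except" scope that was never updated.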