File Security

On a database management system, most security issues revolve around protecting valuable data from unauthorized use or modification. In this section we look at the various ways that the mvBase system allows application developers to protect the data stored on the system through progressive levels of file security.

First level

Prevents unauthorized users from gaining access to an account. The logon process requires users to specify an account name and, usually, a password. The use of secure passwords is the best way to limit access by users and therefore restrict file access. The account name and password are specified in an Account Definition item in the SYSTEM Dictionary.

Second level

Restricts user access to TCL, which prevents users from issuing the commands that access files. A Logon Proc in the user's account makes it possible to invoke an application program upon successful logon. Also, if Attribute 9 of the user's Account Definition item specifies a T, then the user is denied access to TCL whenever an application would normally return control to TCL. This is contingent upon the existence of a Proc named account-name@TCL in the Master Dictionary or one named @TCL in the ERRMSG file.

Third level

Establishes four system privilege levels, from zero to three, with SYS3 being free from restrictions.

  • SYS0 permits users to access files in an account but not to create or delete them. SYS0 users cannot modify the Master Dictionary.

  • SYS1 and SYS2 permit updating of files, but SYS1 users cannot access the system debugger.

  • SYS3 is the top privilege level, typically used by the administrator, and overrides any other form of protection such as retrieval and update codes (as explained below). SYSPROG gives SYS3 privileges automatically; it is recommended that access to the SYSPROG account be given sparingly.

Fourth level

Segregates files properly in accounts. The D-pointers in an account should be limited to only those files needed by the users of the account. The ability to create Q-pointers should be disabled in accounts where it is necessary to restrict access to files outside the account. The removal of the Editor commands and the SET-FILE command from the account will ensure that users cannot create Q-pointers to access remote files. For instance, an application developer might determine that files in the PERSONNEL account or PAYROLL account should not be available to users of the general STAFF account.

Fifth level

Accomplished by retrieval and update codes, which can be specified in File Definition items. These codes can restrict file access among users of the same account, and can also restrict access to files that are shared by many accounts.

Retrieval and Update Codes

Retrieval and update codes amount to setting up permissions on reading the contents of a file and modifying the file. The retrieval and update codes themselves must be established and used consistently on each system. The codes can be any string of ASCII characters. Retrieval codes are placed in Attribute 5 and update codes are placed in Attribute 6 of the following items:

Multiple codes separated by value marks can be specified for an Account Definition item. Retrieval and update codes can be specified in the Account Definition item during the CREATE-ACCOUNT procedure. If no code is specified, no retrieval or update checking is performed. They can also be added or modified for any item using the Editor. It is recommended that you modify the retrieval and update codes only when no one else is logged on to the system.

Placing a code in a file dictionary pointer protects the data file but not the dictionary itself. If a code is placed in the Master Dictionary, access to both the dictionary and the data file is restricted. Retrieval and update permissions are determined by comparing the code specified in the user’s Account Definition item to the code in the File Definition item of the file being accessed. For a match to occur, the code specified in the File Definition item must be identical to the initial substring of any value specified in the code of the Account Definition item. For instance, a File Definition item with a code of 12 would match an Account Definition item with a code of 123.

To access a file in the account, the retrieval code for the file must match at least one value of the retrieval code in the user's Account Definition item. To update a file, the retrieval codes must match first, and then the update code of the file must match at least one value of the update code in the Account Definition item.

If a file is in a different account, retrieval and update codes specified in the remote account’s Account Definition item are compared to the codes specified in the user’s Account Definition item. For a match to occur, the first value of the code for the remote account must match any value specified for the user’s account.

The following processors update files and thus require a match for both the retrieval code and the update code:

If the codes do not match, the processor will not continue, and it displays a message stating that the file is access protected. mvBASIC requires a match of both the retrieval and update codes to open a file.

A fairly simple four-tiered scheme could be established using the string 1234. Each user could be classified as either 1 (the lowest permission level), 12, 123, or 1234 (the highest permission level). All files would be classified using the same set of codes. Thus, a file containing a retrieval code of 123 could be read only by users who have a retrieval code of 123 or 1234.

Similarly, a user with any of the four codes could access a file with a code of 1. More examples are shown below.

File Dictionary Code    User Identification Code    Result
123                     123                         Match
12                      123                         Match
123                     12                          No Match
XYZ                     XYZ5                        Match
AQ2                     AO                          No Match
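The prefix-matching rule described above, modelled as an added example (this is not mvBase code; the item layout keyed by attribute number, the sample account and file items, and the handling of an empty file code are assumptions for illustration):

```python
# Added example, not mvBase code: a model of the retrieval/update code check
# described above. A file's code matches when it is identical to an initial
# substring (a prefix) of ANY value in the account's multivalued code.
VM = "\xfd"  # Pick value mark (ASCII 253) separating multiple values in an attribute

# Constructed sample items, keyed by attribute number (5 = retrieval, 6 = update)
PAYROLL_FILE = {5: "123", 6: "1234"}
CLERK_ACCOUNT = {5: "12" + VM + "XYZ5", 6: "12"}      # two retrieval values
MANAGER_ACCOUNT = {5: "1234", 6: "1234"}

def code_matches(file_code: str, account_code: str) -> bool:
    """True when file_code is a prefix of at least one value of account_code.
    Assumption: a file with no code is unprotected, so checking is skipped."""
    if file_code == "":
        return True
    return any(value.startswith(file_code) for value in account_code.split(VM))

def can_retrieve(file_def: dict, account_def: dict, sys_level: int = 0) -> bool:
    """Retrieval is allowed on a retrieval-code match; SYS3 overrides the codes."""
    if sys_level == 3:
        return True
    return code_matches(file_def.get(5, ""), account_def.get(5, ""))

def can_update(file_def: dict, account_def: dict, sys_level: int = 0) -> bool:
    """Update needs the retrieval codes to match first, then the update codes."""
    if sys_level == 3:
        return True
    return (can_retrieve(file_def, account_def)
            and code_matches(file_def.get(6, ""), account_def.get(6, "")))

def check_table() -> list:
    """Re-evaluates the example rows from the table above."""
    rows = [("123", "123"), ("12", "123"), ("123", "12"),
            ("XYZ", "XYZ5"), ("AQ2", "AO")]
    return [(f, u, "Match" if code_matches(f, u) else "No Match") for f, u in rows]

if __name__ == "__main__":
    for file_code, user_code, result in check_table():
        print(f"{file_code:<6}{user_code:<6}{result}")
    print("clerk can read PAYROLL:", can_retrieve(PAYROLL_FILE, CLERK_ACCOUNT))      # False
    print("manager can update PAYROLL:", can_update(PAYROLL_FILE, MANAGER_ACCOUNT))  # True
```

Note that the clerk's second value XYZ5 does not help with a file coded 123: each value is tested independently, so granting access to an extra file means adding a value whose prefix is that file's code.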

See Also

Managing Files

Overview of File Management Commands

File Synonyms

File Maintenance

Backup and Restoration