SAS/ACCESS Interface to IMS-DL/I Software

Ensuring Data Security

This section describes how to prevent unauthorized access to the data in your IMS-DL/I databases.

IMS-DL/I Security

The SAS System preserves the data security that is provided by IMS-DL/I and the operating system. The Database Administrator (DBA) has control over who has access to an IMS-DL/I database. A user cannot use IMS-DL/I facilities through the ACCESS procedure or the SAS/ACCESS interface view engine unless the PSB specified provides that user with the appropriate IMS-DL/I authority. The PSB determines if a user can access an IMS-DL/I database and, if so, the kind of access the user has to the database (Get, Insert, Replace, Delete, or All).

In addition to controlling access to an IMS-DL/I database, the PSB can also control access to specific segments and fields in the database. To control access to a specific database, the DBA can create several view descriptors that describe the same data in the database, and assign each view descriptor a different PSB. Each PSB should define a different type of access to the database. For example, one PSB would allow a user to insert data in the database and another PSB would allow a user only to read the data in that same database. This enables the DBA to provide each user with a PSB that defines the type of database access the DBA wants to allow that user. Each segment in a view descriptor must be specified in the PSB referenced in the view.

SAS System Security

To secure data from accidental update or deletion, you can do the following on the SAS System side of the interface:

Set up all SAS/ACCESS access descriptors yourself, dropping items that contain sensitive data so they cannot be referenced in view descriptors. Give users either read-only or no access to the SAS data library where you store the access descriptors. Read-only access prevents users from editing access descriptors and allows them to see only the items selected for each view descriptor.
Set the IMSDLUPD= or IMSBPUPD= SAS system options to N to disable all updates from the SAS System for a particular region type.
Assign SAS system passwords (READ, WRITE, ALTER, or PW) to a view descriptor, access descriptor, PROC SQL view, DATA step view, or data file.
Using passwords adds an extra measure of security if you use view descriptors that include sensitive or confidential data in a shared environment (that is, where SAS/SHARE software is in use). For more information on assigning passwords, see SAS System Passwords for SAS/ACCESS Descriptors.

Chapter Contents
Previous
Next
Top of Page