File access definition
By running an archive request that references a file access definition (FAD), you can control access to data in one or more generated archive files. The archived data is protected according to the settings in the FAD, which can be changed as the security requirements for your site change. When settings in the FAD are changed, the changes apply to previously archived data as well as to data archived in the future.
A file access definition can control access to data in specified tables and columns, or to tables and columns for which access is not granted explicitly. You define access permissions by creating an access list for a table, column, or the default. All users are allowed unlimited access to archived data to which an access list does not apply. If the FAD includes specifications for tables and columns that do not exist in an associated archive file, the security of the file is not affected.
Only roles in the access control domain (ACD) used as the basis for the FAD can be assigned explicit permissions. Any user accounts for which explicit permissions do not apply are allowed or denied access according to a default setting for the FAD.
For example, you can grant access to roles in the ACD explicitly and use the default setting to deny access to all other users. For a detailed file access definition example, see File Access Definition Example.
Permissions needed to create an FAD
To create an FAD, a user account must be a member of a role allowed the Create File Access Definition privilege in the (Default) ACD. If functional security is not enabled, a user account must be a member of a role with update access to the ACL for the (Default) ACD.
Using secured archive files
You can limit the ability of roles to process or view archived data at the level of table or column. For a restore process, members of a role can insert or update from a table and column in a secured archive file, if permitted. If the account is not permitted to access a column that affects the referential integrity of the data, e.g., a primary key, an error message is displayed in the process report.
For a delete process, only an account that is permitted access to data in a table and column in a secured archive file can delete database data from that table and column. If an account is not permitted to access a column that affects the referential integrity of the data, e.g., a primary key, an error message is displayed in the process report.
For a browse session, an account must be permitted access to data in a table and column in a secured archive file in order to browse the data.
Accounts that are denied access to data in all tables or columns in a secured archive file cannot use the file in any archive process or browse session. A message indicates that the file cannot be opened. If an archive file is associated with an FAD that does not exist, the file cannot be used to define or run a process.
Registering secured archive files
A secured archive file must have an accompanying security file in order to be registered. Using the archive maintenance facility, you can export the security information for an archive file into a security file. The security file protects the archive file by requiring a password to register the archive file. During registration, the secured archive file is associated with a new or existing FAD in the target Optim™ directory.
Use the File Access Definition Editor to create and maintain FADs. You can open the ACL for an FAD from this dialog or from the File Access Definitions dialog.