UniAccess
WHITE PAPERS
LAST UPDATED: Dec. 28, 2004
Applied Information Sciences
UniAccess Security Options
There are various methods of utilizing security in the UniAccess for OS 2200 environment. This
document discusses both client-based security and server-based security.
Client-Based Security
  Operating System Security
  Application Security
  Open Client/ODBC Security
Server-Based Security
  Operating System - Unisys OS 2200 Security
  Local Security - Logon/Logoff Transactions
  UniAccess User Validation
  Application Security
  Database Security - RDMS 2200 Security
References
Client-Based Security
Operating System Security
The level of security provided by the operating system is dependent upon the
platform. Microsoft Windows 98, Windows Millennium Edition, Windows NT, Windows
2000, Windows XP, and Windows Server 2003 can be configured to provide various
levels of operating system security.
Windows NT, Windows 2000, Windows XP, Windows Server 2003, and follow-on
systems provide file security using the NTFS file system. Applications using the
UniAccess ODBC driver must be granted access to the executable code and to
the TEMP directory, which is used to store a temporary file used by the driver. A
given system may have multiple TEMP directories. The location of the TEMP
directory is specified via environment variables. Typical end user ODBC
applications (e.g., Microsoft Access) run in the user’s context and generally will
have access to the TEMP directory. Middle-tier applications (e.g., web based
applications using IIS) generally run in the context of the IIS service and generally
will not have access to the SYSTEM TEMP directory by default.
Applications using the UniAccess ODBC driver will require access to the following
directories.
Folder                                                     Required Permission   Comments
Directory pointed to by system variable "Temp"             Read/Write/Delete     Location used by the UniAccess driver to generate its config file.
C:\Program Files\Applied Information Sciences\UA9R2\dll\   Read/Execute          UniAccess driver DLLs loaded by the web application.
In addition, ODBC applications using a DSN must also have access to the DSN.
All users of a system will have access to SYSTEM DSNs. The owner of a USER
DSN will be the only user granted permission to use that DSN. Access to file
DSNs is controlled by access to the underlying file.
When distributed transactions are initiated using the UADTC service, the UADTC service
must be configured to run under a valid logon account.
Note:
The installation of the UniAccess ODBC driver does not change the
security of the TEMP directory nor allow access to the UniAccess
ODBC driver executable code by anyone other than the installer and
administrators. If access to these files is required, the security of the
directories should be modified.
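Because the middle-tier case above (an application running as the IIS service identity) fails only at runtime when the driver cannot write its config file, it is worth checking the two folders from the table before deploying. The following PowerShell script is an added example and is not part of the UniAccess documentation or product: it reads the ACLs of the machine-wide TEMP directory and of the driver DLL directory and reports whether a given identity has been granted the rights the table requires. The account name (an IIS application pool identity) is an assumption you replace with the identity your application actually runs under; the DLL path is the one given in the table.

```powershell
# Added example (not UniAccess code): verify that an identity holds the folder
# rights the UniAccess ODBC driver needs. Defaults are assumptions; override them.
param(
    [string]$Account = 'IIS APPPOOL\DefaultAppPool',   # assumed middle-tier identity
    [string]$DllDir  = 'C:\Program Files\Applied Information Sciences\UA9R2\dll\'
)

function Test-FolderRights {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Needed
    )

    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Identity = $Identity; Needed = $Needed
            Granted = 'folder missing'; Ok = $false
        }
    }

    $acl   = Get-Acl -LiteralPath $Path
    $allow = 0
    $deny  = 0
    foreach ($ace in $acl.Access) {
        # Only ACEs naming the identity directly are considered; rights inherited
        # through group membership are not expanded here (a deliberate limit).
        if ($ace.IdentityReference.Value -ieq $Identity) {
            if ($ace.AccessControlType -eq 'Allow') {
                $allow = $allow -bor [int]$ace.FileSystemRights
            } else {
                $deny  = $deny  -bor [int]$ace.FileSystemRights
            }
        }
    }

    # Deny entries win over Allow entries, as Windows evaluates them.
    $effective = $allow -band (-bnot $deny)
    $ok = (($effective -band [int]$Needed) -eq [int]$Needed)

    [pscustomobject]@{
        Path     = $Path
        Identity = $Identity
        Needed   = $Needed
        Granted  = [System.Security.AccessControl.FileSystemRights]$effective
        Ok       = $ok
    }
}

# A service-hosted application resolves TEMP from the machine environment, which
# is the "system TEMP" the paper says IIS applications usually cannot write to.
$rawTemp    = [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
$systemTemp = if ($rawTemp) { [Environment]::ExpandEnvironmentVariables($rawTemp) } else { $null }

$rwd = [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'
$rx  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'

@(
    Test-FolderRights -Path $systemTemp -Identity $Account -Needed $rwd
    Test-FolderRights -Path $DllDir     -Identity $Account -Needed $rx
) | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the web server, passing `-Account` for the identity of the application pool or service that loads the driver. A row with `Ok = False` on the TEMP directory explains the failure mode the paper describes; fixing it means granting that identity Read/Write/Delete on the folder (or pointing the service's own TEMP variable at a folder it owns) rather than loosening the directory for everyone. The script intentionally matches ACEs by identity only, so a right that arrives through a group (for example, Users) shows up as missing; that is the conservative reading a reviewer wants when deciding which explicit grant to add.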
Application Security
The level of security provided by the application is unique to each application’s
implementation. A number of ODBC, ODBC.Net, OLE DB, ADO, and ADO.Net
applications include application-level security and user control. Some of the common
restrictions implemented at this level are:
- Restrict a user to a subset of functionality
- Limit the tables, views, or columns that can be viewed
- Limit the volume of data that is returned
- Limit the time allowed to process a request.
Open Client/ODBC Security
Both the Open Client interface and the ODBC interface provide for user identification via
user ID and password. The user ID and password are forwarded for authentication.
Server-Based Security
Operating System - Unisys OS 2200 Security
TIP Session Control is a configurable option of OS 2200. If TIP Session Control is
configured:
1. The UniAccess Communications Server (UACS) will open a TIP session with
the operating system as part of establishing the client connection. UACS passes the
user ID and password directly to the operating system for validation. If the
operating system rejects the request to open a TIP session, the client connection
will be rejected.
2. All of the Unisys OS 2200 and RDMS 2200 security features can be utilized. UniAccess does
not impose any special constraints upon the security environment.
3. The security officer establishes a security record for each end user of the transaction
system. A user security record specifies a set of attributes that determines how each end
user can use the transaction system.
TIP Session Control can be used with or without any of the other security interfaces.
Local Security - Logon/Logoff Transactions
UniAccess provides an optional Security API. The Security API can be used to interface to
local, or third party security packages. The UniAccess Security API calls a specified logon
transaction when a client application connects to the server. UACS passes the user ID, the
password, and the PID used for the session to the logon transaction. The Security API can also be
configured to call a logoff transaction when the client disconnects.
The UniAccess Security API has provisions to allow the local security application to:
- accept a logon request
- deny a logon request
- indicate that the password has expired
- deny an individual transaction request
- indicate that the session has timed out.
If both TIP Session Control and the Security API are in use, the TIP session will be
established before the logon transaction is called.
The Security API can be used with or without any of the other security interfaces.
UniAccess User Validation
UniAccess provides configuration options for UACS to validate the user ID.
The security related items that can be configured on a user-by-user basis with UACS user
validation are:
- Validate that the user ID passed on the client connect request is configured in the
  UniAccess Configuration File.
- Allow or restrict the ability to update the database via UARS.
- Allow or restrict the ability to change their default database via UARS or UAHS.
- Control the communications server used by a UniAccess Transaction Client.
- Limit the number of rows returned by UARS.
- Allow or restrict user defined transactions (i.e., BEGIN TRAN).
UniAccess User Validations can be used with or without any of the other security interfaces.
Application Security
The UniAccess Server Library provides customer-written applications with the user ID and
password. These may be used within the application to provide application-specific security.
Database Security - RDMS 2200 Security
RDMS 2200 security is always used by UARS. RDMS security is not in effect for user-written
transactions when TIP Session Control is not configured.
Some of the features of RDMS are:
- Access is controlled based on user ID. If TIP Session Control is active, the user ID
  has been validated by the operating system.
- Access control for tables in both owned schemas and unowned schemas is
  available.
- Access control can be configured at a view level. This means that the user can access
  the data visible within the view, but cannot access the underlying table or tables directly.
  For example, in an employee table you can configure security to allow a manager full
  access to all employees in their department but restrict access to all other employees.
- Access is controlled using SQL commands (GRANT and REVOKE).
References
For further information, refer to the following manuals:
UniAccess System Administration Guide
Unisys Security User Guide
Unisys RDMS Administration Guide
DISCLAIMER
Permission to use this document is granted, provided that (1) this permission, as well as the disclaimer and copyright notice that
follow appear in all copies, (2) use of this document is for informational and non-commercial or personal use only, and (3) the
document is not modified in any way.
APPLIED INFORMATION SCIENCES, INC. AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS
ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THIS DOCUMENT FOR ANY PURPOSE. THIS
DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. APPLIED INFORMATION SCIENCES,
INC. AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH
REGARD TO THIS INFORMATION, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL APPLIED
INFORMATION SCIENCES, INC. AND/OR THEIR RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE IN THIS DOCUMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE
PERIODICALLY ADDED TO THE INFORMATION HEREIN. APPLIED INFORMATION SCIENCES, INC. AND/ OR
THEIR RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR
THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.
IN NO EVENT SHALL APPLIED INFORMATION SCIENCES, INC AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE
FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF SOFTWARE, DOCUMENTS,
PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR INFORMATION AVAILABLE FROM THIS SERVER.
COPYRIGHT NOTICE. Copyright 2004 Applied Information Sciences, Inc., 1850 Centennial Park Drive, Reston, Virginia,
20191 U.S.A. All rights reserved.
TRADEMARKS. Product and company names mentioned herein may be the trademarks of their respective owners.
Any rights not expressly granted herein are reserved.