HELP: Access rights assigned with this user and key [ALL MEMBER='*' FORMAT='*' COLUMN='*' NOTMTD=ZERO] TYPE: OBJECT SYNTAX: RIGHTS(ALL,READ,APPEND/INSERT,UPDATE,DELDAT/DELETE/DELREC,DELMBR,DELVSN,DELKEY,DELARC,MEMBER['str'...],FORMAT['str'...],COLUMN['str'...],MBRNOT['str'...],FMTNOT['str'...],CLMNOT['str'...],NOTMTD=ZERO/MASK/RAND/IBAN)
This object can be used to link access rights to the respective keyset for the user. The basic cryptographic rights are defined by separate keys for access to the data, the member index and the directory. You can also specify here, by setting the corresponding switch, whether this keyset can only be used for reading or also for adding (insert or sequential), changing or deleting records. You can also use positive or negative lists of wildcard patterns to define which members, which formats and which columns can be accessed. If access to certain columns is not possible with this keyset, the data is handled as follows depending on the type: for a binary or string, the length 0 (empty blob or string) is simply returned, and all numbers are assigned a value of 0. If this behavior (ZERO) is not sufficient, the method for the default handling of all columns can be adapted. If you select a method here that manipulates the data (MASK, RAND, IBAN), the matrix can no longer be written back; these methods can therefore only be used when reading. Formats or members that are not accessible are rejected with an error or simply don't match in the directory walk.
The additional restriction of rights applied when a keyset is encrypted takes effect only, and always, when this keyset is decrypted to use the clear key values. This object is primarily intended for re-keying and thus for the subsequent granting of rights. If you are writing the data for the first time, you should not place any additional restrictions here as the owner of the data. This feature is primarily intended for secure third-party utilization of the data in the archive. See the following example:
1. Write the data to the archive as data owner
ARCHIVE.COMP( READ.TEXT( FILE='*.txt' SUPTWS CHRMODE=SUBSTITUTE TABLE='ssh://user@mycompany.de/flam/formats/goehte_xml.txt/&UTF-8' ) TO.NEW( STORE.FOLDER( PATH='ssh://user@mycompany.de/flam/archive/myarchive' OVERWRITE ) FLAM( MBRMODE=APPEND RECMODE=SEQUENTIAL ENCRYPT.PGP( DATA(ID['myself','mydepartment','mycompany']) # DATA(ID='analyzer' RIGHTS( READ MEMBER='*' FORMAT='*' CLMNOT='NAME' CLMNOT='PIN' ) ) # MEMBER(ID='carrier') SIGNID='myself' ) ) ) )
In the example, third-party utilization via the analyzer was already provided for in the comment; this can be done with PGP, but not with simple password protection. In the following, however, we finish the example with a downstream assignment of rights for the analyzer, which is also supported with passphrases.
2. Grant access to the data for third-party utilization with copy
ARCHIVE.COPY( FROM( STORE.FOLDER( PATH='ssh://user@mycompany.de/flam/archive/myarchive' ) FLAM( DECRYPT.PGP( USERID='myself' ) MEMBER='*' ) ) TO.DUPLICATE( STORE.FILE( NAME='ssh://whatson@ibm.com/analyze/mycompany.fl5' ) ENCRYPT.PGP( DATA(ID='analyzer' RIGHTS( READ MEMBER='*' FORMAT='*' CLMNOT='NAME' CLMNOT='PIN' ) ) SIGNID='myself' ) ) )
In this case, a duplicate of the archive is created with restricted rights for the analysis, in which the columns with the name (no personal data) and the PIN (sensitive data) are not accessible.
In the case above, the compressed and encrypted data is duplicated. Alternatively, you could go via the clear data (COPY(... TO.NEW(...))) and mask the sensitive areas. This costs a lot of CPU, but yields a verifiably secure solution.
If you do not work with copy to duplicate but perform the analogous re-keying instead, you have full access via version 0 and limited access (for the analyzer) via version 1.
3. Grant access to the data for third-party utilization with re-keying
ARCHIVE.REKEY( STORE.FOLDER( PATH='ssh://user@mycompany.de/flam/archive/myarchive' ) IMPORT.PGP( USERID='myself' ) EXPORT.PGP( DATA(ID='analyzer' RIGHTS( READ MEMBER='*' FORMAT='*' CLMNOT='NAME' CLMNOT='PIN' ) ) SIGNID='myself' ) )
The advantage here is that the compressed and encrypted data does not have to be copied.
In this case, the data owner's access to all data is somewhat more complex, because it has to address the previous version and not the version for the analyzer.
4. Read the entire archive after re-keying as data owner.
ARCHIVE.DECO( FROM( STORE.FOLDER( PATH='ssh://user@mycompany.de/flam/archive/myarchive(-1)' ) FLAM( DECRYPT.PGP( USERID='myself' ) MEMBER='*' ) ) WRITE.TEXT( TABLE( FORMAT=CSV ) ) )
5. Read the archive as analyst with restricted access to the columns
ARCHIVE.DECO( FROM( STORE.FOLDER( PATH='ssh://user@mycompany.de/flam/archive/myarchive(0)' ) FLAM( DECRYPT.PGP( USERID='analyzer' ) MEMBER='*' ) ) WRITE.TEXT( TABLE( FORMAT=CSV ) ) )
In this case, the columns for the name and the PIN would be filled with empty strings. Only for strings can you choose further handling options via the method parameter (NOTMTD). If the default (empty string, ZERO) is not used, the length information is retained during access and only the characters are overwritten, either with random values (RAND) or with the masking character (MASK). With the IBAN method, all characters except the first 3 and the last 3 are masked with an asterisk.
If a user's rights have been limited, he or she cannot re-key, i.e. assign further rights. So if you define an empty rights object, the default rights are assigned, which do not differ from the normal rights except that the person can only read and is not allowed to do any re-keying. With RIGHTS(ALL) everything would work and only re-keying would no longer be possible.
ARCHIVE.COMP( READ.TEXT( FILE='*.txt' SUPTWS CHRMODE=SUBSTITUTE TABLE='ssh://user@mycompany.de/flam/formats/goehte_xml.txt/&UTF-8' ) TO.NEW( STORE.FOLDER( PATH='ssh://user@mycompany.de/flam/archive/myarchive' OVERWRITE ) FLAM( MBRMODE=APPEND RECMODE=SEQUENTIAL ENCRYPT.PGP( DATA(ID['myself']) DATA(ID['mydepartment','mycompany'] RIGHTS(#READ MEMBER='*' FORMAT='*' COLUMN='*'#)) DATA(ID='analyzer' RIGHTS( READ MEMBER='*' FORMAT='*' CLMNOT='NAME' CLMNOT='PIN' ) ) # MEMBER(ID='carrier') SIGNID='myself' ) ) ) )
The example above corresponds to our first example, but here the department and the company do not have the right to assign further rights. The default of the rights object is shown as a comment inside the RIGHTS object.
SWITCH: ALL - Allow read, append, update and delete for this user
SWITCH: READ - Allow read of data from archive for this user
SWITCH: APPEND/INSERT - Allow append (insert) of data to the archive for this user
SWITCH: UPDATE - Allow update of data for the user in the archive
SWITCH: DELDAT/DELETE/DELREC - Allow delete of data for the user in the archive
SWITCH: DELMBR - Allow delete of member from archive
SWITCH: DELVSN - Allow delete of versions from archive
SWITCH: DELKEY - Allow delete of encrypted keysets from archive
SWITCH: DELARC - Allow delete of archives
STRING: MEMBER['str'...] - Patterns for the members that can be accessed by this user
STRING: FORMAT['str'...] - Patterns for the formats (row specification names) that can be accessed by this user
STRING: COLUMN['str'...] - Patterns for the columns that can be accessed by this user
STRING: MBRNOT['str'...] - Patterns for the members that cannot be accessed by this user
STRING: FMTNOT['str'...] - Patterns for the formats (row specification names) that cannot be accessed by this user
STRING: CLMNOT['str'...] - Patterns for the columns that cannot be accessed by this user
NUMBER: NOTMTD=ZERO/MASK/RAND/IBAN - Select the default method used if access to a column is not allowed [ZERO]
ZERO - Return length or value of 0 for columns without access
MASK - Return string filled with '*' to mask each letter for columns without access
RAND - Fill up the string with random letters for columns without access
IBAN - Mask (*) any letter except the first and last 3 values for columns without access
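The following Python model, added here as an illustration and not part of FLAM or this help text, shows how the positive/negative column patterns (COLUMN, CLMNOT) and the NOTMTD methods described above combine when a row is read with a restricted keyset. The class and function names (Rights, column_allowed, apply_notmtd, read_row) are assumptions for the example, and the behaviour of IBAN on values of 6 characters or fewer (left unchanged) is an assumed edge case.

```python
import fnmatch
import secrets

# Constructed illustration of the RIGHTS column handling described on this page;
# the class and function names below are assumptions, not FLAM's own API.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class Rights:
    """Positive (COLUMN) and negative (CLMNOT) wildcard lists plus the NOTMTD method."""

    def __init__(self, column=("*",), clmnot=(), notmtd="ZERO"):
        self.column = tuple(column)
        self.clmnot = tuple(clmnot)
        self.notmtd = notmtd

    def writable(self):
        # MASK, RAND and IBAN alter the data, so such a matrix must not be written back.
        return self.notmtd == "ZERO"


def column_allowed(rights, name):
    """Accessible only if some COLUMN pattern matches and no CLMNOT pattern matches."""
    if not any(fnmatch.fnmatchcase(name, p) for p in rights.column):
        return False
    return not any(fnmatch.fnmatchcase(name, p) for p in rights.clmnot)


def apply_notmtd(value, method):
    """Substitute value for a column this keyset may not access."""
    if isinstance(value, (int, float)):
        return 0                      # numbers are always returned as 0
    if isinstance(value, bytes):
        return b""                    # binary data: empty blob
    if method == "ZERO":
        return ""                     # default: empty string, length is lost
    if method == "MASK":
        return "*" * len(value)       # length kept, every character masked
    if method == "RAND":
        return "".join(secrets.choice(ALPHABET) for _ in value)
    if method == "IBAN":              # keep first 3 and last 3, mask the rest
        n = len(value)                # assumed: 6 characters or fewer stay unchanged
        return "".join("*" if 3 <= i < n - 3 else c for i, c in enumerate(value))
    raise ValueError("unknown NOTMTD method: " + method)


def read_row(rights, row):
    """Return the row (a dict of column name -> value) as seen under these rights."""
    return {name: (value if column_allowed(rights, name)
                   else apply_notmtd(value, rights.notmtd))
            for name, value in row.items()}
```

Running read_row with CLMNOT=['NAME','PIN'] over a constructed row reproduces the page's step 5: name and PIN come back as empty strings under ZERO, and as length-preserving masks under MASK, RAND or IBAN.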