Data Definition Language (DDL) Subsystem


The Data Definition Language (DDL) enables users to define data objects in Enscribe files and to translate these object definitions into source code definitions for programming languages and other products on HP subsystems.

DDL performs two main functions:

Compiling statements that define data objects

Translating compiled definitions into source code for host languages and FUP

Using DDL Definitions

DDL Statements are used to define, modify, delete or display definitions in the DDL Dictionary and to generate data definition output files for other subsystems and compilers.

| DDL Functions | Description |
|---|---|
| Create a data dictionary | DDL schemas are stored in one or many DDL Dictionaries. |
| Create a Schema | Using DDL commands, record schema definitions are created and stored into the dictionary. |
| Generate Schema Definition | Output a record schema as FUP commands. |
| Create a database | The output FUP commands are used to create the database files. |
| Generate source code | Output source code data definitions that are used directly by the programming languages. |
| Create messages | Define interprocess messages and store them in the dictionary. Like record definitions, these schemas can be output to source code format. |
| Maintain a dictionary | Dictionary maintenance functions |
| Examine a dictionary | Dictionary reports |

Enscribe DBMS

The Guardian file system supports Enscribe data files in one of five formats: four structured and one unstructured.

| File type | Description |
|---|---|
| Key-Sequenced | The Enscribe software uses index blocks to locate primary keys, which are stored in the record. Alternate index files are also key-sequenced. Key-sequenced files are accessible for random and sequential access. |
| Queue | The Enscribe software uses index blocks to locate primary keys, which are stored in the record. An Enscribe queue file is a special type of key-sequenced file where processes can queue and dequeue records. |
| Entry-Sequenced | The Enscribe software uses record addresses to find the physical location of a record in a file. Entry-sequenced files are used for sequentially oriented data, such as date-oriented log files. |
| Relative | The Enscribe software uses the record number to calculate the physical location of a record in a file. Relative files are primarily used for positionally oriented data, where the relative record number is unique. |
| Unstructured | The blocks of data must be programmatically managed. No record structure is available. |

Enscribe files are used extensively on HP systems as the basic relational, structured DBMS files. Some of the subsystems that rely upon DDL definitions are:

ENABLE

ENFORM

Programming languages

AP-ADVICE-DDL-01 Generally, users should be prevented from creating new DDL schemas on secure systems. Secure system applications will contain a pre-created data dictionary that must be secured at the same level as the secure data files.

RISK DDL poses no direct security risk as long as the data files and application files are secured properly, such that the output of DDL and the dictionary schemas cannot be used to gain unauthorized access to the secure data.

Enscribe Application Dictionaries

AP-ADVICE-DDL-02 DDL Dictionaries should be secured to the appropriate group.

AP-ADVICE-DDL-03 DDL Dictionaries should be owned by the appropriate application manager.

AP-ADVICE-DDL-04 DDL Dictionaries can reside anywhere on the system.

Securing DDL Components

BP-FILE-DDL-01 DDL should be secured "UUNU".

BP-OPSYS-OWNER-02 DDL should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DDL must reside in $SYSTEM.SYSTEM.

BP-FILE-DDL-02 DDQUERYS should be secured "NUNU".

BP-OPSYS-OWNER-02 DDQUERYS should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DDQUERYS must reside in $SYSTEM.SYSTEM.

BP-FILE-DDL-03 DDSCHEMA should be secured "NUNU".

BP-OPSYS-OWNER-02 DDSCHEMA should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DDSCHEMA must reside in $SYSTEM.SYSTEM.

If available, use Safeguard software or a third party object security product to grant access to DDL object files only to users who require access in order to perform their jobs.

BP-SAFE-DDL-01 Add a Safeguard Protection Record to grant appropriate access to the DDL object file.

| Reference | Discovery Questions | Look here: |
|---|---|---|
| OPSYS-OWNER-02 | Who owns the DDL object file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the DDQUERYS file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the DDSCHEMA file? | Fileinfo |
| FILE-POLICY | Who is allowed to execute DDL on the system? | Policy |
| FILE-DDL-01, SAFE-DDL-01 | Is the DDL object file correctly secured with the Guardian or Safeguard system? | Fileinfo, Safecom |
| FILE-DDL-02 | Is the DDQUERYS file secured correctly? | Fileinfo |
| FILE-DDL-03 | Is the DDSCHEMA file secured correctly? | Fileinfo |
| FILE-DDL-04 | Are the DDL Dictionaries on the system correctly secured to the application? | Fileinfo |
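
The Fileinfo checks in the discovery questions above can be scripted. The following Python script is an added example, not code from the book: it parses a FILEINFO-style listing and reports deviations from BP-FILE-DDL-01 through -03, BP-OPSYS-OWNER-02 and BP-OPSYS-FILELOC-02. The listing is constructed and its column layout is an assumption, SUPER.SUPER is taken to be user ID 255,255, and Safeguard protection records are not examined.

```python
import re

# Expected Guardian security string (RWEP) per file, from BP-FILE-DDL-01..03.
EXPECTED_RWEP = {"DDL": "UUNU", "DDQUERYS": "NUNU", "DDSCHEMA": "NUNU"}
EXPECTED_OWNER = "255,255"         # numeric user ID of SUPER.SUPER (BP-OPSYS-OWNER-02)
EXPECTED_SUBVOL = "$SYSTEM.SYSTEM"  # BP-OPSYS-FILELOC-02

# Constructed FILEINFO-style listing; simplified, assumed layout, not real output.
SAMPLE = """\
$SYSTEM.SYSTEM

                CODE        EOF   LAST MODIFIED    OWNER   RWEP
DDL              100     503808   14MAR2003 11:07  255,255 UUNU
DDQUERYS         101      12288   14MAR2003 11:07  255,255 NUNU
DDSCHEMA         101      45056   02JUN2003 09:41  100,5   NUNN

$DATA1.TOOLS

                CODE        EOF   LAST MODIFIED    OWNER   RWEP
DDL              100     503808   20AUG2003 16:30  255,255 UUNU
"""

# File name in column 1, then the first "group,user" token and the 4-letter RWEP after it.
ROW = re.compile(r"^(\S+)\s.*?\s(\d{1,3},\d{1,3})\s+(\S{4})\b")

def audit(listing):
    """Return (subvol, file, finding) tuples for every deviation found."""
    findings, subvol = [], None
    for line in listing.splitlines():
        if line.startswith("$"):          # subvolume header line
            subvol = line.strip().upper()
            continue
        m = ROW.match(line)
        if not m or m.group(1).upper() not in EXPECTED_RWEP:
            continue                      # column header, blank line or unrelated file
        name, owner, rwep = m.group(1).upper(), m.group(2), m.group(3).upper()
        if subvol != EXPECTED_SUBVOL:     # extra copy: flag for review, skip other checks
            findings.append((subvol, name, "copy outside " + EXPECTED_SUBVOL))
            continue
        if owner != EXPECTED_OWNER:
            findings.append((subvol, name, "owner %s, expected SUPER.SUPER" % owner))
        if rwep != EXPECTED_RWEP[name]:
            findings.append((subvol, name,
                             "RWEP %s, expected %s" % (rwep, EXPECTED_RWEP[name])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s.%s: %s" % finding)
```
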

Related Topics

Securing Applications

ENFORM

ENABLE




HP NonStop Server Security 2004
ISBN: 159059035X
EAN: N/A
Year: 2004
Pages: 157