
Page 1: Optimal Rule Searching in IBM i Transaction Based Systems

Optimal Rule Searching in Power i Transaction Based Systems

February 2010

The Challenge

Discussions about the relative merits of various algorithms for searching lists in computer systems go back as far as the systems themselves.

Searching lists in transaction-based online systems, for example the need to determine a user’s network accessibility rights, or the need to determine the types of access (Insert, Update, Delete and Read) permissible on particular objects, is especially acute. On the one hand, there is an ever-growing requirement to provide optimal response time for transactions running in these interactive environments, while on the other hand the number of users and objects whose attributes must be scanned to determine such access rights can easily be in the tens of thousands, if not more.

The Solution – “Best Fit Algorithm”

An especially advanced solution to the challenge above can be found in Raz-Lee Security's Firewall product, part of the iSecurity suite of products. In order for Firewall to protect network access into the Power i, it must first determine, in real time, a user’s network access rights to objects residing on the system.

In Firewall, user access rights may be defined as functions of the user profile name, the IP address or device name of the generating request, and more. The objects in the system are defined based upon such identifying information as the library name, the name of the object being accessed and the type of access requested.

As an intrinsic part of Firewall, the Best Fit Algorithm functions at sites worldwide, and especially at large sites encompassing many thousands of online users, where it determines a user’s network accessibility rights while still providing optimal user response time by minimizing CPU and I/O overhead.

The Best Fit Algorithm is based upon access rules specific to each enterprise. Some access rules will be general (“global” in technical jargon), addressing all or most users, IP addresses, system objects, etc., whereas other rules will be more “limited” in nature. The most general rule possible, which will always return TRUE, will return the list, perhaps even an empty list, of users who are permitted to access the object in question. On the other hand, the most limited rule will relate to a very specific situation, for example defining whether a particular user or users may or may not access a particular object for a specific purpose.

The use of generic naming conventions, in the case of Firewall the use of an asterisk following any given string of characters, is one of the ways in which non-specific global rules are defined. For example “MYFILE*” would reference all objects whose names begin with “MYFILE”.

It should be obvious that the order in which rules are scanned will directly influence the speed and efficiency of the scanning procedure.

Best-Fit Algorithm


Technical Description

iSecurity Firewall’s Best Fit Algorithm optimizes the number of rules required to determine the network accessibility rights of a user to access a Power i object via servers. Some of the more common servers are FTP, ODBC, DDM, etc.

Firewall enables the site’s system administrator to define, for each server, access rights in line with site policies. In particular the system administrator may define that each server:

• Allow all accesses through the server

• Reject all accesses through the server

• Allow only specific users access through the server

• Allow only specific “user to object” accesses through the server

In order to check the validity of a user to object access:

1. The Best Fit Algorithm scans the list of object rules, beginning with the most specific rule and terminating with the most general rule, looking for the first rule, if any such exists, which will allow access to the object in question.

2. The first rule encountered which returns TRUE is used to initiate a disk I/O in order to return the list of users who are allowed access to the object.

Example

Following is an example which will clarify the description above. Given the following sample rules:

• LIBRARY-NAME MYFILE

• LIBRARY-NAME MY*

• LIBRARY-NAME *ALL

• *ALL *ALL

Step 1 above will perform the following checks:

• Is the user attempting to access the object named MYFILE in the library named LIBRARY-NAME?

• Is the user attempting to access an object beginning with the string MY in the library named LIBRARY-NAME?

• Is the user attempting to access any object in the library named LIBRARY-NAME?

• Is the user attempting to access any object in any library?

As the last rule in our example will always return TRUE, the Best Fit Algorithm obtains the list of users permitted access to the object.


This list may contain the following types of user definitions:

• USER_NAME – specific user name

• GENERIC_USER_NAME* – example of generic capabilities

• GROUP_PROFILE / %GROUP – example of system or product group profiles

Technical Benefits of the Best Fit Algorithm

The benefits of the Best Fit Algorithm relate to:

• The number of rules required to scan

• The total amount of I/O required until the final determination is made

Using our previous example:

• LIBRARY-NAME MYFILE

• LIBRARY-NAME MY*

• LIBRARY-NAME *ALL

• *ALL *ALL

If the object-name actually being accessed is called MYLIB, the sequence of events which will occur is as follows:

• LIBRARY-NAME MYFILE - search for library-name/object-name key in memory fails, no I/O is performed

• LIBRARY-NAME MY* - search in memory fails, no I/O is performed

• LIBRARY-NAME *ALL - search in memory fails, no I/O is performed

• *ALL *ALL - the search in memory for the library-name/object-name key succeeds, so ONE record is input from external storage

In short, the total number of I/O requests for this search is only ONE I/O command required for determining the accessibility of the object by the user.
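As an added illustration, not Raz-Lee or iSecurity code and not taken from the paper, the following Python models the two-step check from the Technical Description together with the I/O count of the walk-through above: the rule keys are ordered once from most specific to most general (exact name, then a generic prefix with a trailing asterisk, then *ALL), the in-memory key scan stops at the first hit, and only that hit reads a user list from a simulated external store, counted as one I/O. It then applies the three user-definition types (USER_NAME, GENERIC_USER_NAME*, %GROUP) to the returned list. The four rule keys are the paper's sample; the user lists, the group names, the function and class names, and the request (library OTHERLIB, object MYLIB, chosen so that only the *ALL *ALL rule matches) are constructed assumptions.

```python
# Added example: a model of the Best Fit rule scan and its single-I/O property.
# Not Raz-Lee or iSecurity code; the rule keys follow the paper's sample, and
# everything else (user lists, request, group names, names below) is constructed.
from dataclasses import dataclass


def specificity(pattern):
    """Rank one rule component: exact name > generic prefix (trailing *) > *ALL.
    Among generics a longer prefix is more specific."""
    if pattern == "*ALL":
        return (0, 0)
    if pattern.endswith("*"):
        return (1, len(pattern) - 1)
    return (2, len(pattern))


def matches(pattern, name):
    """Apply the paper's naming conventions: *ALL matches anything and a
    trailing asterisk matches any name beginning with the preceding string."""
    if pattern == "*ALL":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


@dataclass
class FirewallSim:
    """Rule keys live in memory; user lists live in a simulated external store
    that is read only when a key matches, and every read counts as one I/O."""
    store: dict
    io_count: int = 0

    def __post_init__(self):
        # Order the keys once, most specific first (library outranks object),
        # so the scan can stop at the first hit; this ordering is what the
        # paper says directly influences scanning speed.
        self.rules = sorted(
            self.store,
            key=lambda k: (specificity(k[0]), specificity(k[1])),
            reverse=True,
        )

    def read_user_list(self, key):
        self.io_count += 1  # the only place external storage is touched
        return list(self.store[key])

    def best_fit(self, library, obj):
        """Step 1: scan keys in memory; Step 2: one I/O for the first TRUE rule.
        Returns (matched key or None, user list, [(key, hit), ...] trace)."""
        trace = []
        for key in self.rules:
            lib_pat, obj_pat = key
            hit = matches(lib_pat, library) and matches(obj_pat, obj)
            trace.append((key, hit))
            if hit:
                return key, self.read_user_list(key), trace
        return None, [], trace


def is_permitted(user, user_groups, user_list):
    """Check the returned list against the three definition types:
    USER_NAME (exact), GENERIC_USER_NAME* (prefix) and %GROUP (membership)."""
    for entry in user_list:
        if entry.startswith("%"):
            if entry[1:] in user_groups:
                return True
        elif matches(entry, user):
            return True
    return False


# Constructed store: the paper's four sample rule keys with made-up user lists.
SAMPLE_RULES = {
    ("LIBRARY-NAME", "MYFILE"): ["ALICE"],
    ("LIBRARY-NAME", "MY*"): ["ALICE", "DEV*"],
    ("LIBRARY-NAME", "*ALL"): ["%OPERATORS"],
    ("*ALL", "*ALL"): ["%AUDITORS"],
}


def walk_through(library="OTHERLIB", obj="MYLIB"):
    """Reproduce the paper's walk-through: three key misses with no I/O, then
    one hit on *ALL *ALL that costs exactly one read."""
    sim = FirewallSim(dict(SAMPLE_RULES))
    key, users, trace = sim.best_fit(library, obj)
    return key, users, trace, sim.io_count


if __name__ == "__main__":
    key, users, trace, ios = walk_through()
    for rule, hit in trace:
        outcome = "key found, ONE record read" if hit else "in-memory search fails, no I/O"
        print(f"{rule[0]} {rule[1]} - {outcome}")
    print(f"matched {key}, user list {users}, total I/O requests: {ios}")
```

The ordering key ranks the library component before the object component, so a rule such as LIBRARY-NAME *ALL is scanned before *ALL MYFILE; a real product may rank differently, and changing the tuple in `__post_init__` is enough to model another policy without touching the scan itself.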

Rule-Generating Wizards: an Additional Benefit

With the advent of PC-based systems, wizard technology became almost standard for all computing systems. As such, and in answer to numerous requests from Firewall customers, Raz-Lee developed wizard capabilities on the Power i that enable generating network access rules from actual network-related events!

Using wizard technology, generating rules used by the Best Fit Algorithm has become nearly effortless; all that needs to be done is to run a time-limited online report of network activity, view the activity log, focus on a particular event which may have been accepted or rejected, and press a Function Key. A new rule will open, pre-populated with the details of the selected network event; following easy adaptation of the filter data, the new rule can be used.


Summary

Raz-Lee’s Best Fit Algorithm provides superb performance at installations worldwide, quickly and efficiently determining network accessibility rights to Power i objects. Used together with Firewall’s unique rule-generating wizard capabilities, it has enabled large enterprises in particular to benefit from Raz-Lee’s state-of-the-art network monitoring, reporting and management capabilities.