Legal Notice
©2017 Vanguard Integrity Professionals, Inc. 2
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard SecurityCenter for DB2
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• Introduction to DB2 Security
• Controlling Access to DB2 Subsystems
• RACF Security for DB2
• RACF Access Control Module
• RACF Profiles for DB2 Objects
• Controlling Access to DB2 Objects
• Logging DB2 Activity
• Migrating from DB2 Security to RACF Security
• Benefits of Using RACF for DB2 Security
Relational Database Concepts
Relational term   Conventional term
TABLE             DATA SET
ROW               RECORD
COLUMN            FIELD
Relational Database Concepts
[Diagram: applications APP1 and APP2 issue SQL to DB2; DB2 shares the data in TABLE1 and TABLE2 between the applications and presents it through VIEW1 and VIEW2.]
Views
[Diagram: view EMP_A is built over TABLE EMP (EMPNO, SSN, DEPTNO, SALARY) and TABLE DEPT (DEPTNO, DPT_NAME) and exposes only EMPNO, DEPTNO, SALARY and DPT_NAME; the SSN column is not visible through the view.]
Definitions In Relational
ENTITY: EMPLOYEE
ATTRIBUTES (or PROPERTIES): EMPNAME, EMPNO, JOBCODE, SALARY
EMPNAME      EMPNO   JOBCODE   SALARY
Joe Smith    12345   20        28,000
Mary Smith   56789   30        34,000
John Doe     54321   10        42,000
Referential Integrity
EMPLOYEE                  DEPARTMENT
EMPNO   DEPTNO            DEPTNO   DEPTNAME
12345   10                10       PERSONNEL
65432   20                20       PAYROLL
56789   30                30       ACCOUNTING
(Every EMPLOYEE.DEPTNO value must exist as a DEPARTMENT.DEPTNO value.)
DB2 Operational Environment
Ways of attaching to DB2:
• IMS (MPP, BMP and FP regions) – IMS attach
• CICS applications – CICS attach
• TSO (QMF and DB2 applications) – TSO attach
• Call-attach facility
DB2 address spaces:
• MSTR – DB2 system services
• DBM1 – DB2 database services
• DIST – DB2 distributed data facility
• IRLM – internal resource lock manager
• WLMn – stored procedures address space(s)
• ADMT – admin task scheduler
The SQL Language
DDL: CREATE, ALTER, DROP
DML: SELECT, UPDATE, INSERT, DELETE
DCL: GRANT, REVOKE
Benefits of DB2
• Non-Navigational
• Set-at-a-time processing
• Shared Data
• DBMS manages the data
• Standardization of entity / attribute names
• Recoverability
• SQL
• Ease of access
What Should be Protected?
• Data sets
• Database
• Bufferpool
• Collection
• Package
• Plan
• Table Space
• Storage group
• Table
• Index
• View
Recognizing Users
DB2 uses identifiers to control access to data
• Three types of identifiers
– Primary authorization ID
– Secondary authorization ID
– SQL ID
Set Current SQLID
SET CURRENT SQLID = IDNAME
(The current SQLID becomes IDNAME.)
Gaining Access to Data
• Privilege: controlled by explicit granting and revoking
– User BOBS needs to insert rows in table TBL_CUST
• Ownership: controlled by privileges needed to create objects
– User JIMM is owner of table TBL_ORDR
• Plan and package execution: controlled by privilege to execute
– User JOHNH needs to execute plan TBL
Controlling Access to DB2 Objects
• Ownership
• Privileges
• Administrative Authorities
Ownership of DB2 Objects
• Created with SQL CREATE statement
• Name and ownership established when object created
• Names can be:
– Unqualified
– Qualified
• Name qualification determines ownership processing
DB2 Privileges and Authorities
[Diagram: an ID reaches DATA by one of three routes: PRIVILEGE (controlled by explicit granting and revoking), OWNERSHIP (controlled by the privileges needed to create objects) or PLAN & PACKAGE EXECUTION (controlled by the privilege to execute).]
Assigning Privileges
GRANT statements record the privileges in the catalog authorization tables:
SYSIBM.SYSCOLAUTH
SYSIBM.SYSDBAUTH
SYSIBM.SYSPACKAUTH
SYSIBM.SYSPLANAUTH
SYSIBM.SYSRESAUTH
SYSIBM.SYSROUTINEAUTH
SYSIBM.SYSSCHEMAAUTH
SYSIBM.SYSSEQUENCEAUTH
SYSIBM.SYSTABAUTH
SYSIBM.SYSUSERAUTH
SYSIBM.SYSVARIABLEAUTH
Cascading Revokes!
BEWARE OF THE “WITH GRANT” OPTION!!!!!!!
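To show what the warning above means in practice, here is an added example (not code from the deck) that models DB2's cascading REVOKE over constructed SYSIBM.SYSTABAUTH-style rows; it simplifies DB2's rule by cascading a grant whenever its grantor no longer holds the privilege WITH GRANT OPTION from any source (real DB2 also compares grant timestamps).

```python
"""Simplified model of DB2 cascading REVOKE (added example; not from the deck).
Rows mirror the grantor/grantee/privilege columns of SYSIBM.SYSTABAUTH and the
sample data is constructed. Simplification: a grant is cascaded when its grantor
no longer holds the privilege WITH GRANT OPTION from any source."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    table: str
    privilege: str
    with_grant: bool = False   # True = granted WITH GRANT OPTION


def holds_with_grant(grants, authid, table, privilege):
    """Does authid still hold privilege on table WITH GRANT OPTION?"""
    return any(g.grantee == authid and g.table == table
               and g.privilege == privilege and g.with_grant for g in grants)


def revoke(grants, grantor, grantee, table, privilege):
    """Simulate 'REVOKE privilege ON table FROM grantee' issued by grantor.
    Returns (remaining grants, set of grants removed by the cascade)."""
    remaining = set(grants)
    removed = set()
    work = [(grantor, grantee)]
    while work:
        gor, gee = work.pop()
        victims = {g for g in remaining if g.grantor == gor and g.grantee == gee
                   and g.table == table and g.privilege == privilege}
        if not victims:
            continue
        remaining -= victims
        removed |= victims
        # If gee can no longer have granted this privilege, every grant gee
        # made of it is a dependent grant and is revoked as well.
        if not holds_with_grant(remaining, gee, table, privilege):
            work.extend((gee, g.grantee) for g in remaining
                        if g.grantor == gee and g.table == table
                        and g.privilege == privilege)
    return remaining, removed


def grant_option_holders(grants):
    """Audit helper: who holds anything WITH GRANT OPTION (the cascade risk)."""
    return sorted({(g.grantee, g.table, g.privilege) for g in grants if g.with_grant})


# Constructed sample: DBA grants SELECT on EMP down a chain of grantors.
SAMPLE = {
    Grant("DBA",   "ALICE", "EMP", "SELECT", with_grant=True),
    Grant("ALICE", "BOB",   "EMP", "SELECT", with_grant=True),
    Grant("BOB",   "CAROL", "EMP", "SELECT"),
    Grant("DBA",   "DAVE",  "EMP", "SELECT", with_grant=True),
    Grant("DAVE",  "CAROL", "EMP", "SELECT"),
}

if __name__ == "__main__":
    left, gone = revoke(SAMPLE, "DBA", "ALICE", "EMP", "SELECT")
    # Revoking from ALICE also removes BOB's and CAROL's grants in the ALICE
    # chain; CAROL keeps SELECT through DAVE, whom DBA granted directly.
    for g in sorted(gone, key=lambda g: g.grantee):
        print("revoked:", g)
    print("grant option holders:", grant_option_holders(left))
```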
Administrative Authorities
• Installation SYSADM – no additional named privileges
• SYSADM (includes SYSCTRL, PACKADM and DBADM authority)
• SYSCTRL (includes Installation SYSOPR, SYSOPR and DBCTRL authority)
• Installation SYSOPR (includes SYSOPR authority)
• SYSOPR – system operation only
• PACKADM – package administration only
• DBADM (includes DBCTRL and DBMAINT authority)
• DBCTRL (includes DBMAINT authority)
• DBMAINT – database maintenance only
Separating the SYSADM Authority
• SEPARATE_SECURITY system parameter
– When set to ‘NO’ (default)
SYSADM (System Administrator) holds: Security Administration, System Administration, Database Administration, Data Access
Separating the SYSADM Authority
• SEPARATE_SECURITY system parameter
– When set to ‘YES’ (DB2 10 for z/OS)
SYSADM (System Administrator) holds: System Administration, Database Administration, Data Access
SECADM (Security Administrator) holds: Access Control
New Administrative Authorities
• SECADM – manage data access control; cannot change or access data
• ACCESSCTRL – access control; cannot manage or access data
• DATAACCESS – access data; cannot manage data or control access
• SYSDBADM – manage databases; limited data access and access control
• SQLADM – monitor and tune SQL; cannot change or access data
• EXPLAIN – validate SQL; cannot execute SQL
Security Catalog - the Auth Tables
Table name                  Privileges held for or authorization related to
SYSIBM.SYSCOLAUTH           Updating columns
SYSIBM.SYSDBAUTH            Databases
SYSIBM.SYSPLANAUTH          Plans
SYSIBM.SYSPACKAUTH          Packages
SYSIBM.SYSRESAUTH           Buffer pools, storage groups, collections, table spaces, JARs, and distinct types
SYSIBM.SYSROUTINEAUTH       User-defined functions and stored procedures
SYSIBM.SYSSCHEMAAUTH        Schemas
SYSIBM.SYSTABAUTH           Tables and views
SYSIBM.SYSUSERAUTH          System authorities
SYSIBM.SYSSEQUENCEAUTH      Sequences
SYSIBM.SYSCONTEXT           Associating a role with a trusted context
SYSIBM.SYSCTXTTRUSTATTRS    Associating trust attributes with a trusted context
SYSIBM.SYSCONTEXTAUTHIDS    Associating users with a trusted context
Use of the Catalog
[Diagram: the security administrator, the database administrator and programmers all read the catalog tables.]
Accessing the Catalog
• IBM's DB2 Administration Tool
• Third party software products
• SQL queries
DB2 Objects
DB2 Object Types:
• Bufferpool
• Collection
• Database
• Global Variables
• JAR - Java Archive File
• Packages
• Plans
• Schemas
• Sequence
• System Privileges
• Stored Procedures
• Storage Group
• Table/Index/View
• Table Space
• User Defined Distinct Types
• User Defined Functions
Bufferpools
[Diagram: buffer pools, labelled SPEED.]
Example:
GRANT USE OF BUFFERPOOL BP1, BP2 TO JONES;
Table Spaces
[Diagram: TABLE SPACE S1 holds TABLE T1, TABLE SPACE S2 holds TABLE T2, and TABLE SPACE S3 holds TABLE T3 and TABLE T4.]
Example:
GRANT USE OF TABLESPACE S1, S2, S3 TO PUBLIC;
DB2 USE Privilege
Use Privilege        Allows the use of these objects
USE OF BUFFERPOOL    A buffer pool
USE OF STOGROUP      A storage group
USE OF TABLESPACE    A table space
Tables
DEPTNO   DEPTNAM              MGRNO
A00      INFORMATION CENTER   00010
B01      PLANNING             00020
C01      BUSINESS ANALYSIS    00030
Example:
GRANT ALL ON TABLE EMP TO USER01, USER02;
GRANT UPDATE(DEPTNAM) ON TABLE EMP TO USER05;
GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE EMP TO D2TPYP01;
Views
[Diagram: USER 1 through USER 5 reach TABLE 1 and TABLE 2 only through VIEW 1, VIEW 2 and VIEW 3.]
Aliases and Synonyms
[Diagram: AUTOMOBILE as an alternative name for CAR.]
Privilege: CREATEALIAS
Indexes
[Diagram: index STAFF_IDX on column EMPNO of table TABLE_STAFF (columns EMPNO, EMPNAME, DEPTNO, ...).]
Privilege: INDEX (the INDEX authority is a table privilege)
Table/View Privileges
Table/View Privilege   Allows these SQL statements for a named table or view
ALTER                  Change the table definitions
DELETE                 Delete rows from a table or a view
INDEX                  Create an index on a table
INSERT                 Insert rows in a table or a view
REFERENCES             Add or remove a referential constraint
SELECT                 Retrieve data from a table or a view
UPDATE                 Update all columns or specified columns in a table or a view
GRANT ALL              Grants ALL table privileges listed above
Databases
[Diagram: DATABASE D1 contains TABLESPACE S1 (TABLE T1, TABLE T2) and PARTITIONED TABLESPACE S2 (TABLE T3 PART 1, TABLE T3 PART 2); DATABASE D2 contains TABLESPACE R1 (TABLE V1, TABLE V2) and PARTITIONED TABLESPACE R2 (TABLE V3 PART 1, TABLE V3 PART 2).]
Database Privileges
Privilege    Allows these functions on a named database
CREATETAB    Create table in database
CREATETS     Create table space in database
DISPLAYDB    Display database status
DROP         Drop or alter database
IMAGCOPY     Run COPY, MERGECOPY, MODIFY, & QUIESCE utilities for table spaces in database
LOAD         Use LOAD utility
RECOVERDB    Use RECOVER & REPORT utilities
REORG        Use REORG utility
REPAIR       Use REPAIR & DIAGNOSE utilities
STARTDB      Use START DATABASE command
STATS        Utilize RUNSTATS & CHECK
STOPDB       Use STOP DATABASE command
Database Administrative Authorities
• DBMAINT – privileges are: CREATETAB, CREATETS, DISPLAYDB, IMAGCOPY, STARTDB, STATS, STOPDB
• DBCTRL – privileges are: DROP, LOAD, RECOVERDB, REORG, REPAIR (plus DBMAINT privileges)
• DBADM – privileges are: ALTER, DELETE, INDEX, INSERT, REFERENCES, SELECT (plus DBCTRL privileges)
Plans
[Diagram, program preparation: the application program goes through the DB2 precompiler, which produces (a) modified source that is compiled into an object module and link-edited into a load module, and (b) a DBRM that is bound into an application plan.]
DB2 Plan Privileges
Plan Privilege   Allows these subcommands for a named application plan
BIND             BIND, REBIND, and FREE PLAN to bind or free the plan
EXECUTE          RUN to use the plan when running the application
Multiple Plans
[Diagram: PROG 1, PROG 2 and PROG 3 are each precompiled into a DBRM and compiled/link-edited into a load module; the DBRMs are bound directly into PLAN 1 (used by APP 1) and PLAN 2 (used by APP 2), with one DBRM bound into both plans.]
Packages and Plans
[Diagram: the same three DBRMs are each bound into a PACKAGE, and PLAN 1 and PLAN 2 reference the packages instead of the DBRMs.]
DB2 Package Privileges
Package Privilege   Allows these functions for a named package
BIND                BIND, REBIND, and FREE PACKAGE subcommands, DROP PACKAGE statement, BIND NEW PACKAGE
COPY                COPY option of BIND PACKAGE to copy a package
EXECUTE             Inclusion of the package in the PKLIST option of BIND PLAN
GRANT ALL           Grants all package privileges listed above
DB2 Collection Privileges
Collection Privilege   Allows these functions for a named package collection
CREATEIN               Naming the collection in the BIND PACKAGE subcommand
[Diagram: COLLECTION A contains Package A, Package B and Package C.]
Collection Authority
PACKADM encompasses both the CREATEIN privilege on the collection plus all the package privileges for ANY package that is in the collection.
It may be granted on asterisk (*) to indicate the authority is held on all collections.
The PACKADM authority is recorded in the SYSIBM.SYSRESAUTH catalog table (as is the CREATEIN privilege).
Package Administrative Authority
PACKADM
– Privileges on a collection: CREATEIN
– Privileges on all packages in the collection: BIND, COPY, EXECUTE
BINDAGENT System Privilege
[Diagram: in TEST the developer holds BIND and EXECUTE on the plan and SELECT, UPDATE, INSERT and DELETE on the tables; in PROD the bind agent holds BIND only on the plan, and the developer grants BINDAGENT so the agent can bind the plan on the developer's behalf.]
Example:
GRANT BINDAGENT TO JOHNSON;
DB2 Binding using Packages
• If a program changes, only its DBRM needs to be rebound
• A DBRM can be a member of several plans
• Packages provide a way to support static SQL statements at remote DBMS locations
• Plans can be executed or bound remotely
• Use the ENABLE/DISABLE option on the BIND / REBIND commands to allow access only from specific subsystems or environments
DB2 Schema Privileges
Schema Privilege   Allows these functions for a named Schema
ALTERIN            Alter stored procedures and user-defined functions
CREATEIN           Create distinct types, stored procedures, triggers, and user-defined functions
DROPIN             Drop distinct types, stored procedures, triggers, and user-defined functions
DB2 Procedure Privileges
Procedure Privilege   Allows these functions for a named Procedure
DISPLAY               Use of the DISPLAY PROCEDURE command for statistics about accessed stored procedures
EXECUTE               Grants the privilege to run the cast function that was generated for a stored procedure
START                 Activates the definition of a stored procedure
STOP                  Prevents DB2 from accepting SQL CALL statements for one or more stored procedures
DB2 User-Defined Privileges
User-Defined Distinct Type   Allows this function for a named Distinct Type
USAGE                        Grants the privilege to use the identified distinct types
User-Defined Function        Allows these functions for a named Function
DISPLAY                      Displays statistics about user-defined functions
EXECUTE                      Grants the privilege to run the function
DB2 Global Variables Privileges
Global Variables   Allows these functions for a named Variable
READ               Grants the privilege to read the global variable
WRITE              Grants the privilege to update the global variable
System Administrative Authorities
• SYSOPR (System Operator) – can issue DB2 commands and utilize DB2 utilities
• Installation SYSOPR – IDs named in system initialization parameters (DSNZPARM) during DB2 installation
• SYSCTRL – almost complete control of the DB2 subsystem; cannot access user data unless granted the privilege to do so
• SYSADM (System Administrator) – full access within the DB2 subsystem, with the ability to grant privileges to others
• Installation SYSADM – IDs named in system initialization parameters (DSNZPARM) during DB2 installation
System Privileges
System Privilege   Allows these functions
ARCHIVE            ARCHIVE, DISPLAY, and SET commands: archive, display active log and control allocation for archive processing
BINDADD            BIND subcommand with the ADD option: create new plans and packages
BINDAGENT          BIND, REBIND, and FREE subcommands, DROP PACKAGE statement: bind, rebind, or free a plan or package, or copy a package on behalf of the grantor. BINDAGENT privilege is intended for separation of function, not added security.
BSDS               RECOVER BSDS subcommand: recover the bootstrap data set
CREATEALIAS        CREATE ALIAS statement: create an alias for a table or view name
CREATEDBA          CREATE DATABASE statement: create a database and have DBADM authority over it
CREATEDBC          CREATE DATABASE statement: create a database and have DBCTRL authority over it
CREATESG           CREATE STOGROUP statement: create a storage group
CREATETMTAB        CREATE GLOBAL TEMPORARY TABLE statement: define a temporary table
DISPLAY            DISPLAY ARCHIVE, BUFFERPOOL, DATABASE, LOCATION, THREAD, and TRACE commands: display system information
MONITOR1           Receive trace data that is not potentially sensitive
MONITOR2           Receive all trace data
RECOVER            RECOVER INDOUBT command: recover threads
STOPALL            STOP DB2 command: stop DB2
STOSPACE           STOSPACE utility: obtain data about space usage
TRACE              START TRACE, STOP TRACE, and MODIFY TRACE commands: control tracing
Defining DB2 Subsystems to RACF
[Diagram: the started-task user IDs DB2PMSTR, DB2PDBM1, DB2PIRLM, DB2PDIST, DB2PWLMn and DB2PADMT must be defined in the RACF data base with USER profiles and connected to a GROUP profile.]
The DB2 Subsystems
Subsystem   Use          Started tasks
DB2P        PRODUCTION   DB2PDBM1 DB2PMSTR DB2PIRLM DB2PDIST DB2PWLM1 DB2PADMT
DB2T        TEST         DB2TDBM1 DB2TMSTR DB2TIRLM DB2TDIST DB2TWLM1 DB2TADMT
DB2S        SYSTEMS      DB2SDBM1 DB2SMSTR DB2SIRLM DB2SDIST DB2SWLM1 DB2SADMT
RACF Started Class Profiles
RDEF STARTED DB2PMSTR.* STDATA(USER(=MEMBER) GROUP(DB2PSYS))
RDEF STARTED DB2PDBM1.* STDATA(USER(=MEMBER) GROUP(DB2PSYS))
RDEF STARTED DB2PIRLM.* STDATA(USER(=MEMBER) GROUP(DB2PSYS))
RDEF STARTED DB2PDIST.* STDATA(USER(=MEMBER) GROUP(DB2PSYS))
RDEF STARTED DB2PWLM1.* STDATA(USER(=MEMBER) GROUP(DB2PSYS))
RDEF STARTED DB2PADMT.* STDATA(USER(=MEMBER) GROUP(DB2PSYS))
RDEF STARTED DB2TMSTR.* STDATA(USER(=MEMBER) GROUP(DB2TSYS))
RDEF STARTED DB2TDBM1.* STDATA(USER(=MEMBER) GROUP(DB2TSYS))
RDEF STARTED DB2TIRLM.* STDATA(USER(=MEMBER) GROUP(DB2TSYS))
RDEF STARTED DB2TDIST.* STDATA(USER(=MEMBER) GROUP(DB2TSYS))
RDEF STARTED DB2TWLM1.* STDATA(USER(=MEMBER) GROUP(DB2TSYS))
RDEF STARTED DB2TADMT.* STDATA(USER(=MEMBER) GROUP(DB2TSYS))
RDEF STARTED DB2SMSTR.* STDATA(USER(=MEMBER) GROUP(DB2SSYS))
RDEF STARTED DB2SDBM1.* STDATA(USER(=MEMBER) GROUP(DB2SSYS))
RDEF STARTED DB2SIRLM.* STDATA(USER(=MEMBER) GROUP(DB2SSYS))
RDEF STARTED DB2SDIST.* STDATA(USER(=MEMBER) GROUP(DB2SSYS))
RDEF STARTED DB2SWLM1.* STDATA(USER(=MEMBER) GROUP(DB2SSYS))
RDEF STARTED DB2SADMT.* STDATA(USER(=MEMBER) GROUP(DB2SSYS))
DB2 Dataset Naming Conventions
ACTIVE LOGS                   DSNP110.LOGCOPY*.**
ARCHIVE LOGS                  DSNP110.ARCHLOG*.**
BOOTSTRAP DATASETS            DSNP110.BSDS*.**
TABLESPACES & INDEXSPACES     DSNP110.DSNDBC.*.**
INSTALL LIBRARIES             DSN110.*.**
OTHER GENERAL DATASETS        DSNP110.*.**
Sample Dataset Profile
READY
LD DA('DSNP110.*.**') AU
INFORMATION FOR DATASET DSNP110.*.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    DSNP110   NONE              NO       NO
AUDITING
--------
FAILURES(READ)
   ID      ACCESS
--------   -------
DB2PSYS    ALTER
SYSADM     ALTER
Securing DB2 Subsystems
DSNR Class Profiles
Name         UACC   Access List
DB2P.SASS    NONE   CICSPRD(READ)
DB2P.BATCH   NONE   PRODID(READ)
DB2T.BATCH   NONE   PGMRGRP(READ)
DB2T.SASS    NONE   CICSTST(READ)
[Diagram: CICSPRD may connect to DB2P; CICSTST and PGMRGRP are kept out of DB2P.]
Defining DSNR Profiles
RDEF DSNR (DB2P.SASS, DB2P.BATCH) OW(DBADMIN) UA(NONE)
RDEF DSNR (DB2T.SASS, DB2T.BATCH) OW(DBADMIN) UA(NONE)
PE DB2P.SASS CL(DSNR) ID(CICSPRD) AC(READ)
PE DB2P.BATCH CL(DSNR) ID(PRODID) AC(READ)
PE DB2T.SASS CL(DSNR) ID(CICSTST) AC(READ)
PE DB2T.BATCH CL(DSNR) ID(PGMRGRP) AC(READ)
DB2 Connection Processing
[Diagram: connection requests arrive from the IMS control region, DL/1 batch, CICS, TSO, JES-initiated batch, started tasks and DB2 utilities.]
STEP 1: Obtain the primary ID
STEP 2: Verify, by RACF ID, access to the subsystem (not authorized: reject the request)
STEP 3: Run the connection exit routine
Sample Exits
DSN3@ATH   Default connection exit
DSN3SATH   Sample connection exit
DSN3@SGN   Default sign-on exit
DSN3SSGN   Sample sign-on exit
DB2 Secondary Authorization IDs
[Diagram: job DSNTIJEX assembles and link-edits the sample exits DSN3SATH and DSN3SSGN from prefix.SDSNSAMP into prefix.SDSNEXIT as DSN3@ATH and DSN3@SGN.]
Sample Connection Exit
[Diagram: USER01 is connected to RACF groups TEST, PROD, DB2AP and DB2PY; the DSN3@ATH exit sets PRIMARY ID = USER01, SQL ID = USER01 and SECONDARY IDS = TEST, PROD, DB2AP, DB2PY.]
Sample Sign-On Exit
[Diagram: CICSPRD is connected to RACF groups GRP1, GRP2, GRP3 and GRP4; the DSN3@SGN exit sets PRIMARY ID = CICSPRD, SQL ID = CICSPRD and SECONDARY IDS = GRP1, GRP2, GRP3, GRP4.]
Exit Modifications
[Diagram: with DSN3@ATH and DSN3@SGN modified to ask "does the group name start with DB2?", USER01 (RACF groups TEST, PROD, DB2AP, DB2PY) gets PRIMARY ID = USER01, SQL ID = USER01 and only DB2AP and DB2PY as SECONDARY IDS.]
CICS / DB2 Resource Definitions
[Diagram: transaction TRN1 in CICSPRD goes through the CICS DB2 attachment code to the DB2P production system, where the connection exit and sign-on exit run.]
CSD DB2ENTRY definitions (CEDA DEFINE DB2ENTRY):
Transid   Authtype   Plan
TRN1      GROUP      ACT1234
CSTV      GROUP      CUST123
PY01      USERID     PY00100
Note: Only AUTHTYPE(USERID) or AUTHTYPE(GROUP) passes an ACEE to the security exit. AUTHID(…) does not.
CICS / DB2 Resource Definitions
Security improvement for DB2 users:
• The CICS interface with DB2 will provide additional function when using DB2 and RACF. CICS can be configured to pass the address of its region user ID Access Control Environment Element (ACEE) to simplify the recommended migration from DB2 internal security to using RACF.
• If the ID you specify in SIGNID() matches the CICS region user ID, and you specify AUTHTYPE(SIGN) for any command, pool or entry threads, the RACF access control environment element (ACEE) for the CICS region user ID is passed to DB2 in CICS TS 4.1 and later.
Traditional DB2 Security
[Diagram: group DB2AB needs the execute privilege on the ACT01234 plan; the DB2 admin issues GRANT and REVOKE statements against the DB2P catalog in the DB2P subsystem.]
GRANT EXECUTE ON PLAN ACT01234 TO DB2AB
RACF Security for DB2 Objects
Group DB2AB needs execute privilege to the ACT01234 plan in the DB2P subsystem. The RACF admin defines the profile in the RACF database with RDEFINE, RALTER and PERMIT:
RDEF MDSNPN DB2P.ACT01234.EXECUTE OW(DB2ADM) UA(NONE)
PE DB2P.ACT01234.EXECUTE CLASS(MDSNPN) ID(DB2AB) AC(READ)
RACF Classes For DB2 Objects
DB2 Object Type              Member   Grouping
Bufferpool                   MDSNBP   GDSNBP
Collection                   MDSNCL   GDSNCL
Database                     MDSNDB   GDSNDB
Global Variables             MDSNGV   GDSNGV
JAR - Java Archive File      MDSNJR   GDSNJR
Package                      MDSNPK   GDSNPK
Plan                         MDSNPN   GDSNPN
Schema                       MDSNSC   GDSNSC
Sequence                     MDSNSQ   GDSNSQ
Storage Group                MDSNSG   GDSNSG
Stored Procedure             MDSNSP   GDSNSP
System                       MDSNSM   GDSNSM
Table / Index / View         MDSNTB   GDSNTB
Table Space                  MDSNTS   GDSNTS
User Defined Distinct Type   MDSNUT   GDSNUT
User Defined Function        MDSNUF   GDSNUF
DB2 Authorization Exit
[Diagram: the DB2 subsystem calls the DSNX@XAC authorization exit at DB2 start up (initialization), on every access to DB2 objects (authorization checking) and at DB2 shutdown (termination); the exit calls RACF, whose profiles are held in the RACF database and loaded into data spaces.]
Steps To Implement DSNX@XAC Exit
1. Obtain the RACF Access Control Module from prefix.SDSNSAMP(DSNXRXAC) – starting with DB2 V8
2. Copy to a private library with the name DSNX@XAC
3. Specify the exit options (optional)
– &CLASSOPT
– &CLASSNMT
– &CHAROPT
– &ERROROPT
4. Define DB2 classes in the CDT (if the exit was modified)
5. Define RACF profiles - RDEFINE, RALTER, PERMIT
6. Activate the DB2 classes
7. Assemble and link edit the sample exit
– Modify the JEX0003 step of the DB2 install job
– Run the JEX0003 job
8. Start DB2
Single or Multi-subsystem Scope?
• Multi-Subsystem Scope Classes
– Default
– First qualifier is DB2 subsystem name
– No changes to CDT
• Single Subsystem Scope Classes
– Optional
– DB2 subsystem name not in profile
– Add classes to CDT
Customizing the DSNX@XAC Exit
[Diagram: the system programmer sets &CLASSOPT, &CLASSNMT, &CHAROPT and &ERROROPT in the DSNX@XAC exit; the security administrator needs to know the class scope, the pattern of DB2 class names and the format of RACF profile names.]
Customization Options for DSNX@XAC
&CLASSOPT – Class Scope
1 = Single-subsystem scope
2 = Multi-subsystem scope
&CLASSNMT – Class Name Root
1 to 4 characters; ‘DSN’ is the default; only for &CLASSOPT=2
Example: MDB2PTB
&CHAROPT – Class Name Suffix
Last character of the class name: 0 - 9, #, @, $; default is ‘1’
Example: MDB2PTB#
&ERROROPT
1 = Defer to DB2 when an unexpected error occurs
2 = Instruct DB2 to terminate when an unexpected error occurs
An unexpected error is:
• DSNX@XAC abends
• DSNX@XAC returns an unexpected return code
• DSNX@XAC instructs DB2 to not call it again
Multi-Subsystem Scope Options
Example of using the default settings:
Exit options: &CLASSOPT = 2, &CLASSNMT = DSN
Class for DB2 authorities: DSNADM
Classes for DB2 objects: MDSNTB, GDSNTB, MDSNPN, GDSNPN, etc.
Profile names must be prefixed with the DB2 subsystem name
Multi-Subsystem Scope (Default)
[Diagram: the RACF CDT is unchanged; the MDSNTB/GDSNTB classes in the RACF database hold DB2P.U01.TAB123.SELECT (SELECT on table U01.TAB123 in DB2P) and DB2T.U49.TABXYZ.ALTER (ALTER on table U49.TABXYZ in DB2T).]
Single-Subsystem Scope Options
Example of installation-defined classes:
Exit options: &CLASSOPT = 1, &CLASSNMT = Not Applicable, &CHAROPT = #
Class for DB2 authorities: DB2PADM# (DB2P), DB2TADM# (DB2T)
Classes for DB2 objects: MDB2PTB#, GDB2PTB#, MDB2PPN#, GDB2PPN#, etc. for DB2P; MDB2TTB#, GDB2TTB#, MDB2TPN#, GDB2TPN#, etc. for DB2T
Profile names are not prefixed with the DB2 subsystem name; class names must contain the DB2 subsystem name
Dynamic CDT
RDEFINE CDT MDB2PTB# CDTINFO(DEFAULTUACC(NONE) FIRST(ANY) OTHER(ANY) MAXLNTH(100) GROUP(GDB2PTB#) OPER(NO) DEFAULTRC(4) POSIT(526) SIGNAL(YES) RACLIST(REQUIRED))
RDEFINE CDT GDB2PTB# CDTINFO(DEFAULTUACC(NONE) FIRST(ANY) OTHER(ANY) MAXLNTH(100) MEMBER(MDB2PTB#) OPER(NO) DEFAULTRC(4) POSIT(526) SIGNAL(YES) RACLIST(REQUIRED))
Single-Subsystem Scope
[Diagram: the RACF CDT (ICHRRCDE plus the dynamic entries) now contains MDB2PTB#/GDB2PTB# for DB2P and MDB2TTB#/GDB2TTB# for DB2T; the RACF database holds U01.TAB123.SELECT in class MDB2PTB# and U49.TABXYZ.ALTER in class MDB2TTB#.]
RACF Profile Syntax For DB2 Objects
Profile names are built as Subsystem.Object.Privilege:
Subsystem   Object       Privilege   Class    Profile
DB2P        U01.TAB123   SELECT      MDSNTB   DB2P.U01.TAB123.SELECT
DB2P        PLN987       EXECUTE     MDSNPN   DB2P.PLN987.EXECUTE
Profiles For Storage Groups
DB2-subsystem.storage-group-name.USE
Class: MDSNSG
Example: DB2P.STOGRP03.USE (USE of storage group STOGRP03 in subsystem DB2P)
Profiles for Databases
DB2-subsystem.database-name.privilege
Class: MDSNDB
Privileges: CREATETAB, CREATETS, DISPLAYDB, DROP, IMAGCOPY, LOAD, RECOVERDB, REORG, REPAIR, STARTDB, STATS, STOPDB
Examples (database PAYDB in subsystem DB2P): DB2P.PAYDB.REORG, DB2P.PAYDB.*
Profiles for Table Spaces
DB2-subsystem.database-name.tablespace-name.USE
Class: MDSNTS
Example: DB2P.EMPDB.TS456.USE (USE of table space TS456 in database EMPDB, subsystem DB2P)
Profiles for Tables
DB2-subsystem.table-qualifier.table-name.privilege
DB2-subsystem.table-qualifier.table-name.column.privilege
Class: MDSNTB
Privileges: ALTER, DELETE, INDEX, INSERT, SELECT, REFERENCES, UPDATE, TRIGGER
Examples (table U01.TAB123 in subsystem DB2P):
DB2P.U01.TAB123.SELECT
DB2P.U01.TAB123.INSERT
DB2P.U01.TAB123.DEPTNO.UPDATE
Valid privileges for table columns are REFERENCES and UPDATE
Profiles for Views
DB2-subsystem.view-qualifier.view.SELECT
DB2-subsystem.table-qualifier.table-name.view-qualifier.view.privilege
Class: MDSNTB
Privileges: SELECT (on the view); DELETE, INSERT, UPDATE (on the view, qualified by its base table)
Examples (view U01.VIEW789 over table U01.TAB123 in subsystem DB2P):
DB2P.U01.VIEW789.SELECT
DB2P.U01.TAB123.U01.VIEW789.INSERT
Profiles for Plans
DB2-subsystem.plan-name.privilege
Class: MDSNPN
Privileges: BIND, EXECUTE
Examples (plan PLN987 in subsystem DB2P): DB2P.PLN987.BIND, DB2P.PLN987.EXECUTE
Profiles For Collections
DB2-subsystem.collection-id.CREATEIN
Class: MDSNCL
Example: DB2P.COL345.CREATEIN (CREATEIN on collection COL345 in subsystem DB2P)
Profiles for Packages
DB2-subsystem.collection-id.package-id.privilege
Class: MDSNPK
Privileges: BIND, COPY, EXECUTE
Examples (package PK456 in collection COL345, subsystem DB2P): DB2P.COL345.PK456.EXECUTE, DB2P.COL345.PK456.COPY, DB2P.COL345.*.BIND
Profiles For Buffer Pools
DB2-subsystem.bufferpool-name.USE
Class: MDSNBP
Example: DB2P.BFP003.USE (USE of buffer pool BFP003 in subsystem DB2P)
Profiles for Schemas
DB2-subsystem.schema-name.CREATEIN
DB2-subsystem.schema-name.object-name.ALTERIN
DB2-subsystem.schema-name.object-name.DROPIN
Class: MDSNSC
Privileges: CREATEIN, ALTERIN, DROPIN
Examples (schema ACME in subsystem DB2P, containing stored procedure PROC1 and user defined function FCN07):
DB2P.ACME.CREATEIN
DB2P.ACME.PROC1.ALTERIN
DB2P.ACME.FCN07.DROPIN
Profiles for Stored Procedures
DB2-subsystem.schema-name.procedure-name.privilege
Class: MDSNSP
Privileges: DISPLAY, EXECUTE
Examples (stored procedures PROC1 and PROC2 in schema ACME, subsystem DB2P): DB2P.ACME.PROC2.EXECUTE, DB2P.ACME.*.DISPLAY
Profiles for User Defined Functions
DB2-subsystem.schema-name.function-name.privilege
Class: MDSNUF
Privileges: DISPLAY, EXECUTE
Examples (user defined function FCN07 in schema ACME, subsystem DB2P): DB2P.ACME.FCN07.EXECUTE, DB2P.ACME.*.DISPLAY, DB2P.*.*.DISPLAY
Profiles for User Defined Distinct Types
DB2-subsystem.schema-name.type-name.USAGE
Class: MDSNUT
Examples (user defined type PRICE in schema ACME, subsystem DB2P): DB2P.ACME.PRICE.USAGE, DB2P.ACME.*.USAGE
Profiles for Sequences
DB2-subsystem.schema-name.sequence-name.privilege
Class: MDSNSQ
Privileges: ALTER, ALTERIN, USAGE
Examples (sequence SEQ987 in schema ACME, subsystem DB2P): DB2P.ACME.SEQ987.ALTER, DB2P.ACME.*.USAGE
Profiles for Java Archive
Diagram: profile-name format DB2-subsystem.schema-name.JAR-name.USAGE, defined in the MDSNJR class of the RACF database.
– Example for Java archive JAR123 in schema ACME: DB2P.ACME.JAR123.USAGE
– Generic example covering every JAR in the schema: DB2P.ACME.*.USAGE
Profiles for Global Variables
Diagram: profile-name format DB2-subsystem.schema-name.variable-name.privilege, defined in the MDSNGV class of the RACF database. Global variable privileges: READ, WRITE.
– Example for variable VAR123 in schema ACME: DB2P.ACME.VAR123.WRITE
– Generic example covering every variable in the schema: DB2P.ACME.*.READ
Profiles for System Privileges
Diagram: profile-name formats DB2-subsystem.privilege and, for BINDAGENT, DB2-subsystem.package-owner.BINDAGENT, defined in the MDSNSM class of the RACF database.
System privileges: ARCHIVE, BINDADD, BINDAGENT, BSDS, CREATEALIAS, CREATEDBA, CREATEDBC, CREATESG, CREATETMTAB, DISPLAY, EXPLAIN, MONITOR1, MONITOR2, RECOVER, STOPALL, STOSPACE, SQLADM, TRACE
– Examples for subsystem DB2P: DB2P.CREATEDBA, DB2P.SQLADM
– Generic example covering every system privilege of the subsystem: DB2P.*
Profiles for Database Authority
Diagram: profile-name format DB2-subsystem.Database-name.authority, defined in the DSNADM class of the RACF database. Database authorities: DBADM, DBCTRL, DBMAINT.
– Examples for database PAYDB on subsystem DB2P: DB2P.PAYDB.DBADM, DB2P.PAYDB.DBCTRL, DB2P.PAYDB.DBMAINT
Profiles for Package Authorities
Diagram: profile-name format DB2-subsystem.collection-id.PACKADM, defined in the DSNADM class of the RACF database.
– Example for collection COL345 (which holds package PACK456) on subsystem DB2P: DB2P.COL345.PACKADM
Profiles for System Authorities
Diagram: profile-name format DB2-subsystem.authority, defined in the DSNADM class of the RACF database.
System authorities: ACCESSCTRL, DATAACCESS, SECADM, SYSADM, SYSCTRL, SYSDBADM, SYSOPR
– Examples for subsystem DB2P: DB2P.ACCESSCTRL, DB2P.SYSDBADM, DB2P.SYSADM
Access Control With RACF
• To access a DB2 object requires:
– Ownership
- or -
– Privilege to Object
- or -
– Administrative Authority
Authorization Exit Example
Diagram: DB2 security in subsystem DB2P asks the access control module (DSNX@XAC): does the user ARTH have INSERT privilege to the table PAYID.EMPL in the PAYDB database? The module checks, in order:
– Owner? ARTH = PAYID: No
– Object profile, MDSNTB class: DB2P.PAYID.EMPL.INSERT UA(NONE) PHILE(READ): RC 8
– DBADM Authority? DSNADM class: DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ): RC 8
– SYSADM Authority? DSNADM class: DB2P.SYSADM UA(NONE) JULIE(READ): RC 8
– DATAACCESS Authority? DSNADM class: DB2P.DATAACCESS UA(NONE) JIMM(READ): RC 8
– Set RC 8, returned to DB2 security
Return codes as DB2 security interprets them: RC=0 Allow, RC=4 DB2 Security (DB2 makes its own decision), RC=8 Deny. Result here: RC = 8, Deny.
DSNX@XAC Exit Return Codes
Return codes from RACF                      Return code
Object Profile    DSNADM Profile            passed to DB2
0                 Not Applicable            0
4                 0                         0
4                 4                         4
4                 8                         4
8                 0                         0
8                 4                         8
8                 8                         8
Implicit Privileges for Table Ownership
Diagram (flow inside DSNX@XAC for an access request):
– Is user ID of accesser equal to owner of table? Yes: set RC = 0
– No: Is current SQL ID equal to owner of table? Yes: set RC = 0
– No: check RACF profiles and set the RACF RC
Access Allowed By Ownership
Diagram: DB2 security in subsystem DB2P asks the access control module: does PAYID have INSERT privilege to the table PAYID.EMPL in the PAYDB database?
– Owner? PAYID = PAYID: Yes, RC = 0
– The RACF profiles (MDSNTB DB2P.PAYID.EMPL.INSERT UA(NONE) PHILE(READ); DSNADM DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ), DB2P.SYSADM UA(NONE) JULIE(READ), DB2P.DATAACCESS UA(NONE) JIMM(READ)) are not checked
Result: RC = 0, Allow.
Access Allowed By Object Profile
Diagram: DB2 security in subsystem DB2P asks the access control module: does the user PHILE have INSERT privilege to the table PAYID.EMPL in the PAYDB database?
– Owner? PHILE = PAYID: No
– Object profile, MDSNTB class: DB2P.PAYID.EMPL.INSERT UA(NONE) PHILE(READ): RC 0, Yes
– Set RC 0; the DBADM, SYSADM and DATAACCESS authority checks (DSNADM class: DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ), DB2P.SYSADM UA(NONE) JULIE(READ), DB2P.DATAACCESS UA(NONE) JIMM(READ)) are not performed
Result: RC = 0, Allow.
Access Allowed By SYSADM Profile
Diagram: DB2 security in subsystem DB2P asks the access control module: does the user JULIE have INSERT privilege to the table PAYID.EMPL in the PAYDB database?
– Owner? JULIE = PAYID: No
– Object profile, MDSNTB class: DB2P.PAYID.EMPL.INSERT UA(NONE) PHILE(READ): RC 8
– DBADM Authority? DSNADM class: DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ): RC 8
– SYSADM Authority? DSNADM class: DB2P.SYSADM UA(NONE) JULIE(READ): RC 0
– Set RC 0; the DATAACCESS Authority check (DSNADM class: DB2P.DATAACCESS UA(NONE) JIMM(READ)) is not needed
Result: RC = 0, Allow.
Access Allowed By DBADM Profile
Diagram: DB2 security in subsystem DB2P asks the access control module: does the user JOHNH have INSERT privilege to the table PAYID.EMPL in the PAYDB database?
– Owner? JOHNH = PAYID: No
– Object profile, MDSNTB class: DB2P.PAYID.EMPL.INSERT UA(NONE) PHILE(READ): RC 8
– DBADM Authority? DSNADM class: DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ): RC 0
– Set RC 0; the SYSADM and DATAACCESS Authority checks (DSNADM class: DB2P.SYSADM UA(NONE) JULIE(READ), DB2P.DATAACCESS UA(NONE) JIMM(READ)) are not needed
Result: RC = 0, Allow.
Unprotected Object - Defer To DB2
Diagram: DB2 security in subsystem DB2P asks the access control module: does the user JOEM have SELECT privilege to the table PAYID.REG in the PAYDB database?
– Owner? JOEM = PAYID: No
– Object profile, MDSNTB class: NO PROFILE FOUND for DB2P.PAYID.REG.SELECT: RC 4
– DBADM Authority? DSNADM class: DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ): RC 8
– SYSADM Authority? DSNADM class: DB2P.SYSADM UA(NONE) JULIE(READ): RC 8
– DATAACCESS Authority? DSNADM class: DB2P.DATAACCESS UA(NONE) JIMM(READ): RC 8
– Set RC 4
Result: RC = 4, DB2 Security decides (the object is not protected by RACF, so the request is deferred to DB2's own authorization checking).
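The decision flow of the six example slides above, together with the return-code table, as an added example in Python (not Vanguard or IBM code). The RACF profiles are constructed from the ones drawn on the slides; the ordering of RACF access levels and the way several DSNADM checks fold into a single RC before the table is applied are assumptions of this model.

```python
from dataclasses import dataclass, field

ALLOW, DEFER, DENY = 0, 4, 8   # return codes DSNX@XAC passes back to DB2
# RACF access levels from lowest to highest (assumed ordering for the check)
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class Profile:
    uacc: str = "NONE"                        # universal access, UA(...) on the slides
    acl: dict = field(default_factory=dict)   # user ID -> access level on the access list

# Constructed RACF database mirroring the profiles drawn on the slides.
RACF_DB = {
    "MDSNTB": {"DB2P.PAYID.EMPL.INSERT": Profile("NONE", {"PHILE": "READ"})},
    "DSNADM": {"DB2P.PAYDB.DBADM": Profile("NONE", {"JOHNH": "READ"}),
               "DB2P.SYSADM": Profile("NONE", {"JULIE": "READ"}),
               "DB2P.DATAACCESS": Profile("NONE", {"JIMM": "READ"})},
}

def racf_check(cls, name, user, needed="READ"):
    """Discrete-profile check: 0 allowed, 4 no profile found, 8 denied."""
    prof = RACF_DB.get(cls, {}).get(name)
    if prof is None:
        return DEFER
    granted = max(prof.uacc, prof.acl.get(user, "NONE"), key=ACCESS_ORDER.index)
    return ALLOW if ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(needed) else DENY

def combine(obj_rc, adm_rc):
    """One row of the 'DSNX@XAC Exit Return Codes' table -> RC passed to DB2."""
    if ALLOW in (obj_rc, adm_rc):
        return ALLOW
    return obj_rc    # 4 stays 4 (defer to DB2's own checks), 8 stays 8 (deny)

def table_privilege_rc(user, privilege, subsys, owner, table, database, sqlid=None):
    """Ownership first, then the MDSNTB object profile, then DSNADM authorities."""
    if owner in (user, sqlid):           # implicit privileges of table ownership
        return ALLOW
    obj_rc = racf_check("MDSNTB", f"{subsys}.{owner}.{table}.{privilege}", user)
    if obj_rc == ALLOW:
        return ALLOW                     # the authority profiles are not looked at
    authorities = (f"{subsys}.{database}.DBADM", f"{subsys}.SYSADM",
                   f"{subsys}.DATAACCESS")
    adm_rcs = [racf_check("DSNADM", p, user) for p in authorities]
    if ALLOW in adm_rcs:
        adm_rc = ALLOW
    elif all(rc == DEFER for rc in adm_rcs):
        adm_rc = DEFER
    else:
        adm_rc = DENY
    return combine(obj_rc, adm_rc)
```

Running the six slide scenarios through `table_privilege_rc` reproduces their results: ARTH gets 8, PAYID, PHILE, JULIE and JOHNH get 0, and JOEM's SELECT on the unprotected PAYID.REG gets 4.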
DB2 Access Events Logged to SMF
Violations
• RACF has checked all object profiles
• RACF has checked all authority profiles
• The final resulting return code is 8
• AUDIT(FAILURES) in object profile
Successes
• A RACF profile has allowed access (RC=0)
• AUDIT(SUCCESS) in profile
How and What and Where DB2 Caches
• Successful access to objects
– Plans, Packages, or Routines (user-defined functions and stored procedures)
– The cache entry is very specific
• JIMM has EXECUTE on plan WXYZ
• BOBS has EXECUTE on plan ABCD
– DB2 does NOT cache HOW you got the access
• User has DBADM or SYSADM
• Cache updated no matter how the access was granted
– DBADM, SYSADM, or explicit
• Internal to DB2
– The RACF exit is not called if there is a hit in the cache
To ADD an Access Permission
• Do a RACF PERMIT command
– PE DB2P.ABCD.EXECUTE CL(MDSNPN) ID(TSJH01) AC(READ)
– NOTE: since the class is globally RACLISTED, no warning message reminding you to do a RACLIST refresh is issued
• Issue SETR refresh command
– SETR RACLIST(MDSNPN) REFRESH
– If NOT in SYSPLEX communications mode, do on all LPARS
• Change will take effect as soon as the refresh is done
To REMOVE an Access Permission
This gets VERY tricky!!
• Assume
– TSJH01 was permitted EXECUTE to Plan ABCD
– TSJH01 has actually executed the plan since DB2 was last started
• Issue RACF permit delete command and refresh
– PE DB2P.ABCD.EXECUTE CL(MDSNPN) ID(TSJH01) DELETE
– SETR RACLIST(MDSNPN) REFRESH
• TSJH01 will still be able to execute the PLAN!
– You will have to issue internal DB2 GRANT and REVOKE commands to flush the cache
– Each REVOKE will only flush that explicit entry in the Cache
Enhanced Cache Management - DB2 V11
• The AUTHEXIT_CACHEREFRESH subsystem parameter specifies whether the cache entries are to be refreshed.
• The cache entries are refreshed only when the access control authorization exit (DSNX@XAC) is active.
• The resource class must have SIGNAL=YES defined in the CDT.
• SETR RACLIST(MDSNPN) REFRESH will refresh the cache.
Migrating from DB2 to RACF Security
RACF/DB2 Migration Utility
How can I convert from DB2 security to RACF security?
Let’s use the DB2 to RACF Migration Utility!
DB2 to RACF Migration Tool
Diagram: the RACFDB2 Utility (JCL, EXEC and documentation) reads the DB2 Authorization Tables of the DB2 subsystem:
– SYSIBM.SYSCOLAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSPACKAUTH, SYSIBM.SYSPLANAUTH, SYSIBM.SYSRESAUTH, SYSIBM.SYSROUTINEAUTH, SYSIBM.SYSSEQUENCEAUTH, SYSIBM.SYSSCHEMAAUTH, SYSIBM.SYSTABAUTH, SYSIBM.SYSUSERAUTH, SYSIBM.SYSVARIABLEAUTH
Its output, RCF.RACFDB2.CONVCLST, is a stream of RDEF, RALT and PERMIT commands that define the profiles in the RACF Database (DSNADM, MDSNTB and MDSNPN classes).
Running the RACFDB2 Utility
• Download the RACF to DB2 utility via WWW or FTP
• Specify values for
– DB2 subsystem name
– Owner of profiles
– Class name root
– Single subsystem or multi-subsystem
– Last character of classname
• User who runs tool must have SELECT privilege on the SYSIBM.SYSxxxAUTH tables
Migration to RACF Security
• RACF commands are generated for 9 of the 16 DB2 Object types, and DB2 Authorities
• Not all DB2 Object types are handled:
– Global Variables
– Java Archive files (JARs)
– Schemas
– Sequences
– Stored Procedures
– User Defined Distinct Types
– User Defined Functions
• Privileges higher than SELECT to a VIEW not processed correctly
Profiles Generated by RACFDB2 Utility
• Builds RDEFINE commands for all objects, privileges and authorities
• AUDIT(ALL(READ)) is set for DB2 administrative authorities
• UACC is set to READ if granted to PUBLIC
• PERMIT with ACCESS(READ) if authorized without GRANT
• PERMIT with ACCESS(ALTER) if authorized with GRANT
• All profiles are defined in member classes
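The table-privilege rules from the slide above, applied to catalog rows as an added example in Python (not the RACFDB2 utility's own code). The rows are constructed in the shape of SYSIBM.SYSTABAUTH, the OWNER value is assumed, and the command spelling follows the PE example earlier in the deck.

```python
SUBSYS = "DB2P"        # DB2 subsystem name given to the utility
OWNER = "DB2ADMIN"     # RACF owner for the generated profiles (assumed value)

# SYSTABAUTH column -> DB2 table privilege. Each column holds ' ' (not granted),
# 'Y' (granted) or 'G' (granted WITH GRANT OPTION).
PRIV_COLUMNS = {"SELECTAUTH": "SELECT", "INSERTAUTH": "INSERT",
                "UPDATEAUTH": "UPDATE", "DELETEAUTH": "DELETE",
                "ALTERAUTH": "ALTER", "INDEXAUTH": "INDEX",
                "REFERENCESAUTH": "REFERENCES"}

# Constructed catalog rows: grantee, table creator (schema), table name, flags.
SYSTABAUTH_ROWS = [
    {"GRANTEE": "PHILE", "TCREATOR": "PAYID", "TTNAME": "EMPL",
     "SELECTAUTH": "Y", "INSERTAUTH": "Y"},
    {"GRANTEE": "PUBLIC", "TCREATOR": "PAYID", "TTNAME": "REG", "SELECTAUTH": "Y"},
    {"GRANTEE": "JOHNH", "TCREATOR": "PAYID", "TTNAME": "EMPL", "SELECTAUTH": "G"},
]

def generate_commands(rows, subsys=SUBSYS, owner=OWNER):
    """Return one RDEFINE per MDSNTB profile followed by the PERMITs for it.

    Slide rules: UACC(READ) when granted to PUBLIC, ACCESS(READ) when authorized
    without GRANT, ACCESS(ALTER) when authorized WITH GRANT OPTION."""
    uacc = {}       # profile name -> UACC value
    permits = []    # (profile name, grantee, access level)
    for row in rows:
        for column, privilege in PRIV_COLUMNS.items():
            flag = row.get(column, " ")
            if flag not in ("Y", "G"):
                continue
            profile = f"{subsys}.{row['TCREATOR']}.{row['TTNAME']}.{privilege}"
            uacc.setdefault(profile, "NONE")
            if row["GRANTEE"] == "PUBLIC":
                uacc[profile] = "READ"
            else:
                permits.append((profile, row["GRANTEE"],
                                "ALTER" if flag == "G" else "READ"))
    commands = [f"RDEFINE MDSNTB {name} UACC({level}) OWNER({owner})"
                for name, level in sorted(uacc.items())]
    commands += [f"PERMIT {name} CLASS(MDSNTB) ID({grantee}) ACCESS({access})"
                 for name, grantee, access in permits]
    return commands
```

Profiles for the other object classes and the DSNADM authorities follow the same pattern with their own profile-name formats and the AUDIT(ALL(READ)) setting.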
Executing the Commands Generated
• Consider replacing many discrete profiles!
– Use generic profiles?
– Use some grouping profiles?
– Use RACFVARS variable?
• Execute the generated RACF commands
• Customize the DSNX@XAC exit
• Activate the DB2 general resource classes
• Activate the DSNX@XAC exit
• Administer DB2 security with RACF
Considerations
• Any tools that use the security tables in DB2 catalog?
• There are some differences between DB2 and RACF security
– See DB2 UDB RACF Access Control Module Guide
– PUBLIC*
– Implicit privileges of ownership
– DROP and ALTER Index
– CREATETMTAB privilege
– CREATE VIEW privilege
– “Any table” privilege
– WITH GRANT OPTION
Benefits of RACF Security for DB2
• Provides a single point of control for RACF and DB2 security administration
• RACF models DB2 security privileges and administrative authorities
• Provides flexibility for multiple DB2 subsystems with a single set of RACF profiles
• Security rules are independent of DB2 objects
– Can define RACF profiles before object is created
– RACF profiles continue to exist after object is dropped
– Allows you to validate a user ID before giving it access to a DB2 object
Cascading Revokes
• WITH GRANT OPTION
• Cascading revokes also affect objects owned by users. When a user is deleted from DB2, resources and authorizations to use them are deleted as well.
Benefits of RACF Security for DB2
• No cascading revoke
• Protect multiple objects via generics, grouping profiles, and RACFVARS
• One or several sets of general resource classes
• Conversion utility to assist implementation
• Can implement in phases by type of DB2 object
Bibliography for DB2 Version 9.1
• DB2 V9.1 for z/OS RACF Access Control Module Guide, SC18-9852
• DB2 V9.1 for z/OS Administration Guide, SC18-9840
• DB2 V9.1 for z/OS SQL Reference, SC18-9854
• DB2 V9.1 for z/OS Command Reference, SC18-9844
• DB2 V9.1 for z/OS Utility Guide and Reference, SC18-9855
• z/OS Security Server RACF Administrator’s Guide, SA22-7683
• z/OS Security Server RACF System Programmer’s Guide, SA22-7681
• z/OS Security Server RACF Auditor’s Guide, SA22-7684
• z/OS Version 1 Release 8 RACF Implementation, SG24-7248-00 (Redbook), Chapter 4: RACF and the DB2 access control module
Bibliography for DB2 Version 10
• DB2 10 for z/OS RACF Access Control Module Guide, SC19-2982
• DB2 10 for z/OS Administration Guide, SC19-2968
• DB2 10 for z/OS SQL Reference, SC19-2983
• DB2 10 for z/OS Command Reference, SC19-2972
• DB2 10 for z/OS Utility Guide and Reference, SC19-2984
• DB2 10 for z/OS What’s New?, GC19-2985
• z/OS Security Server RACF Administrator’s Guide, SA22-7683
• z/OS Security Server RACF System Programmer’s Guide, SA22-7681
• z/OS Security Server RACF Auditor’s Guide, SA22-7684
• z/OS Version 1 Release 8 RACF Implementation, SG24-7248-00 (Redbook), Chapter 4: RACF and the DB2 access control module
Bibliography for DB2 Version 11
• DB2 11 for z/OS RACF Access Control Module Guide, SC19-4065
• DB2 11 for z/OS Administration Guide, SC19-4050
• DB2 11 for z/OS SQL Reference, SC19-4066
• DB2 11 for z/OS Command Reference, SC19-4054
• DB2 11 for z/OS Utility Guide and Reference, SC19-4067
• DB2 11 for z/OS What’s New?, GC19-2985
• DB2 11 for z/OS Technical Overview, SG24-8180-00 (Redbook)
• z/OS Security Server RACF Administrator’s Guide, SA23-2289
• z/OS Security Server RACF System Programmer’s Guide, SA23-2287
• z/OS Security Server RACF Auditor’s Guide, SA23-2290