DB2-RACF Question

Brunner Don J

DB2-RACF Question
For those who have migrated an existing DB2 subsystem from
DB2 internal security to RACF, I have a question concerning
rows in table SYSIBM.SYSROUTINEAUTH. How do you migrate
rows in that table that have a GranteeType of P (which
indicates that the Grantee is either a Package or Plan)?

We have a Stored Procedure which is called from within a
Package. An entry exists in SYSIBM.SYSROUTINEAUTH with a
Grantee of the Package name. Execute authority has also
been granted on this Stored Procedure to several users.

Creating a RACF profile to cover this Stored Procedure would
seem to entail also having to define the Package name as a
RACF user in order to be able to place it on the access list.
If in fact that's true, that seems to be another shortfall of
using RACF for DB2 security.

Bill Gallagher

Re: DB2-RACF Question
(in response to Brunner Don J)
Don,

It seems like we would have run into a similar problem with SYSPACKAUTH,
since it also has a GRANTEETYPE of 'P' in that table. We never
specifically addressed that issue when we migrated to RACF security for
DB2, and have not experienced any problems at all in the two years or so
since we completed our migration, so my guess is that it's not going to
be a problem.

We're only using stored procedures for some system maintenance functions
(our applications folks have not had any interest in stored procedures,
despite my attempts at "marketing" them), so we haven't had any real
opportunities to experience any RACF security issues with stored
procedures.

-------------------------------------------------------------------------------------------------------


Bill Gallagher, DBA
Phoenix Life Insurance
Enfield, CT 06083

IBM Certified Solutions Expert - DB2 UDB v7.1 Database Administration for
OS/390
IBM Certified Solutions Expert - DB2 UDB v7.1 Database Administration for
UNIX, Windows, and OS/2




"Brunner Don J"
Sent by: "DB2 Data Base Discussion List"
01/03/02 12:27 PM
Please respond to "DB2 Data Base Discussion List"
Subject: DB2-RACF Question

For those who have migrated an existing DB2 subsystem from
DB2 internal security to RACF, I have a question concerning
rows in table SYSIBM.SYSROUTINEAUTH.  How do you migrate
rows in that table that have a GranteeType of P (which
indicates that the Grantee is either a Package or Plan)?

We have a Stored Procedure which is called from within a
Package.  An entry exists in SYSIBM.SYSROUTINEAUTH with a
Grantee of the Package name.  Execute authority has also
been granted on this Stored Procedure to several users.

Creating a RACF profile to cover this Stored Procedure would
seem to entail also having to define the Package name as a
RACF user in order to be able to place it on the access list.
If in fact that's true, that seems to be another shortfall of
using RACF for DB2 security.