PeopleSoft security and RACF security

Dayna Brennan

PeopleSoft security and RACF security
Melissa,

Yes, when SET SQLID = tableowner, that person will have all the implicit
authorities of the table owner. However, PeopleSoft strictly controls the
panels which any specific user is allowed to execute, this is done via
PeopleTools tables. So even though loser1 can SET SQLID = tableowner, if
they can only execute SELECT panels via PeopleSoft, they will only be able
to SELECT. Of course, outside of PeopleSoft, if they can SET SQLID =
tableowner, they can do anything they want to via SPUFI, QMF, etc. Your
DBAs and Security people need to work closely to make sure that the SET
only works when issued by PeopleSoft code.

Yes, it's a little confusing, I was nervous too when I first saw this, but
it does work.
Good luck to you

Dayna Thomas, DB2 DBA Blue Cross Blue Shield

===============

Date: Wed, 2 Jan 2002 12:12:36 -0500
From: Melissa Rogers <[login to unmask email]>
Subject: using SET SQLID with PEOPLESOFT

Being new to DB2 (DB2 version 6 OS/390), we have not encountered a need to
use the SET SQLID command. I am having a little difficulty in
understanding
when to use the command and how it will affect our implemented RACF
security
(using secondary authids) that we have defined for DB2. Currently, our 3
DB2
DBA's have SYSADM authority in both RACF and DB2 internal security. It is
the DBA's responsibility to create all DB2 objects. The high level
qualifiers for tables and indexes are simply labels, either TST (test) or
PRD (prod).
Now, we are preparing to implement PEOPLESOFT which suggests that the set
current sqlid command will be issued to set the sqlid to the owner id. If
the sqlid gets set to the owner id, won't all the implicit privileges that
an owner has be given to the user? What affects does this have with RACF
security? I would really appreciate any information on how other people
have
implemented security with PEOPLESOFT. The more I read, the more confused
I'm getting!!! Thanks in advance

Troy Coleman

Re: PeopleSoft security and RACF security
(in response to Dayna Brennan)
Hi Melissa,
What version of PeopleSoft People Tools are you installing? My hope is 8.x.
Prior to version 8.x I had always created the table owner with a RACF group
that is owned by the DBA's like PHTADB for "PeopleSoft HRMS Test Version A
DBA owner", I would then create another group used by the Access-ID. This
group would be PHTA. The first thing I did as a DBA is to create an ALIAS
for PHTA pointing to PHTADB. I would then GRANT select,update,insert,delete
on PHTADB tables to PHTA. As for the developers accessing the tables outside
of PeopleSoft I would create another group called PHTADEV and give them
select,insert,update, and delete. At some point you may even give this group
load and runstats authority. Well I did this in my first version 8 upgrade.
I ran the SETSPACE SQR and it was trying to set all the tablespaces to a
DSNxx name because that is what IBM puts in the tablespace name on rows in
sysibm.systables with a type = 'A' for alias. This was not good. Well I
found out that in PeopleSoft 8 you can restrict the developers to only
creating the scripts in a project and not run them. You do this using
permissions. I don't have the menu options in front of me. If you need more
details please let me know.
In summary when installing PeopleSoft Tools V8.x I would create the table
owner as PHTA and give the Access-Id PHTA as a secondary group. So in
PSDBOWNER you would have PHTA as the table owner. You will have to trust
the PeopleSoft System Administrator with your rules for DB2 object creation.
Second put the developers in another RACF group like "PHTADEV" and give them
the privileges they need. The reason you do not want the developers in the
PHTA group is because they would have implicit privilege to drop and create
DB2 objects "Tables, Views, Indexes".
Good Luck,



Troy Coleman
Coleman Consulting, Inc.

IBM Certified Solutions Expert - DB2 V7.1 Database Administrator for OS/390
IBM Certified Advanced Technical Expert DB2 - DRDA
IBM Certified Solutions Expert - DB2 UDB V5 Database Administrator

907 W. Dorset Ave.
Palatine, IL 60067
(847) 722-2698
email: [login to unmask email]