BIND SECURITY ISSUES

Melissa Rogers

BIND SECURITY ISSUES
Our shop uses DB2 OS/390 version 6 and RACF security. Our DBAs have SYSADM
authority and they are responsible for performing all initial binds. Currently
the only authority (granted through a RACF profile) the programmers have is
to execute packages and plans in test. We have not granted the bindagent,
bindadd or bind privilege to anyone yet; however, the programmers are able to
(re)bind their programs after the DBAs have performed the initial bind.
The programmers do get a RACF error if they try to perform an initial bind.
Any ideas on why they can perform additional binds?



Ashish Mohan

Re: BIND SECURITY ISSUES
(in response to Tim Lowe)
Hmm... interesting... Any secondary authid of the programmers which has
BIND/BINDAGENT authority?

Ashish.



Tim Lowe

Re: BIND SECURITY ISSUES
(in response to Melissa Rogers)
Melissa,
Have you checked the owner parameter on the bind against RACF to see if
they belong to a group of that name?

Thanks, Tim





Walter Janißen

Re: BIND SECURITY ISSUES
(in response to Ashish Mohan)
Melissa

Initial Bind: Do you mean bind a package or a plan for the first time, i.e.
the plan or package is brand new? If that is the case, the programmer needs
BINDADD authority (a system privilege) or BINDAGENT authority from a user
who is allowed to bind a new package or plan. For packages the user has to
have CREATEIN or PACKADM authority for the collections the package will
be bound into.

Additional Bind: Do you mean rebind an existing plan or package? If that is
the case, the programmer needs BIND authority on the package or plan, i.e.
a package or plan privilege, which must be granted for every package or
plan by the owner.



Melissa Rogers

Re: BIND SECURITY ISSUES
(in response to Walter Janißen)
I am not using an owner parameter on the bind, only a qualifier. Could that
be a problem? The programmers all belong to a RACF group. Currently there
are only 2 profiles defined in RACF for the class MDSNPN. The first one is
DB2T.*.EXECUTE, which the programmer group has authority to, and the other one
is a catch-all profile, DB2T.**, which only the DBA and Technical Support
groups belong to. I, as a DBA, did the bind for the first time and did not
perform any grants in DB2 for this plan. Any ideas?

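
Walter's distinction between BINDADD/BINDAGENT and the per-plan BIND privilege, together with the two MDSNPN profiles Melissa lists, can be checked with a small simulation of how RACF resolves a DB2 plan-privilege request to a profile. This is an added example, not code from the thread or from RACF or DB2: the generic matching rules are simplified, the group names PROGS, DBA and TECHSUP and the plan name PAYPLAN are assumed, and the access lists are constructed to mirror what the thread describes.

```python
import re

# Constructed from the thread: the shop's two MDSNPN profiles. The group names
# (PROGS for programmers, DBA, TECHSUP) and READ access are assumptions.
PROFILES = {
    "DB2T.*.EXECUTE": {"PROGS": "READ"},
    "DB2T.**": {"DBA": "READ", "TECHSUP": "READ"},
}

def qualifier_matches(pattern, qual):
    """Within one qualifier: '%' matches one character, '*' zero or more."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace("%", ".") + "$"
    return re.match(regex, qual) is not None

def profile_matches(profile, resource):
    """Simplified RACF generic matching (an approximation, not RACF's own code):
    '**' matches zero or more qualifiers, a lone '*' matches exactly one."""
    pq, rq = profile.split("."), resource.split(".")

    def rec(i, j):
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(rq) + 1))
        if j == len(rq):
            return False
        if pq[i] == "*" or qualifier_matches(pq[i], rq[j]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)

def best_profile(resource):
    """Pick the protecting profile. RACF uses the most specific match; this
    approximates that by fewest generic characters, then longest name."""
    matches = [p for p in PROFILES if profile_matches(p, resource)]
    if not matches:
        return None
    return min(matches, key=lambda p: (p.count("*") + p.count("%"), -len(p)))

def check(group, subsystem, plan, privilege):
    """MDSNPN resource names are subsystem.plan.privilege. Returns the profile
    that protects the resource and whether the group has at least READ.
    Assumes UACC(NONE) and that READ is the access DB2 asks RACF for."""
    resource = f"{subsystem}.{plan}.{privilege}"
    profile = best_profile(resource)
    if profile is None:
        return None, False  # no profile found: the exit defers to DB2's own checking
    return profile, PROFILES[profile].get(group) in ("READ", "UPDATE", "CONTROL", "ALTER")
```

Run against the thread's profiles, the programmers' group resolves DB2T.PAYPLAN.EXECUTE to DB2T.*.EXECUTE and is allowed, but DB2T.PAYPLAN.BIND resolves only to DB2T.**, where they are not on the access list; so the EXECUTE profile cannot explain the rebinds, and the owner and secondary-authid questions raised by Tim and Ashish are the next things to audit.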