SYSADM revokes...

Charles Valentin

SYSADM revokes...
Hi Group, 01/06/00

We've been asked by our Auditors to clean up "obsolete"
SYSADM's defined to DB2 (we have numerous sysadm id's).
I seem to recall some time ago there was a discussion on
revoking these id's "without" causing a cascading effect on
privileges granted to id's. Can anyone refresh my memory
on the procedure to do this? We have BMC Opertune product
installed and I believe the idea is to grant install SYSADM
to Userid being revoked, revoking sysadm from Userid
and then removing install sysadm from said Userid.
Am I missing anything? Opertune will allow me to add/remove
install sysadm id's dynamically, so I won't have to re-assemble
zparm & recycle DB2 after each id is defined as install sysadm.
Any help or recommendations would be greatly appreciated.

TIA,
CharlesV.



James Campbell

Re: SYSADM revokes...
(in response to Charles Valentin)
Charles,

- create a new ZPARM which defines the userid as an install sysadm
- restart db2 with the new ZPARM
- revoke sysadm from the userid. Since the userid is still a sysadm (ie
an install sysadm), there's no cascade revoke

You should switch to having a group-id as your sysadm id. Then this
problem goes away.

/* standard disclaimer */
James Campbell
DBA
Hansen Corporation, Doncaster
+61 3 9840 3864
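
An added example, not part of the original thread: catalog queries that inventory the grants a cascade would remove, to be run before the revoke step described above and again afterwards to confirm nothing was lost. OLDADM is a constructed placeholder for the authorization ID being cleaned up; the tables are the standard SYSIBM authorization catalog tables.

```sql
-- OLDADM is a placeholder; substitute the ID the auditors flagged.

-- 1. How OLDADM holds SYSADM in the catalog and who granted it.
--    SYSADMAUTH: 'G' = held with GRANT option, 'Y' = held without it.
--    Install SYSADM comes from ZPARM and is NOT recorded here.
SELECT GRANTOR, GRANTEE, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE = 'OLDADM'
   AND SYSADMAUTH <> ' ';

-- 2. Grants made BY OLDADM. These are the rows a cascading revoke
--    would delete. Save the output as the "before" snapshot.
SELECT GRANTEE, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTOR = 'OLDADM';

SELECT GRANTEE, NAME
  FROM SYSIBM.SYSDBAUTH   WHERE GRANTOR = 'OLDADM';

SELECT GRANTEE, TCREATOR, TTNAME
  FROM SYSIBM.SYSTABAUTH  WHERE GRANTOR = 'OLDADM';

SELECT GRANTEE, NAME
  FROM SYSIBM.SYSPLANAUTH WHERE GRANTOR = 'OLDADM';

SELECT GRANTEE, COLLID, NAME
  FROM SYSIBM.SYSPACKAUTH WHERE GRANTOR = 'OLDADM';

SELECT GRANTEE, QUALIFIER, NAME, OBTYPE
  FROM SYSIBM.SYSRESAUTH  WHERE GRANTOR = 'OLDADM';

-- 3. Only after OLDADM is active as an install SYSADM
--    (new ZPARM loaded), revoke the catalog-recorded authority.
REVOKE SYSADM FROM OLDADM;

-- 4. Re-run query 1: it should now return no rows.
--    Re-run the queries in step 2: the output should match the
--    "before" snapshot. Any missing row is a grant that cascaded.
```

Keeping the step 2 output also gives the auditors a record of which grants still trace back to the retired ID and may need re-granting under a group ID later.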