DB2 Connect, TRACE, and RACF

Kevin Arnold

DB2 Connect, TRACE, and RACF
We are running DB2 v8 and DB2 Connect v8.1.7.445. We are in the process of converting to RACF security (and yes, I did post this to the RACF list too). I am not a DBA, but the RACF manager, so please be nice! :)

The DSNSAMP(DSNTIJCC) says that to use Connect you must have "TRACE AND SYSOPR, SYSCTRL, OR SYSADM". We have developers and other people who ideally would not have the TRACE authority not to mention the entire SYSOPR group. When someone simply connects to DB2 on z/OS, we get a single RACF violation to TRACE. If we then click CATALOG TABLES to get the list of tables, we get 6 more security violations. Functionality in DB2 Connect is not affected that I can tell.

Why would DB2 Connect want the TRACE authority? Would it be a problem (performance or otherwise) to simply deny these TRACE requests?

Regards,
Kevin
614-224-8204


CONFIDENTIALITY NOTICE: The Ohio Public Employees Retirement System intends this e-mail message, and any attachments, to be used only by the person(s) or entity to which it is addressed. This message may contain confidential and/or legally privileged information. If the reader is not the intended recipient of this message or an employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that you are prohibited from printing, copying, storing, disseminating or distributing this communication. If you received this communication in error, please delete it from your computer and notify the sender by reply e-mail.


---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". The IDUG DB2-L FAQ is at http://www.idugdb2-l.org. The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Myron Miller

Re: DB2 Connect, TRACE, and RACF
(in response to Kevin Arnold)
You have a slight misinterpretation here. Your normal DB2 Connect users don't
need any of these authorities to connect to DSNT. They do need execute access
to some of the special stored procedures in DSNTIJCC that DB2 Connect uses.

Only those people that will be using DB2 Connect Control Center to actually
control DB2, i.e. do DB2 system or DBA type functions, need these authorities, and
I suspect most of them have them already. If they don't have it already, then
they don't need it.

I've got several hundred users and developers without any of these privileges
using DB2 Connect without these privileges, so I know it can be done.

Myron


Kevin Arnold

Re: DB2 Connect, TRACE, and RACF
(in response to Myron Miller)
> You have a slight misinterpretation here. Your normal DB2 connect users don't
> need any of these authorities to connect to DSNT. They do need execute access
> to some of the special stored procedures in DSNTIJCC that DB2 connect uses.

> Only those people that will be using DB2 Connect Control Center to actually
> control DB2, ie do DB2 system or DBA type functions need these authorities and
> I suspect most of them have them already. If they don't have it already, then
> they don't need it.

No doubt there is a disconnect. They do have EXECUTE auth to the needed procedures. What you describe is what I would expect but we are definitely getting violations in the RACF MDSNSM.TRACE class just by signing on and displaying the system catalog. And the doc DOES seem to say TRACE is required - maybe they mean if you are going to use full functionality - I don't know. We are asking IBM about it as well.

Perhaps my trace accounting records or something else in our trace has something to do with this? Thanks!

Regards,
Kevin
614-224-8204


Roger Miller

Re: DB2 Connect, TRACE, and RACF
(in response to Kevin Arnold)
This is not to install or use DB2 Connect. These stored procedures are
used for a number of tools. The documentation you should be using is in
the Installation Guide, a section Enabling DB2 Control Center procedures,
Acrobat page 312 for me.

I think the line you are reading is:

IFCID REQUIRES TRACE PRIVILEGE AND SYSOPR, SYSCTRL,
OR SYSADM AUTHORIZATION:

IFCID is a trace. To use it, you have to have the TRACE authority or
SYSADM or SYSCTRL or SYSOPR. Your programmers should not have those
authorities, in general. If you have your operators sign on, then you can
decide which authority they have. If operators are allowed to use
consoles without signing on (your choice), then they will be SYSOPR.

Using RACF means that you are using an exit, and if you want additional
changes, then you can make them.

Roger Miller

On Fri, 2 Dec 2005 10:59:41 -0500, Arnold, Kevin <[login to unmask email]> wrote:
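As an added example (not code from any poster on this thread), the check a RACF administrator would want before deciding to leave the TRACE denials in place: a Python triage of ICH408I violation records that separates the expected TRACE denials Myron and Roger describe from a genuinely missing EXECUTE grant on a Control Center stored procedure. The subsystem name DSNT, the stored-procedure class MDSNSP and the procedure SYSPROC.EXAMPLEPROC are assumptions, and the log records are constructed, not captured.

```python
import re
from collections import Counter

# Constructed sample records (not from a real system), laid out the way
# RACF reports an insufficient-access violation: USER/GROUP/NAME line,
# resource and class, reason, then intended vs. allowed access.
SAMPLE_SYSLOG = """\
ICH408I USER(DEV01   ) GROUP(DEVGRP  ) NAME(DEVELOPER ONE       )
  DSNT.TRACE CL(MDSNSM  )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(DEV02   ) GROUP(DEVGRP  ) NAME(DEVELOPER TWO       )
  DSNT.TRACE CL(MDSNSM  )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(DEV02   ) GROUP(DEVGRP  ) NAME(DEVELOPER TWO       )
  DSNT.SYSPROC.EXAMPLEPROC.EXECUTE CL(MDSNSP  )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

RECORD = re.compile(
    r"ICH408I USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)[^\n]*\n"
    r"\s*(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)[^\n]*\n"
    r"\s*(?P<reason>[^\n]+?)\s*\n"
    r"\s*ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)"
)

def parse_ich408i(text):
    """One dict per violation, with RACF's blank padding stripped."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in RECORD.finditer(text)]

def classify(rec):
    """A denied TRACE check in the system-privilege class is the IFCID call
    described in the thread and can stay denied for ordinary users; a denied
    EXECUTE on a stored procedure is a grant that is really missing."""
    if rec["cls"] == "MDSNSM" and rec["resource"].endswith(".TRACE"):
        return "trace-denied-expected"
    if rec["cls"] == "MDSNSP" and rec["resource"].endswith(".EXECUTE"):
        return "execute-missing"
    return "review"

def triage(text):
    """Count violations per category and record which users hit which resource."""
    by_category, hits = Counter(), {}
    for rec in parse_ich408i(text):
        cat = classify(rec)
        by_category[cat] += 1
        hits.setdefault((cat, rec["resource"]), set()).add(rec["user"])
    return by_category, hits

if __name__ == "__main__":
    for (cat, res), users in sorted(triage(SAMPLE_SYSLOG)[1].items()):
        print(f"{cat:22} {res:36} {sorted(users)}")
```

Run it against a day of syslog or the SMF type 80 extract: if every record lands in the first category, the denials are the Control Center IFCID calls and nothing a normal user needs is failing.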