QMF Q.PROFILES and RACF

Deepak Gujaba Gaikwad

QMF Q.PROFILES and RACF
Hello All,
We have enabled RACF security exit for DB2 v7.1. For QMF, we created RACF profiles for QMF tables and Plan access as per entries in QMF Tables.

All these years, we have been using the QMF interface with only SELECT access to Q.PROFILES. But after we converted to RACF, we are getting access violations for resource DB2.Q.PROFILES.INSERT/DELETE/UPDATE etc.

I looked in SDSQSAPE library; there's no job to GRANT the above access on Q.PROFILES. And all these days, it has been working okay without these access.
Is there anything specific do we need to do for QMF to use RACF security ? All QMF packages are bound with VALIDATE(BIND) DYMANICRULES(RUN).

Please help if anybody using QMF along with RACF security. Thanks for all your help.

Thanks & Regards,
Deepak Gujaba Gaikwad




---------------------------------
Yahoo! Photos
Got holiday prints? See all the ways to get quality prints in your hands ASAP.

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". The IDUG DB2-L FAQ is at http://www.idugdb2-l.org. The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

David S. Waugh

Re: QMF Q.PROFILES and RACF
(in response to Deepak Gujaba Gaikwad)
Deepak:

The following QMF plans have Delete, Insert, Update and Select
authorization to Q.PROFILES:
DSQAICVS
DSQAUPRF
DSQDICVS
DSQDUPRF
DSQ8ICVS
DSQ8UPRF
DSQ9ICVS
DSQ9UPRF

So while it may be true that all these years you've only granted Select
authority to Q.PROFILES to your QMF users (or to PUBLIC), when a QMF user
changes something in their profile and saves it, one of the above plans is
the one which does the work of inserting or updating or deleting a row in
Q.PROFILES (don't know which one offhand, sorry). The individual QMF user
doesn't need Insert, Update or Delete authority against Q.PROFILES, all
they need is EXECUTE authority to the plan that does the SAVE DATA work
(and that program is written in such a way that they can only change their
profile, not anyone else's).

The only time the grant of SELECT to the QMF userids (or to PUBLIC) comes
into play is when they might do a SELECT * FROM Q.PROFILES. You really
don't want them updating their (or anyone else's) profile row outside of
the QMF SAVE PROFILE or RESET PROFILE commands, and having only SELECT
granted to their userids keeps them from doing that.

I'm not familiar enough with RACF/DB2 to be able to tell you exactly what
you need to do to fix this, but it seems you're missing something when it
comes to setting up the DSQxxxxx Plan authorities to Q.PROFILES in RACF.
.
Thanks,
.
David Waugh
IM-3 DB2 Database Administration
Los Alamos National Laboratory
(505) 606-0944 LANL Office Phone
(505) 665-0218 LANL Fax
(775) 315-0225 Cell Phone



Deepak Gujaba Gaikwad <[login to unmask email]>
Sent by: DB2 Data Base Discussion List <[login to unmask email]>
01/16/2006 05:15 AM
Please respond to
DB2 Database Discussion list at IDUG <[login to unmask email]>


To
[login to unmask email]
cc

Subject
[DB2-L] QMF Q.PROFILES and RACF






Hello All,
We have enabled RACF security exit for DB2 v7.1. For QMF, we created RACF
profiles for QMF tables and Plan access as per entries in QMF Tables.

All these years, we have been using the QMF interface with only SELECT
access to Q.PROFILES. But after we converted to RACF, we are getting
access violations for resource DB2.Q.PROFILES.INSERT/DELETE/UPDATE etc.

I looked in SDSQSAPE library; there's no job to GRANT the above access on
Q.PROFILES. And all these days, it has been working okay without these
access.
Is there anything specific do we need to do for QMF to use RACF security ?
All QMF packages are bound with VALIDATE(BIND) DYMANICRULES(RUN).

Please help if anybody using QMF along with RACF security. Thanks for all
your help.

Thanks & Regards,
Deepak Gujaba Gaikwad


Yahoo! Photos
Got holiday prints? See all the ways to get quality prints in your hands
ASAP.
---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and
home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page
select "Join or Leave the list". The IDUG DB2-L FAQ is at
http://www.idugdb2-l.org. The IDUG List Admins can be reached at
[login to unmask email] Find out the latest on IDUG conferences
at http://conferences.idug.org/index.cfm

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". The IDUG DB2-L FAQ is at http://www.idugdb2-l.org. The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm