DB2 RACF Security Issue

Irwin Deutsch

DB2 RACF Security Issue
Hi,

We have DB2 for z/OS V9 where an automation product is unauthorized to
issue a STOP DB2 command. The other two DB2 subsystems have no problem.
The RACF setup appears to be the same for all 3 systems. There's nothing
in MDSNSM (or GDSNSM) class and DSNADM class is same for all three
subsystems with three profiles called 'ssid.SYSADM' with identical access
lists. SYSIBM.SYSUSERAUTH has nothing in it.

I'm not familiar with DB2/RACF interface. Any ideas would be greatly
appreciated.


Thanks,

Irwin

______________________________________________________________________

* IDUG 2009 Denver, CO, USA * May 11-15, 2009 * http://IDUG.ORG/lsNA *
______________________________________________________________________



The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L list archives, FAQ, and delivery preferences are at http://www.idug.org/lsidug under the Listserv tab. While at the site, you can also access the IDUG Online Learning Center, Tech Library and Code Place, see the latest IDUG conference information and much more. If you have not yet signed up for Basic Membership in IDUG, available at no cost, click on Member Services at http://www.idug.org/lsms

Dave Smith

Re: DB2 RACF Security Issue
(in response to Irwin Deutsch)
Greetings,

I had to grant SYSOPR to the automation product we have.

Dave

Hennepin County Central IT
Operations/Mainframe Services
[login to unmask email]



Irwin Deutsch <[login to unmask email]>
Sent by: DB2 Data Base Discussion List
<[login to unmask email]> To
[login to unmask email]
cc
12/17/2008 03:26 PM
Subject
[DB2-L] DB2 RACF Security Issue
Please respond to
DB2 Database Discussion list at IDUG
<[login to unmask email]>








Hi,

We have DB2 for z/OS V9 where an automation product is unauthorized to issue a STOP DB2 command. The other two DB2 subsystems have no problem. The
RACF setup appears to be the same for all 3 systems. There's nothing in MDSNSM (or GDSNSM) class and DSNADM class is same for all three subsystems
with three profiles called 'ssid.SYSADM' with identical access lists. SYSIBM.SYSUSERAUTH has nothing in it.

I'm not familiar with DB2/RACF interface. Any ideas would be greatly appreciated.


Thanks,

Irwin



IDUG 2009 - North America * May 11-15, 2009 * Denver, CO, USA


The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L list archives, FAQ, and delivery preferences are at IDUG.ORG under the
Listserv tab. While at the site, you can also access the IDUG Online Learning Center, Tech Library and Code Place, see the latest IDUG conference
information, and much more. If you have not yet signed up for Basic Membership in IDUG, available at no cost, click on Member Services



Disclaimer: Information in this message or an attachment may be government data and thereby subject to the Minnesota Government Data Practices Act, Minnesota Statutes, Chapter 13, may be subject to attorney-client or work product privilege, may be confidential, privileged, proprietary, or otherwise protected, and the unauthorized review, copying, retransmission, or other use or disclosure of the information is strictly prohibited. If you are not the intended recipient of this message, please immediately notify the sender of the transmission error and then promptly delete this message from your computer system.

______________________________________________________________________

* IDUG 2009 Denver, CO, USA * May 11-15, 2009 * http://IDUG.ORG/lsNA *
______________________________________________________________________



The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L list archives, FAQ, and delivery preferences are at http://www.idug.org/lsidug under the Listserv tab. While at the site, you can also access the IDUG Online Learning Center, Tech Library and Code Place, see the latest IDUG conference information and much more. If you have not yet signed up for Basic Membership in IDUG, available at no cost, click on Member Services at http://www.idug.org/lsms