Who can issue GRANTs?

Roy Reynolds

Who can issue GRANTs?
I am working with a site to evaluate their DB2 practices. In the 80s the
apps were VSAM. In the early 90s they moved to DB2 but they had no one
trained as either a systems or application DBA. So there were a lot of RTFM
and 'best guess' outcomes.
One application manager has always had auth to issue all the necessary
GRANTs for Dev, QA, and Prod. This manager can also define databases,
tablespaces, tables, indexes, and views, and can modify data in all
environments.

I've proposed migrating the site from DB2 auths to DB2/RACF auths. This
application manager insists on having the auth to define RDEFs and PERMITs
for the DB2/RACF classes.

Question: Do any of you have a situation like this where you have
application managers defining DB2 authorizations? Does it work for you?
Thanks,
Roy

_____________________________________________________________________

* IDUG North America * Tampa, Florida, * May 10-14 2010 * http://IDUG.ORG/NA *
_____________________________________________________________________

http://www.idug.org/db2-videos.html has hundreds of video presentations!
Did you miss out on attending an IDUG conference?
Many of the presentations were recorded and are available on our website!
_____________________________________________________________________

If you need to change settings, http://www.idug.org/cgi-bin/wa?A0=DB2-L is the home of IDUG's DB2-L

Jeff Frazier

Re: Who can issue GRANTs?
(in response to Max Scarpa)
No, I would think Auditors would frown upon that. The other red flag would
be 'can modify data in all environments'. It sounds like this person has SYSADM.
Jeff


Max Scarpa

Re: Who can issue GRANTs?
(in response to Roy Reynolds)
I saw this situation in the past. IMHO no application manager should have
RACF permits. Move her/him to the security group and the problem's solved :-)

Max Scarpa

DB2 for Commodore 64 sysprog


Roger Hecq

Re: Who can issue GRANTs?
(in response to Jeff Frazier)
By application manager do you mean the manager who is the business owner
of the data or an application development manager? My experience has
consistently been that the business owner requested / authorized the
grants and that either the DBAs (DB2 security) or the RACF security
group implemented the necessary rules for the business owner. This is a
fairly basic audit requirement.

Roger Hecq
MF IB USA DB Support
203-719-0492 / 19-337-0492


Cathy Taddei

Re: Who can issue GRANTs?
(in response to Roger Hecq)
Hi Roy. We still do our security in DB2, but we grant only to secondary authids, and have things about as granular as we need them: one authid for read-only for appl A, another for update for appl A, another for read-only for appl B, etc. The DBAs actually perform the grants, but it's pretty clear what table belongs to which application and what level of authority is required, so there's not much decision making there. The real decision is who to connect to which secondary authid. That is controlled in our external security package (Top Secret) and those updates are only made by the security group. HOWEVER, they only make updates per the instructions of the data owner, and the data owner is typically a business person and not in IT, although there are some cases where we have an IT data owner. It sounds like your application manager might correspond to one of our data owners. The difference is division of responsibility -- I can see an application manager maybe having authority over test or dev, but NOT production. For Sarbanes-Oxley, we had to demonstrate division of responsibility in our security definitions -- I think that would be hard to do with a God amongst you.

Regards,
Cathy

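The pattern Cathy describes (grants go to per-application secondary authids, a DBA issues them, and group membership is decided in the external security product) and Jeff's red flag (a single ID holding SYSADM) can both be made concrete in DB2 for z/OS SQL. The block below is an added example written for this thread, not code posted by any of the participants or by IDUG. The schema APPA, the table APPA.CUSTOMER and the secondary authids APPARO and APPAUPD are assumed names; the catalog tables and columns are the standard SYSIBM ones.

```sql
-- Added example (not from the thread). Assumed names: schema APPA,
-- table APPA.CUSTOMER, secondary authids APPARO (read-only) and
-- APPAUPD (update). A DBA runs the GRANTs; RACF / Top Secret decides
-- which users are connected to APPARO and APPAUPD.

-- Read-only secondary authid for application A
GRANT SELECT ON TABLE APPA.CUSTOMER TO APPARO;

-- Update secondary authid for application A
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE APPA.CUSTOMER TO APPAUPD;

-- Neither grant carries WITH GRANT OPTION, so holders cannot re-grant,
-- and no individual user ID appears in either statement.

-- Review 1: table privileges on APPA objects held by anything other
-- than the two application authids (individual users, PUBLIC), or
-- held WITH GRANT OPTION ('G'). Each row is something an auditor will
-- ask about.
SELECT GRANTEE, TTNAME, GRANTOR,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'APPA'
   AND (GRANTEE NOT IN ('APPARO', 'APPAUPD')
        OR 'G' IN (SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH))
 ORDER BY GRANTEE, TTNAME;

-- Review 2: who holds SYSADM at the system level (Jeff's red flag).
-- 'Y' = held, 'G' = held WITH GRANT OPTION.
SELECT GRANTEE, SYSADMAUTH, GRANTOR
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH IN ('Y', 'G')
 ORDER BY GRANTEE;
```

Two caveats when reading the review output: the install SYSADM IDs come from DSNZPARM, not from a GRANT, so they never appear in SYSUSERAUTH and have to be checked separately; and once authorization is delegated to RACF through the access control authorization exit, as Roy is proposing, the catalog rows no longer describe effective access and the review has to be done against the RACF profiles and PERMITs instead.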

Roy Reynolds

Re: Who can issue GRANTs?
(in response to Cathy Taddei)
Hi Roger,
By application manager, I mean Application Development Manager, not
Application Data Owner.
I really appreciate the contributions all are making to this topic.
Regards,
Roy


Roger Hecq

Re: Who can issue GRANTs?
(in response to Roy Reynolds)
The application development manager should not have any security admin
authority on the production DB. That is a major exposure and I am
amazed that the auditors have not gotten on that. Access to production
data should be owned by the business owner of the data and administered
by the security dept or the DBAs.

Roger Hecq
MF IB USA DB Support
203-719-0492 / 19-337-0492
