Converting DB2 (V8/V9) to RACF

Gary Joehlin

Hello again and Happy Holidays!


We are moving along in our implementation of RACF under DB2. We are also converting our subsystems from V8 to V9.

I’m still learning more of the idiosyncrasies of the conversion from DB2 to RACF security and know that I have many more to learn.

I found a passage in the IBM RACF Access Control Module Guide (SC18-9852-01) on page 44 regarding “Authorization checking for implicitly created databases” and was wondering if you implemented it and if you have any comments on it?

“DB2 allows access to an implicitly created database if the user has authorization to either DSNDB04 or the implicitly created database. The RACF access control module differs from DB2 in that it checks only for authorization to DSNDB04, and does not check for authorization to the implicitly created database.”

The above passage leaves much to inference.

Does this passage mean that RACF would act the same way for allowing access to a DB irrespective of the origin of the name, meaning that it would have to be explicitly permitted? If so, how do you see the mechanics of that happening? Because, quoting from the manual, “On DB2 V8, if you create a table and do not specify a database name, DB2 creates the table in the default database, DSNDB04. With DB2 V9, DB2 creates a database for you with the name DSNxxxxx, where xxxxx is a zero-padded increasing integer, and creates the table space or table in that database.”

One solution may be to prohibit implicit DB names and force (non-DBA) to a specific database name. What do you see as the implications of that move?

Thank you again, for your time and best wishes for the New Year!


Gary Joehlin


_____________________________________________________________________
* IDUG North America * Anaheim, California * May 2-6 2011 * http://IDUG.ORG/NA *
* Your only source for independent, unbiased, and trusted DB2 information. *
** DB2 certification -> no additional charge
** Meet fellow DB2 users and leading DB2 consultants
_____________________________________________________________________

If you need to change settings, http://www.idug.org/cgi-bin/wa?A0=DB2-L is the home of IDUG's Listserv

Peter Suhner

Re: Converting DB2 (V8/V9) to RACF
(in response to Gary Joehlin)

Hi Gary,

Actually, we have implemented the latter: in our experience, the inadvertent creation of databases by not completely qualifying a table in the DDL is something we do not allow. The major reason for this is that we want to keep full control over existing databases, and therefore we prefer to limit such objects to be created in DSNDB04.

There haven't been any negative implications of having a system running with this limitation (it's always been there, right?), and for our systems we can't see any requirement to create implicit databases. Maybe this is a useful feature for other types of workloads, but they're of no relevance to our environment.

A variety of approaches towards limiting implicit databases are available (like, e.g., limiting the MAXVALUE of the respective sequence to 1, etc.), and it's easy to find them documented on the web. Hope this helps.


I wish you also the very best for 2011 - good health, joy and success during both the DB2 and non-DB2 hours of your life!

Best regards,
Peter

_______________________
Peter Suhner


Please consider the environment instead of printing this message
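The following is an added example, not code from Peter's or Gary's posts, showing the "limit the sequence to 1" approach Peter mentions together with the inventory checks a practitioner would want before and after making the change. It assumes DB2 9 for z/OS, where implicit database names DSNxxxxx are drawn from the sequence SYSIBM.DSNSEQ_IMPLICITDB and SYSIBM.SYSDATABASE flags implicit databases with IMPLICIT = 'Y'; the catalog column names and the ALTER SEQUENCE options should be verified against your own DB2 9 SQL Reference before running.

```sql
-- Added example (not from the original thread). Assumptions: DB2 9 for z/OS,
-- sequence SYSIBM.DSNSEQ_IMPLICITDB drives the DSNxxxxx names, and
-- SYSIBM.SYSDATABASE.IMPLICIT = 'Y' marks implicitly created databases.

-- 1. Inventory: which implicit databases already exist, who created them,
--    and how many tables they hold. Per the RACF Access Control Module Guide
--    passage quoted by Gary, the RACF module authorizes access to these via
--    DSNDB04, not via the DSNxxxxx database itself, so every row here is an
--    object whose RACF protection is actually the DSNDB04 profile.
SELECT D.NAME, D.CREATEDBY, D.CREATEDTS, COUNT(T.NAME) AS TABLE_COUNT
  FROM SYSIBM.SYSDATABASE D
  LEFT JOIN SYSIBM.SYSTABLES T
         ON T.DBNAME = D.NAME AND T.TYPE = 'T'
 WHERE D.IMPLICIT = 'Y'
 GROUP BY D.NAME, D.CREATEDBY, D.CREATEDTS
 ORDER BY D.NAME;

-- 2. Current definition of the generator sequence (before the change).
SELECT MINVALUE, MAXVALUE, CYCLE, MAXASSIGNEDVAL
  FROM SYSIBM.SYSSEQUENCES
 WHERE SCHEMA = 'SYSIBM'
   AND NAME   = 'DSNSEQ_IMPLICITDB';

-- 3. Pin the sequence so that every unqualified CREATE TABLE resolves to
--    DSN00001. With MAXVALUE 1 and CYCLE the sequence can only ever yield 1;
--    DB2 reuses DSN00001 once it exists instead of creating a new database.
--    Requires the authority to alter a SYSIBM-owned sequence (e.g. SYSADM).
ALTER SEQUENCE SYSIBM.DSNSEQ_IMPLICITDB
      RESTART WITH 1
      MAXVALUE 1
      CYCLE;

-- 4. Re-run step 2 to confirm MAXVALUE = 1, then re-run step 1 after a
--    test CREATE TABLE without IN DATABASE to confirm only DSN00001 appears.
```

This contains the sprawl to one database but does not change the RACF behaviour Gary asked about: objects in DSN00001 are still authorized through the DSNDB04 profile, so the DSNDB04 permissions in RACF are what need to be tightened for non-DBA users.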








Jim Tonchick

Re: Converting DB2 (V8/V9) to RACF
(in response to Peter Suhner)

Hint: there's a REXX exec on the following IBM site http://www-03.ibm.com/systems/z/os/zos/features/racf/downloads/racfdb2r.html that uses SQL against the SYSIBM.*AUTH tables to build the matching RACF profiles. It is very literal and does a one-to-one conversion. I used it to compile the initial RACF requirements for a new subsystem that was designed to use RACF from the start. I edited it to allow for clean up of obsolete access and to create new RACF rules to follow the RACF group ids we already had and to create any new groupings that would fit the current environment and security requirements.

Don't forget, this is a great time to review your DB2 security requirements and remove any access that might have been "grandfathered" during any previous company organizational (sales or acquisitions) or security changes (Sarbanes-Oxley). For example, SYSADM privilege is now only allowed to the few ids in a single RACF group. We also created a controlled set of ids for use in the DSNZPARM module as install SYSADM, etc. These ids are closely monitored and are only used when required by DB2 subsystem level maintenance (PTFs or release upgrade) or for subsystem level recovery at our DR site.

Jim Tonchick

Unitrin Data Services
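The following is an added example and is neither the IBM REXX exec Jim refers to nor code from his post. It shows the literal SYSIBM.*AUTH-to-RACF mapping he describes for one catalog table, SYSIBM.SYSDBAUTH, and builds in the two review points raised in this thread: WITH GRANT OPTION rows are flagged rather than copied, since RACF has no grant-option concept, and privileges held on implicitly created databases are flagged, because per the Access Control Module Guide passage Gary quoted the RACF module checks DSNDB04 for those rather than a DSNxxxxx profile. Assumed, and not taken from the page: the subsystem ID DSN1, the owning RACF group DB2SEC, the MDSNDB profile format <ssid>.<database>.<privilege> with READ access, and the DB2 9 catalog column names used below.

```sql
-- Added example (not IBM's exec, not from the original post).
-- Assumptions: subsystem id DSN1, RACF owner group DB2SEC, MDSNDB profile
-- format <ssid>.<database>.<privilege>, READ access for these privileges.
-- Output is RACF commands as text, so it can be reviewed before execution.
WITH DBPRIV (DBNAME, GRANTEE, PRIVILEGE, GRANTOPT) AS (
  SELECT NAME, GRANTEE, 'DBADM',     DBADMAUTH     FROM SYSIBM.SYSDBAUTH WHERE DBADMAUTH     IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'DBCTRL',    DBCTRLAUTH    FROM SYSIBM.SYSDBAUTH WHERE DBCTRLAUTH    IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'DBMAINT',   DBMAINTAUTH   FROM SYSIBM.SYSDBAUTH WHERE DBMAINTAUTH   IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'CREATETAB', CREATETABAUTH FROM SYSIBM.SYSDBAUTH WHERE CREATETABAUTH IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'CREATETS',  CREATETSAUTH  FROM SYSIBM.SYSDBAUTH WHERE CREATETSAUTH  IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'DISPLAYDB', DISPLAYDBAUTH FROM SYSIBM.SYSDBAUTH WHERE DISPLAYDBAUTH IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'DROP',      DROPAUTH      FROM SYSIBM.SYSDBAUTH WHERE DROPAUTH      IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'IMAGCOPY',  IMAGCOPYAUTH  FROM SYSIBM.SYSDBAUTH WHERE IMAGCOPYAUTH  IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'LOAD',      LOADAUTH      FROM SYSIBM.SYSDBAUTH WHERE LOADAUTH      IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'RECOVERDB', RECOVERDBAUTH FROM SYSIBM.SYSDBAUTH WHERE RECOVERDBAUTH IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'REORG',     REORGAUTH     FROM SYSIBM.SYSDBAUTH WHERE REORGAUTH     IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'REPAIR',    REPAIRAUTH    FROM SYSIBM.SYSDBAUTH WHERE REPAIRAUTH    IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'STARTDB',   STARTDBAUTH   FROM SYSIBM.SYSDBAUTH WHERE STARTDBAUTH   IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'STATS',     STATSAUTH     FROM SYSIBM.SYSDBAUTH WHERE STATSAUTH     IN ('Y','G')
  UNION ALL
  SELECT NAME, GRANTEE, 'STOPDB',    STOPAUTH      FROM SYSIBM.SYSDBAUTH WHERE STOPAUTH      IN ('Y','G')
)
-- Step 1: one RDEFINE per distinct profile, UACC(NONE) so nothing is open
--         unless a PERMIT below says so.
SELECT 1 AS STEP,
       'RDEFINE MDSNDB DSN1.' || RTRIM(DBNAME) || '.' || PRIVILEGE
       || ' UACC(NONE) OWNER(DB2SEC)' AS RACF_CMD
  FROM DBPRIV
 GROUP BY DBNAME, PRIVILEGE
UNION ALL
-- Step 2: one PERMIT per grantee. PUBLIC becomes ID(*). A 'G' (WITH GRANT
--         OPTION) row is emitted commented out: RACF cannot express it, so
--         it has to be consciously re-decided, not silently carried over.
SELECT 2,
       CASE WHEN GRANTOPT = 'G' THEN '/* HAD GRANT OPTION - REVIEW: */ ' ELSE '' END
       || 'PERMIT DSN1.' || RTRIM(DBNAME) || '.' || PRIVILEGE
       || ' CLASS(MDSNDB) ID('
       || CASE WHEN GRANTEE = 'PUBLIC' THEN '*' ELSE RTRIM(GRANTEE) END
       || ') ACCESS(READ)'
  FROM DBPRIV
UNION ALL
-- Step 3: privileges on implicitly created databases. The RACF module will
--         check the DSNDB04 profile for these, so a DSNxxxxx profile would
--         never be consulted; list them so the DSNDB04 permits get reviewed.
SELECT 3,
       '/* IMPLICIT DB ' || RTRIM(P.DBNAME) || ': ' || RTRIM(P.GRANTEE)
       || ' holds ' || P.PRIVILEGE
       || '; RACF checks DSN1.DSNDB04.' || P.PRIVILEGE || ' instead */'
  FROM DBPRIV P
  JOIN SYSIBM.SYSDATABASE D ON D.NAME = P.DBNAME
 WHERE D.IMPLICIT = 'Y'
ORDER BY 1, 2;
```

Run it with output to a data set, read the step 3 comments and the flagged grant-option lines first, then execute the RDEFINE and PERMIT lines that survive the review. The same pattern applies to the other SYSIBM.*AUTH tables (SYSTABAUTH to MDSNTB, SYSUSERAUTH to DSNADM, and so on), each with its own privilege-name mapping from the Access Control Module Guide.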

