Managing Security on DB2 on Z/os platform

Mohamed Esmael


Our duty now on the DB2 team is to implement separation of duties. After our research we found that we have two scenarios:

1- Through DB2, when I set the separate security parameter to YES
2- Through RACF

The question is which is better. Also, if we choose the first scenario, can I have more than one SECADM? I read that we can have SECADM1 & SECADM2.

Hint: we use DB2 V10.

Javier Estrada Benavides

RE: Managing Security on DB2 on Z/os platform
(in response to Mohamed Esmael)

Hello:

  I think the shortest answer is.... "depends on how you're organized at your shop".

  In here we use the native DB2 option, and we don't use a separate group for security (so that means we don't separate SECADM from SYSADM), and we didn't like the option of handling security with RACF. Personally I don't have any issues with any option, but the real problem was in the team:

Let's say, for example, that you have the idea of setting up trusted contexts and you'll revoke any individual privileges from remote application users, so that means a complete reorganization of the security environment, policies, and even internal paperwork. The problem is... who's going to do what? If you're working with RACF, they will, at some point, need to hire a DB2 guy because chances are they only know RACF for traditional z/OS security, and the same thing would happen if you assign SECADM to non-DB2 people.

I've also seen that the DB2 guy from RACF will quit shortly because, well... he's a DB2 guy after all. That's just an example of what I've seen over time.

I like the three options BTW, but they all require a very very very detailed planned organization.

Hope that helps,

Regards


Javier Estrada

Certified DB2 11 for z/OS System Administrator. Mexico

Mohamed Esmael

RE: Managing Security on DB2 on Z/os platform
(in response to Javier Estrada Benavides)

First

Thanks a lot, Javier, for your help and for your opinion.

Second

In our shop, both solutions are possible, as we have two teams, DB2 & RACF. I want to know the concerns of each one. Also, you say I can implement a third solution between them; how can I do that?

Thanks in advance


Javier Estrada Benavides

RE: Managing Security on DB2 on Z/os platform
(in response to Mohamed Esmael)

Hi:

  Actually what I meant with the third option is to use separate security NO and handling security with SYSADM users, but if the DB2 team will have separate users or people only to handle security, then using SECADM is a better option as long as they're DB2 guys as well, that way security projects are handled by the people who know DB2.

  I like, however, that the RACF guys can use other tools to have a better visual of the privileges (in here some "new RACF" guys use graphical LDAP clients to manage RACF profiles by setting up the interface with the ITDS (LDAP) server), but with a very structured organization you can just use CA RC/Secure when it's non-RACF DB2 security.

The bottom line is, they're all great choices and not so hard to implement, but when it comes to implementing new security strategies after all that, it could get hard (in my previous example, setting up trusted contexts to assign roles and approve specific IP addresses sounds entirely like a security project, but the RACF guys would never know about this and instead it would be a DB2 SysProg proposing it, and also doing all the research and work, see the point? That's a real life example that we had in here).


Regards,

Javier Estrada

Certified DB2 11 for z/OS System Administrator. Mexico
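The trusted-context approach Javier describes (privileges moved to a role, the role usable only from an approved address) as DB2 for z/OS SQL. This is an added example, not code from this thread; the names APPSRV, APPSRV_ROLE, CTX_APPSRV, PROD.ORDERS and the address 192.0.2.10 are assumptions.

```sql
-- Constructed example: a remote application server gets its privileges through a
-- role that is only available inside a trusted context. Names and address are assumed.

-- 1. Put the application's table privileges on a role instead of on the authid.
CREATE ROLE APPSRV_ROLE;
GRANT SELECT, INSERT, UPDATE ON TABLE PROD.ORDERS TO ROLE APPSRV_ROLE;

-- 2. Take away the privileges that were granted directly to the application's authid,
--    so the authid on its own (used from anywhere else) no longer reaches the table.
REVOKE SELECT, INSERT, UPDATE ON TABLE PROD.ORDERS FROM APPSRV;

-- 3. The role is assigned only when the connection matches the trusted context:
--    system authid APPSRV, arriving from one approved address, over an encrypted
--    connection. A connection from any other address gets no role and no privileges.
CREATE TRUSTED CONTEXT CTX_APPSRV
  BASED UPON CONNECTION USING SYSTEM AUTHID APPSRV
  ATTRIBUTES (ADDRESS '192.0.2.10',
              ENCRYPTION 'HIGH')
  DEFAULT ROLE APPSRV_ROLE
  ENABLE;

-- 4. Check: which trusted contexts exist, who they are for, and whether they are enabled.
SELECT NAME, SYSTEMAUTHID, DEFAULTROLE, ENABLED
  FROM SYSIBM.SYSCONTEXT
 WHERE NAME = 'CTX_APPSRV';
```

With SEPARATE_SECURITY=YES the CREATE ROLE, GRANT, REVOKE and CREATE TRUSTED CONTEXT statements are the SECADM's job rather than the SYSADM's, which is exactly the split the thread is about.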

Mohamed Esmael

RE: Managing Security on DB2 on Z/os platform
(in response to Javier Estrada Benavides)

Again, thanks a lot for your support. We will try to implement security through RACF, as we see some advantages over DB2 security.

Mohamed Esmael

RE: Managing Security on DB2 on Z/os platform
(in response to Mohamed Esmael)

Dear Javier

  Sorry for the disturbance. I want to ask you if I can make a mix between the two ways to handle security on DB2. Is that available or not?

Thanks in advance

Javier Estrada Benavides

RE: Managing Security on DB2 on Z/os platform
(in response to Mohamed Esmael)

Hi:

  Now you're getting into the gray zone. In my opinion, it depends on how you want to handle it and what kind of security you want to offer, so it requires a detailed "list of services", well, more like a security strategy to see how it can be implemented, for example...

The standard way is to handle DB2 internally (SECADM or not, they're DB2), but that does not mean that the RACF group is not involved, because they still have to take care of the DSNR class, and of course, to handle the security on the dataset level, so, strictly speaking, that already is a mixed way, but it has to be detailed in how you want to implement projects (here's another example: you can limit access to DB2 from remote applications by using RACF or internally via DB2 and get the same effect). So.... if you want a technical view, it requires detailing what the security strategy will be and how it can be best implemented to go full RACF, full DB2, or standard and go from there. That's why it's the gray zone, and the worst part is that most of the time it requires planning very far ahead.

Hope that helps,

Btw, I'm not sure if my email shows in my profile if you look at it, but you can always reach me there.


Regards,

Javier Estrada Benavides,

Certified DB2 11 for z/OS System Administrator. Mexico

Mohamed Esmael

RE: Managing Security on DB2 on Z/os platform
(in response to Javier Estrada Benavides)

First

Thanks again for your kind support on that issue.

What made me think about a combination between the two ways is that if I use DB2 internal security (SECADM), the SYSADM and installation SYSADM can also handle security issues, which is granting or revoking or creating security objects, and I think I can limit that by using RACF or a combination, but as you say it consumes time and effort.