SYSADM Authority

Mohamed Esmael

SYSADM Authority

Dear All

We (RACF Group) applied DB2 internal security one week ago, and I face some issues regarding SYSADM authority.

1- How to limit SYSADM authority to make changes to DSNZPARM?

2- How to view the parameters in DSNZPARM that the DB2 system is running with?

3- According to the separation of duties concept, and also according to that approach, SYSADM authority can now handle system privileges only, without SECADM authority or system DBADM authority. Also, is it possible to see catalog tables or what?

Javier Estrada Benavides

RE: SYSADM Authority
(in response to Mohamed Esmael)

Hi:

  If you want to limit what a sysadm can or can't do, it depends on whether you're talking about installation sysadm or sysadm by grant. You might want to think about setting up trusted contexts to assign the sysadm role under specific circumstances (that's just an idea; or, if you want to be more strict, you as the RACF people have the option to deny alter access authority to the SDSNEXIT library and allow it only to a special user. There are a few more options and it doesn't have to be a DB2-only approach).


  As for displaying the Db2 zparms, there's a proc called ADMIN_INFO_SYSPARM and also a sample job that invokes it called DSNTEJ6Z and it's located in your NEW.SDSNSAMP library, and it will show you the current zparms that are in effect.

  And finally, about accessing catalog tables, I'm afraid I don't quite get your point so I can't help with that one.

  Hope that helps a bit :)

Regards,

Javier Estrada Benavides

Certified DB2 for z/OS System Admin, Mexico.
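
A sketch of the trusted-context idea and the zparm display mentioned in the reply above, added here as an example and not taken from the thread or from IBM's sample jobs. The role name `SYSADM_ROLE`, context name `CTX_SYSADM`, auth ID `ADMUSR1` and the address `192.0.2.10` are hypothetical placeholders, and the sketch assumes any direct SYSADM grant to that auth ID has been revoked:

```sql
-- Hypothetical names throughout: SYSADM_ROLE, CTX_SYSADM, ADMUSR1.
-- 192.0.2.10 is a constructed documentation address, not a real host.

-- 1. Hold SYSADM in a role instead of granting it to a user ID.
CREATE ROLE SYSADM_ROLE;
GRANT SYSADM TO ROLE SYSADM_ROLE;

-- 2. The role is only acquired when ADMUSR1 connects from the
--    listed address; from anywhere else the ID runs without it.
CREATE TRUSTED CONTEXT CTX_SYSADM
  BASED UPON CONNECTION USING SYSTEM AUTHID ADMUSR1
  ATTRIBUTES (ADDRESS '192.0.2.10')
  DEFAULT ROLE SYSADM_ROLE
  ENABLE;

-- 3. Review who holds SYSADM by grant. GRANTEETYPE 'L' marks a role.
--    Installation SYSADM IDs come from DSNZPARM and are not
--    recorded in this table.
SELECT GRANTOR, GRANTEE, GRANTEETYPE, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH <> ' '
 ORDER BY GRANTEE;

-- 4. Review the trusted contexts that can hand out a default role.
SELECT NAME, SYSTEMAUTHID, DEFAULTROLE, ENABLED
  FROM SYSIBM.SYSCONTEXT
 ORDER BY NAME;

-- 5. Display the zparms currently in effect. NULL means the member
--    the caller is connected to; the two markers receive the return
--    code and message, so run this from a client that supports
--    output parameter markers on CALL.
CALL SYSPROC.ADMIN_INFO_SYSPARM(NULL, ?, ?);
```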

Mohamed Esmael

RE: SYSADM Authority
(in response to Javier Estrada Benavides)

Hey,

I am asking about both installation sysadm and sysadm.

Note: I know installation sysadm can still do everything after I enable DB2 internal security.

About accessing catalog tables, I mean: can sysadm still access catalog tables (select, insert and delete) after enabling DB2 internal security?

Thanks

Javier Estrada Benavides

RE: SYSADM Authority
(in response to Mohamed Esmael)

Uh, that's a question that deals with your internal organization. The first thing I would say is "which catalog tables do you wish to restrict and why?" and then go from there. It's something that you would have to internally debate on.

Why is that? It's because the DBA can easily say "I need access to the RTS tables to set up maintenance JCLs for my databases, I need access to SYSTABLES, SYSINDEXES, SYSPACKAGE, etc. to manage DDLs and collections (or whatever)" or "I need x table for y reason to do z task that is assigned to my department". The sysadm would tell you something very similar, the app support would say another version, and so on. In short, if you want to entirely restrict the catalog, you're going to deal with the implications of blocking duties from other departments.

Regards,

Javier Estrada Benavides

Certified DB2 for z/OS System Admin, Mexico.

Mohamed Esmael

RE: SYSADM Authority
(in response to Javier Estrada Benavides)

Also,

I want to ask about the parameters that sysadm wants to access in DSNZPARM, and if we want to change parameters in ZPARM