Grant Privileges

Mohamed Esmael

Grant Privileges

Hello,

Can an object owner grant or revoke privileges on objects he owns?

Steen Rasmussen

Grant Privileges
(in response to Mohamed Esmael)
If your user ID is ABC and you create table ABC.table1, ABC is the owner and can grant privileges on that table, at least until someone executes TRANSFER OWNERSHIP or does a REVOKE WITH PRIVILEGES. If the user ABC is SYSADM or one of the other powerful ones, then a new set of rules can come into play.

Steen

From: Mohamed Esmael
Sent: Sunday, August 06, 2017 1:54 AM
Subject: [DB2-L] - Grant Privileges
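An added example, not from the thread, of the situation Steen describes: the owner's implicit ability to grant and revoke on a table it created, how that looks in the catalog, and what TRANSFER OWNERSHIP does to it. Db2 11 for z/OS syntax is assumed; the IDs APPUSR1, APPUSR2 and DEF, the database DBABC and the table space TSABC are made-up names.

```sql
-- Added example, not from the thread. Assumes Db2 11 for z/OS and an
-- authorization ID ABC that creates (and therefore owns) ABC.TABLE1.
-- APPUSR1, APPUSR2, DEF, DBABC and TSABC are hypothetical names.

-- 1. ABC creates the table. Ownership carries every privilege on the
--    table plus the ability to grant and revoke them; ABC needs no GRANT.
CREATE TABLE ABC.TABLE1
  (ID      INTEGER NOT NULL PRIMARY KEY,
   PAYLOAD VARCHAR(100))
  IN DBABC.TSABC;

-- 2. As owner, ABC can grant and revoke on the table. WITH GRANT OPTION
--    lets the grantee pass the privilege on, which is exactly what a
--    separation-of-duties design wants to avoid, so prefer grants
--    without it.
GRANT SELECT, INSERT ON TABLE ABC.TABLE1 TO APPUSR1;
GRANT SELECT ON TABLE ABC.TABLE1 TO APPUSR2 WITH GRANT OPTION; -- avoid in practice
REVOKE INSERT ON TABLE ABC.TABLE1 FROM APPUSR1;

-- 3. Who owns the table (OWNER, not just CREATOR, is what matters for
--    grant ability) and which explicit grants exist on it.
SELECT CREATOR, NAME, OWNER, OWNERTYPE
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'ABC' AND NAME = 'TABLE1';

SELECT GRANTOR, GRANTORTYPE, GRANTEE, GRANTEETYPE,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'ABC' AND TTNAME = 'TABLE1';
-- The *AUTH columns hold 'Y' (held), 'G' (held WITH GRANT OPTION) or blank.

-- 4. Move ownership away from ABC. In Db2 for z/OS the REVOKE PRIVILEGES
--    clause is required: ABC's implicit privileges on the table are
--    removed, so ABC can no longer grant on it unless DEF grants to ABC.
TRANSFER OWNERSHIP OF TABLE ABC.TABLE1 TO USER DEF REVOKE PRIVILEGES;

-- Re-run the SYSTABLES query: OWNER is now DEF while CREATOR stays ABC,
-- which is why ownership checks should look at OWNER rather than CREATOR.
```

The two catalog queries are the check to run before and after a TRANSFER OWNERSHIP: the first proves who holds the owner's implicit grant ability, the second shows every explicit grant (and any 'G' entries that allow further re-granting) that an SOD review needs to account for.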

Mohamed Esmael

RE: Grant Privileges
(in response to Steen Rasmussen)

Thanks 

Mohamed Esmael

RE: Grant Privileges
(in response to Steen Rasmussen)

Can I limit the object owner so that he cannot grant privileges on that object, and limit that to the SECADM, if I want to implement SOD?

Philip Sevetson

Grant Privileges
(in response to Mohamed Esmael)
**please note my email address change**
I can’t parse that, and you need to read this:

https://www.ibm.com/support/knowledgecenter/en/SSEPEK_11.0.0/seca/src/tpc/db2z_secadmauthority.html

It looks like you can’t protect table contents from SYSADM IDs under any circumstances. Other IDs will have only the privileges which you GRANT to them.

Finally: SOD is a TLA (Three Letter Acronym). Would you please tell us what it represents? You’ve used it twice and I haven’t seen a definition. It’s not obvious to me, at least.

Philip Sevetson
Computer Systems Manager
5 Manhattan West (33rd St at 10th Ave)
New York, NY 10001-2632
212-857-1688 w
917-991-7052 c
212-857-1659 f

From: Mohamed Esmael
Sent: Tuesday, August 22, 2017 2:15 AM
Subject: [DB2-L] - RE: Grant Privileges

Mohamed Esmael

RE: Grant Privileges
(in response to Philip Sevetson)

Sorry for disturbing you.

What I mean by SOD is separation of duties.

I want to make clear to you that I understand the role of SECADM: after I enable separate security (set it to YES), SECADM will perform GRANT and REVOKE authority on objects, but if SYSADM was the creator of those objects then SYSADM will also be able to GRANT and REVOKE authority.

My question is: how do I limit SYSADM from doing that?

Philip Sevetson

Grant Privileges
(in response to Mohamed Esmael)
As I noted earlier, you cannot prevent a SYSADM from granting authority.

If your SYSADM ID is also the owner of the schema, you need to change that or make the ID not reachable:

1) Get rid of the SYSADM authority, without losing the privileges which the ID has already granted to others:

a. Make the SYSADM an *Install SYSADM* and then revoke SYSADM from it, or

b. Get a list of all of the authorizations where GRANTOR=(Sysadm ID) and grant them from some other ID, *then* revoke SYSADM from the ID.

2) Make the SYSADM ID not reachable by protecting it in RACF/ACF2/TOP SECRET, as previously discussed.


From: Mohamed Esmael
Sent: Tuesday, August 22, 2017 9:14 AM
Subject: [DB2-L] - RE: Grant Privileges
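An added example, not from the thread, of option 1b above: inventory the grants a SYSADM ID made, re-issue them from another ID, verify, and only then revoke SYSADM. Db2 10 or 11 for z/OS is assumed. OLDSYS (the SYSADM ID being retired) and NEWGRNT (an ID that already holds enough authority, for example system DBADM with ACCESSCTRL, to grant the same privileges) are made-up names; only table privileges are shown and the same pattern has to be repeated for the other *AUTH catalog tables.

```sql
-- Added example, not from the thread. Assumes Db2 10 or 11 for z/OS.
-- OLDSYS and NEWGRNT are hypothetical authorization IDs.

-- Step 1: list every table privilege OLDSYS handed out and turn each
-- catalog row into the GRANT that NEWGRNT must execute first.
-- GRANTEETYPE blank = authorization ID, 'L' = role. Column-level UPDATE
-- grants (UPDATECOLS = 'Y') need the column list added by hand.
SELECT 'GRANT '
       || STRIP(CASE WHEN SELECTAUTH <> ' ' THEN 'SELECT,' ELSE '' END
             || CASE WHEN INSERTAUTH <> ' ' THEN 'INSERT,' ELSE '' END
             || CASE WHEN UPDATEAUTH <> ' ' THEN 'UPDATE,' ELSE '' END
             || CASE WHEN DELETEAUTH <> ' ' THEN 'DELETE,' ELSE '' END,
             TRAILING, ',')
       || ' ON TABLE ' || STRIP(TCREATOR) || '.' || STRIP(TTNAME)
       || ' TO ' || CASE GRANTEETYPE WHEN 'L' THEN 'ROLE ' ELSE '' END
       || STRIP(GRANTEE)
       || CASE WHEN SELECTAUTH = 'G' OR INSERTAUTH = 'G'
                 OR UPDATEAUTH = 'G' OR DELETEAUTH = 'G'
               THEN ' WITH GRANT OPTION' ELSE '' END
       || ';' AS GRANT_STMT
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTOR = 'OLDSYS'
   AND GRANTEE <> 'OLDSYS'
   AND (SELECTAUTH <> ' ' OR INSERTAUTH <> ' '
     OR UPDATEAUTH <> ' ' OR DELETEAUTH <> ' ');

-- Step 2: run the generated statements while connected as NEWGRNT, then
-- confirm that nothing OLDSYS granted is still held only through OLDSYS.
-- Expect zero rows before continuing.
SELECT O.TCREATOR, O.TTNAME, O.GRANTEE
  FROM SYSIBM.SYSTABAUTH O
 WHERE O.GRANTOR = 'OLDSYS'
   AND O.GRANTEE <> 'OLDSYS'
   AND NOT EXISTS (SELECT 1
                     FROM SYSIBM.SYSTABAUTH N
                    WHERE N.GRANTOR  = 'NEWGRNT'
                      AND N.TCREATOR = O.TCREATOR
                      AND N.TTNAME   = O.TTNAME
                      AND N.GRANTEE  = O.GRANTEE);
-- Repeat steps 1 and 2 for SYSDBAUTH, SYSUSERAUTH, SYSROUTINEAUTH,
-- SYSPACKAUTH, SYSPLANAUTH, SYSRESAUTH, SYSSCHEMAAUTH and
-- SYSSEQUENCEAUTH, all of which also carry a GRANTOR column.

-- Step 3: remove SYSADM. Whether Db2 cascades the revoke to privileges
-- that OLDSYS granted is governed by the REVOKE_DEP_PRIVILEGES subsystem
-- parameter (Db2 10 and later also accept an explicit INCLUDING /
-- NOT INCLUDING DEPENDENT PRIVILEGES clause when that parameter allows
-- it). Because every grant now also exists with GRANTOR = 'NEWGRNT',
-- a cascading revoke no longer takes anything away from the grantees.
REVOKE SYSADM FROM OLDSYS;

-- Step 4: check what still hangs off OLDSYS. Tables it owns keep the
-- owner's implicit grant ability even without SYSADM, which is what
-- TRANSFER OWNERSHIP (Db2 11) is for.
SELECT CREATOR, NAME, OWNER FROM SYSIBM.SYSTABLES WHERE OWNER = 'OLDSYS';
SELECT GRANTEE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH WHERE GRANTEE = 'OLDSYS';
```

The ordering matters: the duplicate grants in step 2 are what make step 3 safe regardless of the cascade setting, and step 4 is the reminder that revoking SYSADM alone does not touch ownership, which is the root of the question in this thread.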

Mohamed Esmael

RE: Grant Privileges
(in response to Philip Sevetson)

Thanks for the reply.

I have a couple of questions:

1- Why can I not prevent a SYSADM from granting authority? (Do you mean because he is the object owner, or something else?)

2- How do I make the SYSADM ID not reachable? (Do you mean I can use external security like RACF?)

Philip Sevetson

Grant Privileges
(in response to Mohamed Esmael)

1) You can REVOKE SYSADM from a userID which has the SYSADM privilege. However, if you do not REVOKE SYSADM, then the userID remains all-powerful. SYSADM authority is hard coded in the DBMS. It can’t be restricted. You either have it or you don’t.

2) Yes, the way to make a SYSADM ID “not reachable” is to disable or cancel the related TSO ID if there is one, and/or to disconnect all IDs from it (if it is a RACF Group ID or an ACF2 Secondary AuthID)


From: Mohamed Esmael
Sent: Tuesday, August 22, 2017 10:00 AM
Subject: [DB2-L] - RE: Grant Privileges

Mohamed Esmael

RE: Grant Privileges
(in response to Philip Sevetson)

So what about customizing SYSADM through roles and trusted contexts, according to https://www.ibm.com/support/knowledgecenter/SSEPEK_10.0.0/seca/src/tpc/db2z_migratesysadm.html ?

Philip Sevetson

Grant Privileges
(in response to Mohamed Esmael)
What about it? You can, according to the article, grant the privileges you need to do most operations to the IDs which need the authority. Then you don’t have to grant SYSADM to do those things. That doesn’t change the SYSADM, it allows you to use other high-level privilege sets (DBADM, SECADM, etc) to do the needed things.

If you want to do that, by all means do that – it is likely to meet your needs for Separation of Duties, and will reduce the need to give out SYSADM. However, if you’re thinking that this will “Change” the SYSADM privilege, please note that that article does not suggest such a thing.

You need to use other authorizations to do your work, in order to achieve Separation of Duties. You can’t change SYSADM, so don’t grant it to anyone who needs separated duties.


From: Mohamed Esmael
Sent: Tuesday, August 22, 2017 10:23 AM
Subject: [DB2-L] - RE: Grant Privileges
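An added example, not from the thread, of the roles-and-trusted-context approach the last two posts refer to: the granular authorities replace SYSADM for day-to-day work, and a trusted context makes a role (rather than any person's authid, SYSADM or not) the owner of new objects, so the owner's grant ability stays with the role and is usable only through that connection path. Db2 10 or 11 for z/OS in new-function mode with SEPARATE_SECURITY=YES is assumed, and the statements are assumed to be run by the ID named in the SECADM1 subsystem parameter (SECADM is assigned there, not with GRANT; with SEPARATE_SECURITY=YES only SECADM can create roles and trusted contexts). The role names, context names, IP addresses, database, table space and authorization IDs are made up.

```sql
-- Added example, not from the thread. Assumes Db2 10/11 for z/OS NFM,
-- SEPARATE_SECURITY=YES, and execution as the SECADM1 ID. APPOWNER,
-- SECROLE, CTXDDL, CTXSEC, DBA1, SECOPS1, DBAPP, TSAPP, OLDSYS and the
-- IP addresses are hypothetical.

-- 1. One role per duty. APPOWNER will own application objects; SECROLE
--    can grant and revoke but holds no data access.
CREATE ROLE APPOWNER;
CREATE ROLE SECROLE;

-- Object management for the application database, no SYSADM involved.
GRANT CREATETAB, CREATETS ON DATABASE DBAPP TO ROLE APPOWNER;
-- The grant/revoke duty on its own. ACCESSCTRL cannot read data, and a
-- system DBADM granted WITHOUT DATAACCESS WITHOUT ACCESSCTRL would be the
-- matching object-management-only piece if you need one.
GRANT ACCESSCTRL ON SYSTEM TO ROLE SECROLE;

-- 2. Trusted contexts bind each role to a specific system authid and
--    connection path. Under CTXDDL, objects DBA1 creates are owned and
--    qualified by the role (WITH ROLE AS OBJECT OWNER AND QUALIFIER),
--    so ownership never lands on DBA1's own authid.
CREATE TRUSTED CONTEXT CTXDDL
  BASED UPON CONNECTION USING SYSTEM AUTHID DBA1
  ATTRIBUTES (ADDRESS '10.0.0.5')
  DEFAULT ROLE APPOWNER WITH ROLE AS OBJECT OWNER AND QUALIFIER
  ENABLE;

-- The security team gets the grant/revoke role only from its own host.
CREATE TRUSTED CONTEXT CTXSEC
  BASED UPON CONNECTION USING SYSTEM AUTHID SECOPS1
  ATTRIBUTES (ADDRESS '10.0.0.6')
  DEFAULT ROLE SECROLE
  ENABLE;

-- 3. DDL issued by DBA1 through CTXDDL: the table is APPOWNER.CUSTOMER
--    and its owner is the role, so the owner's implicit grant ability
--    exists only for connections that carry the role.
CREATE TABLE CUSTOMER
  (CUST_ID INTEGER NOT NULL PRIMARY KEY,
   NAME    VARCHAR(60))
  IN DBAPP.TSAPP;

-- 4. Objects already owned by a SYSADM ID can be moved to the role
--    (Db2 11); REVOKE PRIVILEGES is required and strips the old owner's
--    implicit privileges. Run as the current owner or as SECADM.
TRANSFER OWNERSHIP OF TABLE OLDSYS.CUSTOMER TO ROLE APPOWNER REVOKE PRIVILEGES;

-- 5. Verify: nothing in the application schema should be owned by a
--    person's authid, and each context should be enabled with the
--    expected system authid and default role.
SELECT CREATOR, NAME, OWNER, OWNERTYPE
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'APPOWNER' AND OWNERTYPE <> 'L';   -- expect zero rows

SELECT NAME, SYSTEMAUTHID, DEFAULTROLE, ENABLED
  FROM SYSIBM.SYSCONTEXT
 WHERE NAME IN ('CTXDDL', 'CTXSEC');
```

This does not alter what SYSADM authority itself can do, which is Philip's point; it removes the reason SYSADM was needed (object creation and grant administration now run under roles) and keeps ownership off any individual's authid, so the "SYSADM was the creator" case from earlier in the thread does not arise for new objects.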