How can I flush/clear the DB2 security cache?

Binyamin Dissen

How can I flush/clear the DB2 security cache?
Is there a command that clears/flushes the DB2 security cache, so that it
needs to reread the information? Not seeing the obvious command.

--
Binyamin Dissen <[login to unmask email]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

Meir Zohar

How can I flush/clear the DB2 security cache?
(in response to Binyamin Dissen)
As with so many things in DB2 - it depends

If you're using DB2 security - DB2 will automatically flush the cache when
you revoke an authority.

If you're using an external security mechanism (i.e. RACF), a REVOKE will
eventually get to the cache (however you can GRANT/REVOKE the equivalent and
DB2 will process a request again the next time you attempt to access the
object).

If you're on DB2 V11 or upward and the AUTHEXIT_CACHEREFRESH system
parameter is set to ALL, DB2 listens to type 62, type 71, and type 79 ENF
signals from RACF® for any user profile or resource access changes. If DB2
receives ENF 62, 71, and 79 signals, it refreshes the cache entries of the
package authorization, the routine authorization, the DDF user
authentication, and the dynamic statement.


Meir Zohar, CISSP
dbX Consulting Services
IBM Gold Consultant
IBM Champion for Analytics
IBM Certified Database Administrator DB2 for z/OS
IBM Certified Database Administrator DB2 for LUW
IBM Certified Specialist - PureData System for Analytics
Israel DB2 RUG
IDUG GMC & EMEA 2017 CPC

Tel: +972 3 5747860
Fsx: +972 3 5747864
Mob: +972 54 5747350
Email: [login to unmask email] – [login to unmask email]

-----הודעה מקורית-----
מאת: Binyamin Dissen [mailto:[login to unmask email]
נשלח: Tuesday, August 15, 2017 12:07 PM
אל: [login to unmask email]
נושא: [DB2-L] - How can I flush/clear the DB2 security cache?

Is there a command that clears/flushes the DB2 security cache, so that it
needs to reread the information? Not seeing the obvious command.

--
Binyamin Dissen <[login to unmask email]> http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me, you
should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems, especially
those from irresponsible companies.

-----End Original Message-----


Binyamin Dissen

How can I flush/clear the DB2 security cache?
(in response to Meir Zohar)
Thank you for your response.

In the case of native security, is that a revoke from any arbitrary user? For
example, doing a GRANT and REVOKE to QWERT will flush all cached security info
for all users?

On Tue, 15 Aug 2017 12:29:54 +0300 Meir Zohar <[login to unmask email]> wrote:

:>As with so many things in DB2 - it depends
:>
:>If you're using DB2 security - DB2 will automatically flush the cache when
:>you revoke an authority.
:>
:>If you're using an external security mechanism (i.e. RACF), a REVOKE will
:>eventually get to the cache (however you can GRANT/REVOKE the equivalent and
:>DB2 will process a request again the next time you attempt to access the
:>object).
:>
:>If you're on DB2 V11 or upward and the AUTHEXIT_CACHEREFRESH system
:>parameter is set to ALL, DB2 listens to type 62, type 71, and type 79 ENF
:>signals from RACF® for any user profile or resource access changes. If DB2
:>receives ENF 62, 71, and 79 signals, it refreshes the cache entries of the
:>package authorization, the routine authorization, the DDF user
:>authentication, and the dynamic statement.
:>
:>
:>Meir Zohar, CISSP
:>dbX Consulting Services
:>IBM Gold Consultant
:>IBM Champion for Analytics
:>IBM Certified Database Administrator DB2 for z/OS
:>IBM Certified Database Administrator DB2 for LUW
:>IBM Certified Specialist - PureData System for Analytics
:>Israel DB2 RUG
:>IDUG GMC & EMEA 2017 CPC
:>
:>Tel: +972 3 5747860
:>Fsx: +972 3 5747864
:>Mob: +972 54 5747350
:>Email: [login to unmask email] – [login to unmask email]
:>
:>-----הודעה מקורית-----
:>מאת: Binyamin Dissen [mailto:[login to unmask email]
:>נשלח: Tuesday, August 15, 2017 12:07 PM
:>אל: [login to unmask email]
:>נושא: [DB2-L] - How can I flush/clear the DB2 security cache?
:>
:>Is there a command that clears/flushes the DB2 security cache, so that it
:>needs to reread the information? Not seeing the obvious command.

--
Binyamin Dissen <[login to unmask email]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.