Ownership of object

Mohamed Esmael

Ownership of object

Hello guys,

According to the SOD concept, how can I limit the object owner from granting privileges on that object, and limit the SECADM from doing so?

Philip Sevetson

Ownership of object
(in response to Mohamed Esmael)
M. Esmael:

I’m speaking, here, for Db2 on z/OS. I’m unaware of whether UDB or LUW or whatever they call it now works in the same way.


1) You cannot prevent a SYSADM from granting privileges anywhere.

2) You also cannot prevent an object owner (for tables) from granting privileges.
Try using a SYSADM account to revoke the authority, on the table, from the owner; the error message is instructive.

3) If the object owner/schema is a TSO ID, have your security administrator disable, or better yet cancel, the ID.

4) If the owner is a “RACF Group” or “Secondary AuthID”, disconnect all UserIDs from the object owner ID.

5) Examine any security exits which may be coded for the subsystem and determine that they do not allow someone to provide such GRANTs. I’ve never heard of such a thing happening, but in theory it’s possible. You can do anything with an exit program.

6) Using 3 or 4 above, whichever is appropriate, will make it impossible for anyone but SYSADM and SECADM to grant privileges on the account.

Philip Sevetson
Computer Systems Manager

From: Mohamed Esmael [mailto:[login to unmask email]
Sent: Monday, August 21, 2017 4:41 AM
To: [login to unmask email]
Subject: [DB2-L] - Ownership of object
-----End Original Message-----

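A worked check for items 2 and 6 above, added here as an example and not part of Philip's reply or the thread: Db2 for z/OS catalog queries that list who holds grantable privileges on a table and who owns it, followed by the REVOKE to try. The schema and table PAYROLL.EMPLOYEE and the IDs APPUSER1 are placeholders assumed for illustration.

```sql
-- Added example (Db2 for z/OS); PAYROLL.EMPLOYEE and APPUSER1 are assumed names.

-- 1) Who can GRANT on this table? A privilege column in SYSIBM.SYSTABAUTH is
--    'Y' when held, 'G' when held WITH GRANT OPTION (grantable by the grantee).
--    GRANTEETYPE is blank for an authorization ID and 'L' for a role.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, GRANTORTYPE,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, ALTERAUTH,
       INDEXAUTH, REFERENCESAUTH, TRIGGERAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMPLOYEE'
   AND 'G' IN (SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, ALTERAUTH,
               INDEXAUTH, REFERENCESAUTH, TRIGGERAUTH);

-- 2) Who owns the table? The owner's privileges are implicit: they do not
--    appear as grants and, as item 2 says, cannot be revoked.
SELECT CREATOR, NAME, OWNER, OWNERTYPE
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'PAYROLL'
   AND NAME    = 'EMPLOYEE';

-- 3) Revoke from an ordinary grantee (works). Aim the same statement at the
--    OWNER from step 2 to see the error message item 2 refers to.
REVOKE SELECT, INSERT, UPDATE, DELETE
    ON TABLE PAYROLL.EMPLOYEE
  FROM APPUSER1;
```

Run step 1 before and after applying item 3 or 4 to confirm that the only remaining 'G' rows belong to IDs nobody can connect as; an owner row never shows up there, which is why the RACF/TSO side of the ID, not the catalog, is what actually closes the gap.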
Mohamed Esmael

RE: Ownership of object
(in response to Philip Sevetson)

Thanks for your reply.

I think, under the SOD concept, that I will prevent SYSADM from granting privileges when I enable separate security (set it to YES).