RACF/DB2 External security

Mohamed Esmael

RACF/DB2 External security

Hello guys 

We (the RACF team) are now implementing RACF external security over DB2 V11, and we face some issues, as below:

1- How do we limit installation SYSADM from executing security issues?

2- We know that GRANT/REVOKE statements are no longer used under RACF; we use PERMIT instead. So is there a way to prevent SYSADM from executing GRANT/REVOKE statements?

3- I want to ask people who have implemented RACF/DB2 external security: is there any advice that can help us?


Thanks in Advance 

Jorge Martelanz

RE: RACF/DB2 External security
(in response to Mohamed Esmael)

The way we manage install sysadm is:

  1. sysadm1 is assigned to a non-human userid, and the password is kept secure ("the envelope") and only disclosed in case of emergency (real emergency).
  2. sysadm2 is assigned to a RACF group. Normally no userid belongs to this group; only when a scheduled change requires the implementer to have installation sysadm authority is his or her userid temporarily connected to the group for the duration of the change.

Hope this helps

Jorge Martelanz

Mohamed Esmael

RE: RACF/DB2 External security
(in response to Jorge Martelanz)

Thanks Jorge for your reply.


What about:

2- We know that GRANT/REVOKE statements are no longer used under RACF; we use PERMIT instead. So is there a way to prevent SYSADM from executing GRANT/REVOKE statements?

3- I want to ask people who have implemented RACF/DB2 external security: is there any advice that can help us?

Bill Gallagher

RACF/DB2 External security
(in response to Mohamed Esmael)
We did this at my previous job.

The DBA team (actually, it was only me) would define all the RACF profiles and permits, i.e. all the actual RACF commands, and would then pass it on to the RACF security administrators for implementation whenever there were new DB2 objects (databases, tables, etc.). We used a lot of wildcarding so that cut down tremendously on the amount of work needed once everything was set up initially. All of our security for DB2 under RACF was done to RACF groups specifically defined for DB2, so once the framework was in place, all the RACF security administrators would typically have to do was add or remove people from the appropriate DB2/RACF groups set up for each application. We typically had a number of groups set up for each application, for production versus test, business users versus IT support staff, etc.

The most common “issue” would be when somebody came to the RACF security administrators with a poorly written request (“I need access to the so-and-so tables in production”), and the security folks would then come to me to decipher their request, which was basically just me telling them “put them in this RACF group”.

Bottom line: assuming that it will be your RACF security administrators now taking over responsibility for DB2 security: give them some very high level training in DB2 with respect to the kinds of objects that will be secured within RACF, and document the security framework as best as you can, i.e. which RACF groups provide what level of DB2 access to each application.

Bill Gallagher
DB2 Database Administrator
State of Connecticut
Department of Children and Families
Office: 860-263-1389


Mohamed Esmael

RE: RACF/DB2 External security
(in response to Bill Gallagher)

Dear Bill,

First, thanks for sharing your experience with me. I think that the DB2 team has little experience with RACF classes and profiles, so the RACF security team will define the classes and profiles in coordination with the DB2 team.

Second, I tried to search for the bind agent problem under RACF external security, as it is still a special consideration under RACF.

Third, is there any way to prevent SYSADM from running the DB2 default exit routine to revert to DB2 internal security, or from accessing any member related to security?

Bill Gallagher

RACF/DB2 External security
(in response to Mohamed Esmael)
Mohamed,

I’m not sure if I fully understand your question about preventing SYSADM not running the exit, or reverting to DB2 internal security.

If you are asking if there’s a way for SYSADM to selectively or intentionally bypass RACF security and go with native security, the answer would be no (assuming that the security is defined correctly).

The way RACF security for DB2 works is that the exit will look for a RACF profile that covers the resource (i.e. DB2 object) being checked. Only if there is no profile (either specific or generic) found that covers the resource being checked will RACF defer the authorization request back to DB2 for “native” DB2 checking. For that reason, it is a good idea to define a set of generic profiles for all DB2/RACF classes that will issue a “deny” for the request should no other more specific profile be found for the resource in question. This essentially prohibits ANY authorization checking going back to native DB2.

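Bill's lookup-then-defer rule, as an added example written for this page (not code from the thread or from IBM): a small Python model that checks a DB2 resource against a constructed set of RACF-style profiles. Profile names follow the subsystem.owner.table.privilege layout used for table privileges; the wildcard and access-list rules are a simplified stand-in for RACF's own, and the profile and group names are made up.

```python
# Simplified model of the DB2/RACF exit decision: the most specific
# profile covering the resource wins; with no covering profile the exit
# defers the check to native DB2. Constructed data, not a real system.
from dataclasses import dataclass, field

ACCESS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access order

@dataclass
class Profile:
    name: str                               # e.g. "DB2P.PAYROLL.EMP.SELECT"
    uacc: str = "NONE"                      # universal access
    permits: dict = field(default_factory=dict)  # userid/group -> access

def _match(pat, res):
    """'**' spans any number of qualifiers, '*' exactly one (simplified)."""
    if not pat:
        return not res
    if pat[0] == "**":
        return any(_match(pat[1:], res[k:]) for k in range(len(res) + 1))
    return bool(res) and pat[0] in ("*", res[0]) and _match(pat[1:], res[1:])

def covers(profile_name, resource):
    return _match(profile_name.split("."), resource.split("."))

def _specificity(p):
    quals = p.name.split(".")
    return (sum(q not in ("*", "**") for q in quals), -quals.count("**"))

def check(profiles, resource, userid, groups, required="READ"):
    """Return ALLOW, DENY, or DEFER (no covering profile: back to native DB2)."""
    covering = [p for p in profiles if covers(p.name, resource)]
    if not covering:
        return "DEFER"
    best = max(covering, key=_specificity)
    if userid in best.permits:                    # user entry wins outright
        granted = best.permits[userid]
    else:                                         # else highest group entry, else UACC
        hits = [best.permits[g] for g in groups if g in best.permits]
        granted = max(hits, key=ACCESS.index) if hits else best.uacc
    return "ALLOW" if ACCESS.index(granted) >= ACCESS.index(required) else "DENY"

# Constructed profiles: one application rule, with and without the
# catch-all "**" UACC(NONE) that stops requests falling back to DB2.
APP_RULES = [Profile("DB2P.PAYROLL.*.SELECT", permits={"PAYRDBA": "READ"})]
WITH_CATCHALL = APP_RULES + [Profile("**", uacc="NONE")]

def demo():
    unsecured = "DB2P.HR.SALARY.SELECT"   # no application profile covers it
    return (
        check(APP_RULES, "DB2P.PAYROLL.EMP.SELECT", "U1", ["PAYRDBA"]),  # ALLOW
        check(APP_RULES, unsecured, "U1", ["PAYRDBA"]),                  # DEFER
        check(WITH_CATCHALL, unsecured, "U1", ["PAYRDBA"]),              # DENY
    )
```

The third result is the point of Bill's advice: with the catch-all in place the uncovered table is denied by RACF instead of being handed back to native DB2 checking.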

Mohamed Esmael

RE: RACF/DB2 External security
(in response to Bill Gallagher)

Thanks again for the reply.

I would like to define what I mean. For example, the DSNTIJUZ member contains ZPARMs related to system and security configuration, and within that configuration are, for example, the SYSADM1 and SYSADM2 fields. So my question is how to limit SYSADM from changing that configuration.

David Baldon

RACF/DB2 External security
(in response to Mohamed Esmael)
You have to use your security package to protect the load libraries that DB2 looks in for the ZPARM data-only load module. Changing the content of the ZPARM member won’t affect DB2 unless the user can get the ZPARM load module into the “proper” load library, which is usually blah.DSNEXIT.

...David


Bill Gallagher

RACF/DB2 External security
(in response to Mohamed Esmael)
ZPARMs are outside the scope of what DB2/RACF external security covers, so I don’t think I can answer that question.

It seems that’s more of a change control/governance question, i.e. who is allowed to change ZPARMs and what is the change process that governs approval and implementation of ZPARM changes.


Mohamed Esmael

RE: RACF/DB2 External security
(in response to Bill Gallagher)

Dear Bill,

I would like to share the definition of the SYSADM1 field with you, from the IBM manuals:

https://www.ibm.com/support/knowledgecenter/SSEPEK_11.0.0/inst/src/tpc/db2z_ipf_sysadm.html

Mohamed Esmael

RE: RACF/DB2 External security
(in response to Jorge Martelanz)

Dear Jorge,

As far as I know, the default user for the SYSADM1 field is SYSADM.

For the SYSADM2 field, it can be a user ID, as I see in the IBM manual, and you mentioned that it can also be a RACF group. Is there any setting I must do to enable that field to accept a RACF group?

Thanks in advance