We did this at my previous job.
The DBA team (actually, it was only me) would define all the RACF
profiles and permits, i.e. all the actual RACF commands, and would
then pass it on to the RACF security administrators for
implementation whenever there were new DB2 objects (databases,
tables, etc.). We used a lot of wildcarding, so that cut down
tremendously on the amount of work needed once everything was set
up initially. All of our security for DB2 under RACF was done to
RACF groups specifically defined for DB2, so once the framework was
in place, all the RACF security administrators would typically have
to do was add or remove people from the appropriate DB2/RACF groups
set up for each application. We typically had a number of groups
set up for each application, for production versus test, business
users versus IT support staff, etc.
The most common “issue” would be when somebody came to
the RACF security administrators with a poorly written request
(“I need access to the so-and-so tables in
production”), and the security folks would then come to me to
decipher their request, which was basically just me telling them
“put them in this RACF group”.
Bottom line: assuming that it will be your RACF security
administrators now taking over responsibility for DB2 security:
give them some very high-level training in DB2 with respect to the
kinds of objects that will be secured within RACF, and document the
security framework as best as you can, i.e. which RACF groups
provide what level of DB2 access to each application.
DB2 Database Administrator
State of Connecticut
Department of Children and Families
From: Mohamed Esmael
Sent: Thursday, October 26, 2017 10:12 AM
Subject: [DB2-L] - RE: RACF/DB2 External security
Thanks, Jorge, for your reply.
2- We know that Grant/Revoke statements are no longer used with RACF; we
use permit. So is there a way to prevent sysadm from executing Grant/Revoke?
3- I want to ask people who have implemented RACF/DB2 External security:
is there any advice that can help us?
-----End Original Message-----