BMC FastUnload - ImageCopy - Auth Question

Rob Stein

BMC FastUnload - ImageCopy - Auth Question
Anyone know if you can unload from an imagecopy using BMC Unload+ WITHOUT needing select auth on the table??

Philip Sevetson

BMC FastUnload - ImageCopy - Auth Question
(in response to Rob Stein)
Rob, I certainly _hope_ not. That would violate the security paradigm. Why not just have your friendly neighborhood DBADM or SYSADM run the job?


steen rasmussen

BMC FastUnload - ImageCopy - Auth Question
(in response to Rob Stein)
Just a minor correction: FastUnload is from CA, while BMC's is named Unload Plus.

Steen Rasmussen


Rob Stein

BMC FastUnload - ImageCopy - Auth Question
(in response to Rob Stein)
Politics - The ID running the job cannot have read access over the table and cannot unload the table directly either (yeah I know - they can see the unloaded data from the IC - ignore what to us is the bleeding obvious). Stuff like log readers are not an option in this case.

Not sure I entirely agree on security, but from the DB2 point of view it looks that way - you still need RACF auth to the IC files (and to the compression dict for the compressed tables, I assume), so it's not like it's insecure.

Yeah - sorry - used the Platinum (I'm too old to say CA) name instead of the BMC name, but to be fair I used one in the title and the other in the detail, so got 'em both :-))


Philip Sevetson

BMC FastUnload - ImageCopy - Auth Question
(in response to Rob Stein)
I think the problem is overconstrained at this point. The program running the unload _must_ have authorization to read (view) the data; that's what it's doing. It need not be a logon-capable ID, though.

--Phil


Mike Vaughan

BMC FastUnload - ImageCopy - Auth Question
(in response to Rob Stein)
If you wanted to jump through enough hoops, you actually could get unload+ to unload a table you did not have read access to. One of the features of unload+ is the ability to unload a table that no longer exists in the catalog (it's a feature that's saved my tail more times than I'd care to admit). In order to do this you feed the utility the imagecopy dataset as well as the DDL for what the table looks like (including OBID). If you use this and specify a table name that does not exist in the catalog (even though the imagecopy is from an object that does exist) then the utility would not have any "real" object to check access against and the unload would proceed even though you did not have access to the table. Of course, you would need access to the imagecopy dataset for this to work.

Mike.

Randy Bright

BMC FastUnload - ImageCopy - Auth Question
(in response to Mike Vaughan)
So far I think everything I've read in responses is correct.

With Unload Plus you can unload a table without DB2 table SELECT authority using the method Mike describes. There is no way to know that the real table name in the Catalog is the one specified in the DDL passed to Unload Plus. And as Mike points out, this is very useful for unloading an image copy of a table that has been dropped (if you have the DDL, of course).

And as more than one person has pointed out, if a user has dataset access authority to the image copy dataset, why not allow unloading of the data? If you really want to secure your DB2 table data, you have to also secure all copies of that data.

If anyone has any additional questions, you can email me directly if you like.

P.S. Thanks to Steen for clearing up the official name of the product.

________________________________

Randy Bright
Solutions Architect
DB2 Utilities

phone: 512.340.6014
fax: 512.340.6647

10431 Morado Circle
Building 5
Austin, TX 78759
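Randy's point that securing the table means securing every copy of it, together with Mike's description of the copy being readable without a table SELECT check, suggests a simple reconciliation: compare who holds SELECT on each table with who can read its image copy datasets. The script below is an added example, not code from the thread or from BMC or CA; every table name, ID, grant and dataset profile in it is constructed, and the `find_exposed_copies` function and the flat model of RACF dataset profiles (discrete profiles only, no generic matching) are assumptions.

```python
# Added example, not from the thread or from BMC/CA: reconcile who may read a
# DB2 table through SQL (SELECT grantees) with who may read its image copy
# datasets through the dataset profile (RACF-style access list). Anyone in the
# second set but not the first can read the data by unloading the copy, whatever
# the table grants say. All names, IDs, grants and profiles are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Table:
    name: str                   # qualified table name, e.g. PAYROLL.SALARY
    select_grantees: frozenset  # IDs/groups holding SELECT (may contain "PUBLIC")
    image_copies: tuple         # dataset names of image copies of this table

@dataclass(frozen=True)
class DatasetProfile:
    dataset: str                # discrete profile name; generic (**) matching not modelled
    readers: frozenset          # IDs/groups on the access list with READ or higher
    uacc_read: bool = False     # universal access (UACC) of READ or higher

def find_exposed_copies(tables, profiles, expected_copy_readers=frozenset()):
    """Map each exposed copy dataset to (reason, extra_readers). Principals in
    expected_copy_readers (backup/recovery batch IDs) read copies legitimately."""
    by_name = {p.dataset: p for p in profiles}
    findings = {}
    for t in tables:
        if "PUBLIC" in t.select_grantees:       # everyone may read the table anyway
            continue
        for ds in t.image_copies:
            prof = by_name.get(ds)
            if prof is None:                    # copy has no protecting profile at all
                findings[ds] = ("NO PROFILE", [])
                continue
            extra = prof.readers - t.select_grantees - expected_copy_readers
            if prof.uacc_read:
                findings[ds] = ("UACC READ", sorted(extra))
            elif extra:
                findings[ds] = ("EXTRA READERS", sorted(extra))
    return findings

# Constructed sample, shaped like a SYSIBM.SYSTABAUTH extract and a RACF dataset
# profile listing; the AUDIT.EVENTS copy deliberately has no profile.
TABLES = (
    Table("PAYROLL.SALARY", frozenset({"HRAPP", "DBADMIN"}), ("DB2P.IC.PAYROLL.SALARY.D26JAN",)),
    Table("REF.COUNTRY", frozenset({"PUBLIC"}), ("DB2P.IC.REF.COUNTRY.D26JAN",)),
    Table("AUDIT.EVENTS", frozenset({"SECADM"}), ("DB2P.IC.AUDIT.EVENTS.D26JAN",)),
)
PROFILES = (
    DatasetProfile("DB2P.IC.PAYROLL.SALARY.D26JAN", frozenset({"DBADMIN", "BATCHOPS", "ROBS"})),
    DatasetProfile("DB2P.IC.REF.COUNTRY.D26JAN", frozenset(), uacc_read=True),
)
```

Running `find_exposed_copies(TABLES, PROFILES, {"BATCHOPS"})` reports ROBS as an extra reader of the PAYROLL.SALARY copy and the AUDIT.EVENTS copy as having no profile; the REF.COUNTRY copy is skipped because the table itself is PUBLIC.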

steen rasmussen

BMC FastUnload - ImageCopy - Auth Question
(in response to Randy Bright)
You're welcome Randy - and just like BMC Unload+ can unload a table from an image copy without the table existing, the same is possible with CA Fast Unload.

Happy weekend everyone (I'm now at 732 points).

Steen Rasmussen
CA Technologies

Rob Stein

BMC FastUnload - ImageCopy - Auth Question
(in response to steen rasmussen)
Thanks very much guys... I had a memory of this being possible when I did real work as a DBA, but my knowledge has taken a nose dive now that I play politics for a living :-( Not hard to give it the DDL, OBID and a false name :-) and we might have to resort to this method... Thanks for the info.

Rob

Avram Friedman

RE: BMC FastUnload - ImageCopy - Auth Question
(in response to Randy Bright)

In addition to what Randy says about why to use an IC instead of an unload (because ICs usually need less copy-protection security), there are additional reasons worth mentioning.

1. ICs can be input to recovery, but UNLOADs may not.

2. The logical unit of backup in an IC is a CI and the logical unit of backup in an UNLOAD is a Row. Usually CI << Row.

Best wishes
Avram Friedman
