Change ZPARM Values

Mohamed Esmael

Change ZPARM Values

Dear All,

We are implementing SOD (segregation of duties) on DB2 v11 for z/OS. We want to separate SYSADM from doing security-related issues, as we will enable DB2 internal security and use SECADM. We have a concern about:

1- Who can edit / update ZPARM fields (SYSADM or SECADM), as there are security-related fields?

James Campbell

Change ZPARM Values
(in response to Mohamed Esmael)
1) Anyone with update access to a library in xxxxMSTR STEPLIB concatenation. This can be
used to supply new values when Db2 is started or a -SET SYSPARM is issued.

2) Some tools allow dynamic modifications to the internal control blocks. You need to read the
documentation on the tools you have.

3) Any program with AC(1) in an authorised library can do anything. You need to have
controls around their usage.

4) No scheme is perfect. Especially anything you read on the Internet. And, yes, this as well.

James Campbell

On 11 Feb 2018 at 1:36, Mohamed Esmael wrote:

>
> Dear All,
> We are implementing SOD (segregation of duties) on DB2 v11 for z/OS. We want to separate SYSADM
> from doing security-related issues, as we will enable DB2 internal security and use SECADM. We
> have a concern about:
> 1- Who can edit / update ZPARM fields (SYSADM or SECADM), as there are security-related fields?

Avram Friedman

RE: Change ZPARM Values
(in response to Mohamed Esmael)

My suggestions are:
1. and most important
Lock down update access to SDSNLOAD and SDSNEXIT so no one can do it typically.
Systems options should only be changed with a well documented and reviewed change request.

2. Always change ZPARMS by using the install CLIST.
This is the best method for ensuring the DSNTIAD member gets updated.

When it is time to change the ZPARM:
Obtain a firecall ID from the point of control, who will verify that there is an approved change request.
Assemble or copy the new ZPARM load module to the target dataset (usually SDSNEXIT).
Use SETPARM or Subsystem restart to invoke the change.

Someone may ask about the use of hidden ZPARMS.
I do not support their use at all.
If you have to ask about how to control ZPARM updates then you clearly do not want to consider them.

Avram Friedman
DB2-L hall of fame contributor
DB2-L acting administrator

Mohamed Esmael

RE: Change ZPARM Values
(in response to James Campbell)

Thanks a lot for your reply. I have another issue.

On DB2, when we analyze the data that was extracted from the catalog tables, we conclude that the qualifier (schema) has privileges on some objects. How can we apply that on RACF access control?

Thanks in advance.