Because CA ACF2 Option for DB2 journals events in the same SMF records as CA ACF2, standard CA ACF2 reports show both CA ACF2 and CA ACF2 Option for DB2 information. These fields are explained in the order in which they appear in the report formatted for the terminal. They are explained in terms of the CA ACF2 Option for DB2 information that might appear in them.
Names the resource to which access is being requested. The resource is identified by the infostorage record key in the format below:
class‑type‑name
The segments of the infostorage key for a DB2 resource are explained below:
class and type
The storage class can be C(for control records) with a type code of DB2, or D(for CA ACF2 Option for DB2 rules) with a type code of one of the following:
|
Type Code |
Description |
|---|---|
|
BPL |
Buffer pool |
|
COL |
Collection |
|
CON |
Trusted context |
|
DBS |
Database |
|
FNC |
Function |
|
JAR |
JAR file |
|
PKG |
Package |
|
PLN |
Application plan |
|
PRC |
Stored procedure |
|
ROL |
Role |
|
SCH |
Schema |
|
SEQ |
Sequences |
|
STG |
Storage group |
|
SYS |
System privilege or utility |
|
TBL |
Table |
|
TSP |
Table space |
|
TYP |
Distinct type |
The name of the key consists of the four‑character DB2 subsystem ID followed by the resources name of the requested DB2 resource:
Note: Information contained in these reports might also include infostorage record keys for resource rules, which use different class and type codes, and different formats for the names of resources. In particular, an infostorage record key for a resource rule to validate SAF calls is formatted as follows:
R‑SAF‑xxxx.yyyyy
This key is explained in more detail in Appendix B, “Using SAF,” in the CA ACF2 Option for DB2 Planning and Installation Guide.
Indicates whether the record is a logging, violation, or trace record. Violation records are highlighted with an asterisk (*) before this field.
Indicates the name of the CA ACF2 Option for DB2 rule set that was used to validate the request. This name shows any modifications to the resource name from the DB2PRE Prevalidation exit or the CA ACF2 directory.
Lists the requester’s user identification string (UID).
Shows the logical input source where the resource request was issued.
Lists the SMF name of the CPU that validated this resource request.
Names the requesting module as identified in the CA ACF2 Option for DB2 request parameter list. This might be a user‑supplied name. A possible CA ACF2 standard value is:
TSO logon processing validation.
Names the element that determined the disposition of this request:
A record matching the requested resource was not found in the CA ACF2 Infostorage database.
A rule entry matching the environment of the request was not found in the rule set.
An CA ACF2 Option for DB2 rule entry determined the disposition of this request.
Details the various exits and conditions that can modify the disposition.
A user DB2PRE Prevalidation exit altered the final request disposition.
A user DB2POST Postvalidation exit altered the final request disposition.
The requester’s logonid was not canceled so the request was permitted.
The requester was a security administrator so the request was permitted.
The request was unconditionally aborted.
Indicates the resource validation component that modified the key. CA ACF2 modifies the resource name to perform a database lookup operation.
The user DB2PRE Prevalidation exit altered the request key.
A CA ACF2 directory matched the key and modified it.
Both the user DB2PRE Prevalidation exit and the CA ACF2 directory modified the request key.
Shows the type of service requested for a particular DB2 resource. This field corresponds to the DB2 privilege or authority, which is shown in parentheses in the following table. The possible three‑ to four‑character abbreviations for each type of resource are as follows:
|
|
|
Distinct Type |
|
|
|
|---|---|---|---|---|---|
|
CRIN (CREATE) |
DADM (DBADM) |
USE (USAGE) |
EXEC (EXECUTE) |
USE (USAGE) |
BIND |
|
PADM (PACKADM) |
DCTL (DBCTRL) |
|
|
|
COPY |
|
|
DMNT (DBMAINT) |
|
|
|
EXEC (EXECUTE) |
|
|
CTAB (CREATETAB) |
|
|
|
|
|
|
CTSP (CREATETS) |
|
|
|
|
|
|
DISP (DISPLAYDB) |
|
|
|
|
|
|
DROP |
|
|
|
|
|
|
IMAG (IMAGCOPY) |
|
|
|
|
|
|
LOAD |
|
|
|
|
|
|
RCOV (RECOVERDB) |
|
|
|
|
|
|
RORG (REORG) |
|
|
|
|
|
|
REPR (REPAIR) |
|
|
|
|
|
|
STRT (STARTDB) |
|
|
|
|
|
|
STAT (STATS) |
|
|
|
|
|
|
STOP (STOPDB) |
|
|
|
|
|
|
|
|
Stored Procedure |
|
|
|---|---|---|---|---|---|
|
BIND |
ALTR (ALTERIN) |
ALTER |
EXEC (EXECUTE) |
ALTR (ALTER) |
ADM1 |
|
EXEC (EXECUTE) |
CRIN (CREATEIN) |
|
|
DEL (DELETE) |
CREV (CREATE)2 |
|
|
DROP (DROPIN) |
|
|
INDX (INDEX) |
DEL (DELETE) |
|
|
|
|
|
INS (INSERT |
INS (INSERT) |
|
|
|
|
|
REF (REFER) |
SEL (SELECT) |
|
|
|
|
|
SEL (SELECT) |
UPDT (UPDATE) |
|
|
|
|
|
TRIG (TRIGGER) |
|
|
|
|
|
|
UPDT (UPDATE) |
|
1ADM is not a privilege or authority that you can grant in a rule set. Because CA ACF2 Option for DB2 prevents users from creating views with more authority than they have on the base tables or views, CA ACF2 Option for DB2 reports ADM in this field when a creator of a view can change the view rule set but not the base table or view rule set. Also, it is reported against the base table or view, not the view being created. See “Creating Views” in the Processing Security Information section in “Comparing DB2 and CA ACF2 Option for DB2 Features,” chapter for more information about creating views.
2CREATE is not an IBM DB2 privilege or authority. CA ACF2 Option for DB2 uses it as a check to determine whether a user can create or drop a view. See the section discussed above for more information about creating views.
An entry in the RV report with SERVICE(OWN) is a request for OWNERSHIP. Ownership is not a SERVICE and cannot be specified in the SERVICE parameter of a rule. Ownership in a rule is established with the $LIDOWNER control statement, giving ownership to a certain unique logonid, or with the $UIDOWNER control statement, giving ownership to one or more individual logonids that match the UID mask.
Notes the Julian and Gregorian date on which the request was made. Through the CA ACF2 Global System Option (GSO) OPTS DATE, you can specify MM/DD or DD/YY for the Gregorian format.
Documents the time at which the request was made.
Identifies the name of the job under which the access was issued. If this is a TSO session, the job name and the logonid are generally the same.
Identifies the logonid of the user making the request.
Shows the name of the user making the request.
Documents the return code from the user DB2PRE Prevalidation exit. Possible return codes are:
0—Continue normal processing
4—Logonid not found
8—Allow and log request
20—Prevent request
Shows the return code from the CA ACF2 record manager. Possible return codes are:
0—Record was already resident
4—I/O needed to obtain record
8—Record was not found
Shows the return code from the rule interpreter. Possible return codes are:
0—Allow request
4—Allow and log request
16—Prevent access
20—No rule applies
24—Rule record not proper format
Shows the return code from the user DB2POST Postvalidation exit. Possible return codes are:
0—Continue normal processing
4—Allow request
8—Allow and log request
20—Prevent request
Indicates the final return code from the CA ACF2 resource validation function. Possible return codes are:
0—Allow
4—Allow and log
16—Prevent request
Specifies the ID that a process, or a user, is associated with during a DB2 session. An exit can set this ID prior to connecting to DB2.
Indicates the ID that the user is associated with before a DB2 exit changed it. Typically, the primary and the original authorization IDs are the same, but a DB2 exit can change it.
Lists all of the secondary authorization IDs a user is associated with through a DB2 exit. These IDs give the user privileges that are added to the privileges of his primary authorization ID.
|
Copyright © 2011 CA Technologies.
All rights reserved.
|
|