

What Terms Do You Need to Know?

To understand basic DB2 and CA ACF2 concepts, you should learn the following terms. These terms are defined as they are used in a native DB2 environment or with CA ACF2 processing.

The following list pairs each CA ACF2 and DB2 term with its description.

ACF command

The CA ACF2 command that is used to create, change, list, and delete CA ACF2 Option for DB2 rules and records dynamically and under strict controls. You can issue this command in batch, TSO, ISPF, and other facilities.

Authority

A named set of DB2 privileges, usually held over a collection of objects rather than a single one (for example, SYSADM or DBADM).

CA ACF2 Option for DB2 rules

The infostorage records that specify who can access what data under what conditions or environments. They define the conditions for accessing particular resources, and whether access is prevented, allowed, or allowed but logged. These rules are compiled for efficient storage in the Infostorage database and CA ACF2 Option for DB2 refers to them only when needed.

Cascade effect

The effect of revoking a DB2 privilege from an ID. When a privilege is revoked from an ID, DB2 revokes the privilege from all IDs that were granted the privilege by the granting ID. If the IDs obtained the privilege from another source, they retain the privilege.
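The cascade effect is easiest to see in the catalog. The following DB2 for z/OS SQL is an added example and is not part of the CA documentation; the table PAYROLL.SALARY and the authorization IDs ADMIN1, ALICE, BOB, and DBA2 are constructed names, and "issued by X" means the statement runs under a process whose current SQL ID is X, so X is recorded as the GRANTOR.

```sql
-- Added example, not from the original page. PAYROLL.SALARY, ADMIN1,
-- ALICE, BOB and DBA2 are constructed names.

-- Issued by ADMIN1: ALICE receives SELECT and may pass it on.
GRANT SELECT ON TABLE PAYROLL.SALARY TO ALICE WITH GRANT OPTION;

-- Issued by ALICE: BOB's privilege now depends on ALICE's grant.
GRANT SELECT ON TABLE PAYROLL.SALARY TO BOB;

-- Issued by DBA2, an independent source: BOB now holds SELECT from
-- two grantors, so two rows exist for BOB in SYSIBM.SYSTABAUTH.
GRANT SELECT ON TABLE PAYROLL.SALARY TO BOB;

-- Issued by ADMIN1: revoke ALICE's privilege. DB2 cascades the revoke
-- to everything ALICE granted, so the ALICE-to-BOB row disappears.
-- The DBA2-to-BOB row is untouched, so BOB keeps SELECT.
REVOKE SELECT ON TABLE PAYROLL.SALARY FROM ALICE;

-- Verify: no row remains for ALICE, and BOB's only row shows
-- GRANTOR = 'DBA2' (SELECTAUTH 'Y' = held, 'G' = held with grant option).
SELECT GRANTEE, GRANTOR, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'SALARY'
 ORDER BY GRANTEE, GRANTOR;

-- Before revoking from a grantor, list the grants that would cascade
-- instead of discovering the fallout afterwards.
SELECT GRANTEE, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTOR  = 'ALICE'
   AND TCREATOR = 'PAYROLL'
   AND TTNAME   = 'SALARY';
```

Running the dependency query first is the practical check: a revoke aimed at one ID can silently remove access from every ID downstream of it. DB2 10 and later also accept NOT INCLUDING DEPENDENT PRIVILEGES on REVOKE to suppress the cascade, subject to the REVOKE_DEP_PRIVILEGES subsystem parameter.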

Catalog

The set of DB2 system tables (the SYSIBM tables) that describe the objects in the subsystem. In native DB2 security, the catalog includes the authorization tables that record which privileges have been granted to which IDs.

Current SQL ID

The DB2 ID that is used as the implicit qualifier of table, view, and index names in dynamic SQL statements. The current SQL ID, together with the other authorization IDs of the process, is used to check the authority of the process to issue dynamic SQL statements.
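The following DB2 for z/OS SQL is an added example, not part of the CA documentation, showing what changing the current SQL ID does to name resolution, ownership, and the recorded grantor. The names PAYROLL, JSMITH, SALARY, SALARY_SUMMARY, and AUDITOR are constructed; the process is assumed to have primary authorization ID JSMITH and secondary authorization ID PAYROLL.

```sql
-- Added example, not from the original page. JSMITH (primary ID),
-- PAYROLL (secondary ID), SALARY, SALARY_SUMMARY and AUDITOR are
-- constructed names.

-- With the default current SQL ID (here the primary ID, JSMITH) an
-- unqualified name resolves to JSMITH.SALARY, which may not exist.
SELECT * FROM SALARY;

-- Change the current SQL ID. Unless the process holds SYSADM, the
-- value must be the primary ID or one of the process's secondary IDs.
SET CURRENT SQLID = 'PAYROLL';

-- The same unqualified name now resolves to PAYROLL.SALARY.
SELECT * FROM SALARY;

-- An object created without a qualifier is owned by the current SQL ID,
-- so PAYROLL, not JSMITH, holds the implicit privileges on this view.
CREATE VIEW SALARY_SUMMARY AS
  SELECT DEPT, SUM(AMOUNT) AS TOTAL
    FROM SALARY
   GROUP BY DEPT;

-- A GRANT issued now records PAYROLL as GRANTOR. That is what a later
-- REVOKE cascades from, so the SQL ID in effect at grant time matters.
GRANT SELECT ON TABLE SALARY_SUMMARY TO AUDITOR;

-- Authorization for a dynamic statement considers the current SQL ID
-- together with the primary and secondary IDs of the process; the two
-- special registers show which IDs are in play for this session.
SELECT CURRENT SQLID, USER AS PRIMARY_ID
  FROM SYSIBM.SYSDUMMY1;
```

The security-relevant point is the last two statements: a shared secondary ID used as the current SQL ID becomes the owner and grantor of record, so audits of who granted what must account for SQL ID switching rather than assuming the grantor is the person at the terminal.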

Dynamic SQL

SQL statements that are prepared and executed in a DB2 program while the program is executing. Dynamic SQL source statements are contained in host application variables rather than directly coded into the application program.

Explicit privilege

A specific DB2 privilege that a GRANT statement gives to a process.

Implicit privilege

A DB2 privilege that comes with ownership of an object.

Infostorage database

A central database that contains the CA ACF2 Option for DB2 records and rules. It also contains Global System Option (GSO) records, entry records, shift and zone records, scope records, and additional system and user data.

Install SECADM

In DB2 Version 10 and later, two authorization IDs or roles are designated at installation as security administrators (install SECADM). These IDs hold the authority to issue the GRANT and REVOKE statements of native DB2 security and to manage security definitions such as row permissions and column masks.

Install SYSADM

A DB2 “system administration” authority that is given to IDs when DB2 is installed. These IDs have other privileges in addition to all of the privileges of SYSADM.

Install SYSOPR

A DB2 “system operation” authority that is given to IDs when DB2 is installed. These IDs have other privileges in addition to all of the privileges of SYSOPR.

Object

Anything that SQL can create or manipulate such as a database, table, view, or table space. DB2 also contains resources that are not objects such as system privileges and utilities. The CA ACF2 Option for DB2 term DB2 resources refers to all DB2 objects, system privileges, and utilities.

Owner

The owner of a DB2 resource automatically holds certain privileges over it. In DB2, you establish ownership when an object (except for an application plan or package) is created. In CA ACF2 Option for DB2, the $LIDOWNER or $UIDOWNER control statement in a CA ACF2 Option for DB2 rule determines ownership.

Password

A string of characters that a user chooses to protect their unique logonid.

Primary authorization ID

An ID that represents a process to DB2. This ID identifies the user to DB2. Typically, the primary authorization ID is also the user’s original authorization ID, unless an exit changes it.

Privilege

In DB2, a privilege enables a user to perform a specific function, usually on a specific object. In CA ACF2 Option for DB2, a privilege refers to a logonid field that defines a user’s access to system data, resources, and CA ACF2 Option for DB2 rules and records.

Process

Any user, program, transaction, or other action that accesses DB2 data. When a process gains access to DB2, it is associated with a primary authorization ID, SQL ID, and one or more secondary authorization IDs.

Resident rules

CA ACF2 Option for DB2 rules that remain in common storage. Keeping heavily used rules resident avoids the I/O to the Infostorage database that each resource validation would otherwise require.

Resource

A DB2 object, system privilege, or utility that must be controlled.

Scoping

A CA ACF2 Option for DB2 feature that limits the CA ACF2 logonid privileges of a user. It restricts the control that a privilege grants to that user. For example, you can scope a security administrator so that they can change only the infostorage records and data for the accounting department, while an unscoped security administrator can change all infostorage records and access all data.

Secondary authorization ID

An optional ID that can hold additional DB2 privileges available to the process. Also called secondary accessor ID.

Security administrator

A person who implements, coordinates, and enforces security. The central security administrator can also decentralize security administration by creating scope records or authorizing other administrators through the %CHANGE or %RCHANGE control statement in the CA ACF2 Option for DB2 rule set. This decentralized authority can be limited (or scoped) to specific groups of resources.

SQL

Structured Query Language, the language used within DB2 to access data and to control access to resources through GRANT and REVOKE statements.

Static SQL

SQL statements that are embedded in an application program while the program is being coded and before it is executed.

SYSADM

A DB2 system administration authority that gives control over nearly all DB2 resources; the exceptions are certain operations on the directory and catalog databases, which belong to Install SYSADM. SYSADM includes the privileges of Install SYSOPR and of DBADM on every database. IDs granted SYSADM can access all data.

SYSCTRL

A DB2 system control authority that gives control over nearly all DB2 resources without the ability to read user data. IDs granted SYSCTRL can manage objects and security definitions but cannot access user data unless a privilege on it is granted to them separately.

SYSOPR

A DB2 system operation authority that includes the privileges to issue certain DB2 commands and to grant those commands to others.

User identification string (UID)

A string of fields from a user’s logonid record that is used in CA ACF2 Option for DB2 rules to identify individual users or groups of users for access to resources. The site selects fields of the logonid record that group users in ways that a single logonid cannot, so that resource access validation can be written against the group rather than against each user.