When you install DB2 at your site, you should protect access to the DB2 subsystem, to the data sets used by DB2, and to DB2 resources.
Access to a specific DB2 subsystem is controlled outside of DB2. You do not sign on to DB2. Instead, DB2 calls the System Authorization Facility (SAF) when you first make a request to DB2. SAF is an IBM z/OS facility that routes security requests between DB2 and the external security manager, such as CA ACF2. Through SAF, the security manager decides whether you are authorized to use DB2 at all and whether you are authorized to connect to a particular DB2 subsystem, so the connection is accepted or rejected before any DB2 authorization is checked.
See the appendix “Using SAF,” in the CA ACF2 Option for DB2 Getting Started for more detailed information about how to use the CA ACF2 Security for z/OS (CA ACF2) SAF interface to control connections to the DB2 subsystem.
You can also access data associated with one DB2 subsystem through another DB2 subsystem. This facility is called the distributed data facility (DDF).
DB2 uses VSAM linear data sets to store its data. A user with sufficient data set access can read or modify these data sets without going through the DB2 subsystem at all; for example, Access Method Services (AMS, the IDCAMS program) commands operate on them outside the DB2 address space, bypassing every DB2 authorization check. To fully protect the data in DB2, you must therefore ensure that access to the DB2 data sets themselves is controlled. You must also ensure that data sets created by DB2 activities, such as archive logs, full image copy data sets, and so on, are protected, because they contain the same data as the table spaces they were taken from.
You can use CA ACF2 to protect DB2 data sets, including the DB2 catalog, directory, Bootstrap Data Set (BSDS), active log data sets, and so on. This also ensures that you use a single security architecture throughout your operating system. See CA ACF2 Administrator Guide for more information about protecting z/OS data sets and resources.
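The following CA ACF2 data set access rule set shows one way to apply the preceding two paragraphs: the DB2 address spaces get full access to the subsystem's data sets, a storage administrator gets logged read access, and everyone else is prevented from touching the data sets directly. It is an illustrative example added here, not a rule set taken from the CA ACF2 or DB2 manuals. The high-level qualifier DB2P, the logonids DB2PMSTR and DB2PDBM1 (DB2 started tasks), STGADM (a storage administrator), the owner DB2SEC, and a site UID string that begins with the logonid are all assumptions; substitute your own naming standards.

```text
* Illustrative CA ACF2 data set access rule set for one DB2 subsystem.
* Added as an example; not taken from the CA ACF2 or DB2 documentation.
* Assumed names: high-level qualifier DB2P, started-task logonids
* DB2PMSTR and DB2PDBM1, storage administrator STGADM, owner DB2SEC,
* and a site UID string that starts with the logonid.
$KEY(DB2P)
$OWNER(DB2SEC)
* The DB2 address spaces need full access to every DB2-managed data set
* under this qualifier: catalog (DSNDB06), directory (DSNDB01), user
* databases (DSNDBC/DSNDBD clusters), the BSDS, and the active logs.
 - UID(DB2PMSTR) READ(A) WRITE(A) ALLOC(A) EXEC(A)
 - UID(DB2PDBM1) READ(A) WRITE(A) ALLOC(A) EXEC(A)
* Storage administration may read (volume backups), but each access is
* logged and any write or allocate outside DB2 is prevented.
 - UID(STGADM) READ(L) WRITE(P) ALLOC(P) EXEC(P)
* Nobody else, DBAs included, reaches these data sets directly; they get
* to the data only through DB2, where DB2 authorization applies.
 - UID(-) READ(P) WRITE(P) ALLOC(P) EXEC(P)
```

ACF2 selects the most specific matching entry, so the UID(-) line applies only to logonids not named above; it mirrors the default in ABORT mode (no matching rule means no access) and documents the intent. Archive logs and image copy data sets are often allocated under a different high-level qualifier than the subsystem's own data sets; each such qualifier needs its own $KEY rule set, or the protection above silently does not cover them. Compile and store the rule set with the ACF command as described in the CA ACF2 Administrator Guide.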
In DB2, you can control access to DB2 resources in several ways. These ways, together with DB2 resources and authorization IDs, are discussed in the following sections.
Copyright © 2011 CA Technologies.
All rights reserved.