DB2 records contain options that apply to each DB2 subsystem. Using the SYSID, you can create separate records for each subsystem to tailor these options to your site’s needs, or you can share one record among multiple resources.
Defines which exits apply to each DB2 subsystem. You can use exits to alter the access recommendation from CA ACF2 Option for DB2. Exits can receive control before and after CA ACF2 Option for DB2 rule validation.
Defines the level of protection that you want for each DB2 resource on a particular subsystem. The level of protection is defined as the mode. Modes can ease your transition to full CA ACF2 Option for DB2 security for each subsystem. CA ACF2 Option for DB2 checks this record during DB2 startup to determine whether the record is active for the DB2 subsystem. Then CA ACF2 Option for DB2 uses this information during a rule validation to help determine what level of protection is in effect for each resource. For each resource in the OPTS record, you can choose the following modes:
| OPTS Record Modes | Description |
|---|---|
| QUIET | Lets you write and store rules without affecting access to resources. Users can access resources without creating violation records. |
| LOG | Lets you adjust rules as needed because logging records of violations tell you where adjustments are needed. Users can continue to access resources, but CA ACF2 Option for DB2 checks the rules that apply to each request and verifies each user’s logonid. Access attempts that are invalid according to a rule or because no rule exists are granted but logged. |
| RULE | Lets you migrate CA ACF2 Option for DB2 rules to full ABORT mode on a rule set basis. |
| ABORT | Recommends that CA ACF2 Option for DB2 deny the access. Access attempts that are ultimately denied are logged. This is the default value. |

The SAFELIST record defines which resources have unrestricted access. You can add to the safelist any resources that do not need to be restricted from any user. For resources on the safelist, there is no interaction with the base security product: access is granted automatically, without a security call.
Note: Because no security call is made for safelisted resources, access to them is not logged. When new SAFELIST records are inserted, DB2 must be stopped and started for them to become active.

Copyright © 2011 CA Technologies. All rights reserved.