You can include parameters in the rule entry to limit access by time of day or day of the week (SHIFT), by date or number of days (UNTIL and FOR), by level of access (SERVICE), and by table column (COLUMN).
To limit access to a resource by time of day or days of the week, use the SHIFT parameter. For example, define NORMAL as 9:00 AM to 5:00 PM Monday through Friday and store this information in a shift record in the Infostorage database. When a DBA in the accounting department tries to use CREATEDBC outside these times, CA ACF2 Option for DB2 denies access. The following rule gives the ability to use the CREATEDBC authority only during the shift defined as NORMAL.
$KEY(CREDBC) $TYPE(SYS) $SYSID(PROD)
UID(**ACTDBA) ALLOW SHIFT(NORMAL)
The NORMAL shift record is defined in the Infostorage database as follows:
ACF6A062 SHIFT NORMAL STORED BY SECOFF ON 06/22/05 - 09:38
DAYS(MO,TU,WE,TH,FR) TIME(0900-1700)
You can also use the UNTIL and FOR parameters to limit access to a date or for a number of days. In the following rule, a finance user in the Los Angeles office can use the buffer pool BP1 on the TEST subsystem only until May 5, 2005.
$KEY(BP1) $TYPE(BPL) $SYSID(TEST)
UID(LA***FIN) ALLOW UNTIL(05/05/05)
The following rule set shows how to limit access for five days from the day the rule is stored:
$KEY(BP1) $TYPE(BPL) $SYSID(TEST)
UID(LA***FIN) ALLOW FOR(5)
See “Writing CA ACF2 Option for DB2 Rules” for more information about these parameters.
With some DB2 resources, you can permit different levels of access such as update and delete. For example, you can update, delete, view, or insert data into tables. Similarly, you can load or drop databases. Each keyword that you can specify for the SERVICE parameter represents a different access level. The type of resource you are protecting determines the SERVICE keywords you can specify. For example, the following rule set gives finance managers the ability to update the FINANCE.MONTH_BUDGET table on the DB2 subsystem PROD. If they try to perform any other type of access, CA ACF2 Option for DB2 denies it.
$KEY(FINANCE.MONTH_BUDGET) $TYPE(TBL) $SYSID(PROD)
UID(***FINMG) SERVICE(UPDATE) ALLOW
The next rule set lets the finance vice presidents have full access to the table FINANCE.MONTH_BUDGET. It also gives USER01, a clerk in the finance department, the authority to update this table’s data. Because the entry for USER01 specifies LOG rather than ALLOW, USER01’s updates are permitted but logged.
$KEY(FINANCE.MONTH_BUDGET) $TYPE(TBL) $SYSID(PROD)
UID(***FINCLUSER01) SERVICE(UPDATE) LOG
UID(***FINVP) SERVICE(ALL) ALLOW
You can also write one rule entry that covers many users. The following rule set enables all finance users to view the data in this table, and still lets USER01 update the table and the vice presidents perform all levels of access.
$KEY(FINANCE.MONTH_BUDGET) $TYPE(TBL) $SYSID(PROD)
UID(***FINCLUSER01) SERVICE(UPDATE) LOG
UID(***FINVP) SERVICE(ALL) ALLOW
UID(***FIN) SERVICE(SELECT) ALLOW
The flexibility of the UID enables you to write fewer rules to cover multiple users.
The COLUMN parameter lets you limit access to specific columns in a table. Use the COLUMN parameter with the UPDATE or REFER keyword of the SERVICE parameter to name the columns that a user can update or reference. For example, the following rule lets the personnel manager update the EMPLOYEE_BENEFITS table, but only the NAME and NO_OF_DEPS columns; an update that touches any other column is denied. Other users in the personnel department can select from the table and view all of its data.
$KEY(EMPLOYEE_BENEFITS) $TYPE(TBL) $SYSID(PROD)
UID(**PERMG) SERVICE(UPDATE) COLUMN(NAME,NO_OF_DEPS) ALLOW
UID(**PER) SERVICE(SELECT) ALLOW
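To make the SHIFT, UNTIL, FOR, SERVICE and COLUMN parameters above concrete, the following Python is an added example, not CA code and not the product’s own rule interpreter. It parses rule sets written in the syntax shown on this page and decides ALLOW, LOG or DENY for a request. Its semantics are deliberately simplified assumptions: entries are tried in the order written and the first one whose UID, SERVICE, COLUMN, SHIFT and date parameters all fit decides (real ACF2 selects the most specific matching entry); an entry with no ALLOW, LOG or PREVENT keyword is treated as ALLOW; a UID mask shorter than the UID string matches any trailing characters; UNTIL is inclusive and FOR(n) covers n days from the stored date. The SHIFTS table, the UID strings (site, department, job, logon ID) and the dates are constructed for the example.

```python
"""Toy evaluator for the rule syntax on this page (added example, not CA code).
Assumptions, not ACF2's real rule-selection algorithm: first entry whose
UID/SERVICE/COLUMN/SHIFT/date parameters all match decides; no disposition
keyword means ALLOW; a short UID mask matches trailing characters;
UNTIL is inclusive; FOR(n) covers n days from the stored date."""
import re
from datetime import date, datetime, time, timedelta

# Constructed stand-in for the Infostorage SHIFT records (Monday=0 .. Friday=4).
SHIFTS = {"NORMAL": {"days": {0, 1, 2, 3, 4},
                     "start": time(9, 0), "end": time(17, 0)}}

# Tokens are NAME or NAME(value); control statements start with "$".
_PARAM = re.compile(r"(\$?[A-Z]+)(?:\(([^)]*)\))?")


def uid_matches(mask, uid):
    """ACF2 UID masking: '*' matches exactly one character, '-' the rest."""
    pat = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask)
    return re.fullmatch(pat + ".*", uid) is not None   # short mask: trailing chars free


def in_shift(name, when):
    """True when 'when' is on a listed day and inside the shift's time window."""
    s = SHIFTS[name]
    return when.weekday() in s["days"] and s["start"] <= when.time() <= s["end"]


def parse_rule(text, stored=None):
    """Parse $KEY/$TYPE/$SYSID control statements and UID entries into a dict."""
    rule = {"KEY": None, "TYPE": None, "SYSID": None,
            "stored": stored or date.today(), "entries": []}
    for line in text.strip().splitlines():
        p = {k.lstrip("$"): v for k, v in _PARAM.findall(line)}
        for ctl in ("KEY", "TYPE", "SYSID"):
            if ctl in p:
                rule[ctl] = p[ctl]
        if "UID" not in p:
            continue
        rule["entries"].append({
            "uid": p["UID"],
            "service": set(p.get("SERVICE", "ALL").split(",")),      # assumed default: ALL
            "columns": set(filter(None, p.get("COLUMN", "").split(","))),
            "shift": p.get("SHIFT"),
            "until": datetime.strptime(p["UNTIL"], "%m/%d/%y").date() if "UNTIL" in p else None,
            "expires": rule["stored"] + timedelta(days=int(p["FOR"])) if "FOR" in p else None,
            "action": "PREVENT" if "PREVENT" in p else "LOG" if "LOG" in p else "ALLOW",
        })
    return rule


def check(rule, uid, sysid, service, when, columns=()):
    """Return (decision, reason); decision is 'ALLOW', 'LOG' or 'DENY'."""
    if rule["SYSID"] not in (None, sysid):
        return "DENY", "rule set applies to $SYSID(%s) only" % rule["SYSID"]
    reasons = []
    for e in rule["entries"]:
        if not uid_matches(e["uid"], uid):
            continue
        if "ALL" not in e["service"] and service not in e["service"]:
            reasons.append("UID(%s) does not grant %s" % (e["uid"], service)); continue
        if e["columns"] and not (columns and set(columns) <= e["columns"]):
            reasons.append("UID(%s) limited to COLUMN(%s)" % (e["uid"], ",".join(sorted(e["columns"])))); continue
        if e["shift"] and not in_shift(e["shift"], when):
            reasons.append("outside SHIFT(%s)" % e["shift"]); continue
        if e["until"] and when.date() > e["until"]:
            reasons.append("after UNTIL(%s)" % e["until"]); continue
        if e["expires"] and when.date() >= e["expires"]:
            reasons.append("FOR window ended %s" % e["expires"]); continue
        if e["action"] == "PREVENT":
            return "DENY", "PREVENT entry UID(%s)" % e["uid"]
        return e["action"], "entry UID(%s)" % e["uid"]
    return "DENY", "; ".join(reasons) or "no matching entry"


# The rule sets from this page, as parsed input.
MONTH_BUDGET = parse_rule("""$KEY(FINANCE.MONTH_BUDGET) $TYPE(TBL) $SYSID(PROD)
UID(***FINCLUSER01) SERVICE(UPDATE) LOG
UID(***FINVP) SERVICE(ALL) ALLOW
UID(***FIN) SERVICE(SELECT) ALLOW""")
EMPLOYEE_BENEFITS = parse_rule("""$KEY(EMPLOYEE_BENEFITS) $TYPE(TBL) $SYSID(PROD)
UID(**PERMG) SERVICE(UPDATE) COLUMN(NAME,NO_OF_DEPS) ALLOW
UID(**PER) SERVICE(SELECT) ALLOW""")
CREDBC = parse_rule("""$KEY(CREDBC) $TYPE(SYS) $SYSID(PROD)
UID(**ACTDBA) ALLOW SHIFT(NORMAL)""")
BP1 = parse_rule("""$KEY(BP1) $TYPE(BPL) $SYSID(TEST)
UID(LA***FIN) ALLOW FOR(5)""", stored=date(2005, 5, 1))   # constructed store date


def at(y, m, d, hour=10):
    """Constructed request timestamp (hour defaults to mid-morning)."""
    return datetime(y, m, d, hour)
```

Calling, for instance, check(EMPLOYEE_BENEFITS, "HQPERMGSMITH", "PROD", "UPDATE", at(2005, 6, 22), ("NAME", "SALARY")) returns DENY with the reason that the manager’s entry is limited to COLUMN(NAME,NO_OF_DEPS), while the same request on ("NAME",) returns ALLOW; check(CREDBC, "HQACTDBA01", "PROD", "CREATEDBC", at(2005, 6, 25)) is denied because June 25, 2005 is a Saturday and outside SHIFT(NORMAL). The reason string is the point of the exercise: when a rule set has several entries for overlapping UID masks, it shows which entry a request actually fell through to.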
Copyright © 2011 CA Technologies.
All rights reserved.