To help you move from DB2 security to CA ACF2 Option for DB2, the table below lets you quickly review how DB2 security concepts relate to CA ACF2 Option for DB2 security concepts.

| DB2 Security Feature | CA ACF2 Option for DB2 Feature |
|---|---|
| Connecting to DB2 | |
| Performing SAF call | SAF call performed |
| Connecting with primary ID | Logonid defined for each ID |
| Associating with secondary IDs | Supported, but UID might replace |
| Protecting DB2 data sets | Use CA ACF2 access rules |
| Retrieving data through DDF | Supported |

| Defining DB2 Resource | |
|---|---|
| These resources are protected through privileges and ownership concepts: | |
| Multiple DB2 subsystems | Create multiple DB2 OPTS infostorage records with different SYSIDs—use maskable $SYSID or Group SYSID. Assign the same GSYSID value to each different subsystem and use that value in the $SYSID rule. |

| Controlling Access to DB2 Resources | |
|---|---|
| Explicit privileges (GRANT/REVOKE) | Use CA ACF2 Option for DB2 rules |
| Implicit ownership | Use $UIDOWNER/$LIDOWNER in rules |
| Executing plans or packages | Create, compile, and store rule |
| Subsetting tables through use of views | Same as DB2 |
| UPDATE and REFERENCES privileges to a selected column | Use SERVICE and COLUMN on rules |
| Using primary or secondary IDs to control access | UID determines access—Secondary IDs are supported if needed |
| Granting PUBLIC access | Specify UID(*) on rules or insert resources on SAFELIST |
| Granting access to an object | Create, compile, and store rule |
| Dropping an object | Does not affect privileges |
| Changing object’s ownership | Change, recompile, and store rule |
| Not available | Grouping resources |

| Providing Additional Controls | |
|---|---|
| Grouped authorities: | Use CA ACF2 Option for DB2 rules or privileges |
| | Use $KEY(ACCESSCTRL) on rule |
| | Use $KEY(DATACCESS) on rule |
| | Use SERVICE(DBADM) on database rule |
| | Use SERVICE(DBMAINT) on database rule |
| | Use SERVICE(DBCTRL) on database rule |
| | Use SERVICE(PACKADM) on collection rule |
| | Use $KEY(SECADM) on rule |
| | No rule—same as native DB2 security |
| | No rule—same as native DB2 security |
| | Use $KEY(SQLADM) on rule |
| | Use $KEY(SYSADM) on rule |
| | Use $KEY(SYSCTRL) on rule |
| | Use $KEY(SYSOPR) on rule |
| | Use $KEY(SYSDBADM) on rule |
| BINDAGENT | Use $KEY(BINDAGENT.logonid) on rule |
| No equal authority | Scoped SECURITY |
| WITH GRANT OPTION | Use %CHANGE or %RCHANGE |
| REVOKE cascade effect | No cascade effect |
| Not available | Shift and zone processing |

| Processing Security Information | |
|---|---|
| Updates catalog with GRANT/REVOKE | Does not update or reference catalog |
| Checks catalog during validation | Checks CA ACF2 Option for DB2 rules |
| Checks at bind or execution for binding of plans or packages (static SQL) | Checks when DB2 does |
| Checks owner during bind of plan or package | Checks owner during bind |
| Use of security tables | Not needed—uses CA ACF2 Option for DB2 rules and DB2 records instead |
| Sign‑on/attach connection exits | Still available |

| Migrating from DB2 Security | |
|---|---|
| All GRANTs in catalog | Conversion utility creates rules |
| | Use infostorage record to phase in subsystems |
| | Use infostorage record to phase in subsystems |
| | Use infostorage record to phase in resources |
| | Use $MODE in rules to phase in rule sets |

Copyright © 2011 CA Technologies.
All rights reserved.