DB2 defines the following resources and protects them through explicit or implicit privileges:
DB2 grants and revokes explicit privileges through the SQL GRANT and REVOKE statements; implicit privileges come with ownership of a resource. DB2 records privileges in the DB2 authorization catalog, where each row in the catalog table represents one privilege granted to an authorization ID. When you try to perform a function, DB2 checks the catalog table for each of your authorization IDs until it finds one that has the required privilege. DB2 lets you access the resource if such a privilege is found and denies access if it is not.
CA ACF2 Option for DB2 protects everything that native DB2 security protects. CA ACF2 Option for DB2 also lets you provide a better level of protection for each DB2 resource. CA ACF2 Option for DB2 defines these DB2 resources and protects them using the following fields in the DB2 OPTS infostorage record:
| OPTS Record Fields | Description |
|---|---|
| BPLMODE | Protects the use of buffer pools |
| CONMODE | Protects trusted contexts |
| DBSMODE | Protects databases |
| FNCMODE | Protects functions |
| JARMODE | Protects Java archive files |
| PLNMODE | Protects application plans, packages, and collections |
| PRCMODE | Protects stored procedures |
| ROLMODE | Protects roles |
| SCHMODE | Protects schemas |
| SEQMODE | Protects sequences |
| STGMODE | Protects the use of storage groups |
| SYSMODE | Protects system privileges and utilities |
| TBLMODE | Protects tables, views, and indexes |
| TSPMODE | Protects the use of table spaces |
| TYPMODE | Protects distinct types |
When CA ACF2 Option for DB2 checks authorization, it also locates the OPTS record that corresponds to the DB2 subsystem. The DB2 OPTS record defines the mode of protection for each resource and whether CA ACF2 Option for DB2 is protecting that DB2 subsystem. The mode of protection of each resource is the access recommendation that CA ACF2 Option for DB2 makes when a request for a DB2 resource is considered a violation. When CA ACF2 Option for DB2 validates a rule set for a particular resource and access is denied, it uses the mode information in the OPTS record to make an access recommendation. See “Processing Security Information” for more information about how the DB2 OPTS record is used.
For operating systems that contain multiple DB2 subsystems, you can create a DB2 OPTS infostorage record for each DB2 subsystem or, by masking the SYSID, one record that represents multiple DB2 subsystems.
You can select from the following modes:
| OPTS Record Modes | Description |
|---|---|
| QUIET | Checks logonids, but does not validate data accesses (ignores CA ACF2 Option for DB2 rules) |
| LOG | Permits the request, but records the access that would be denied |
| RULE | Checks the rule's $MODE and specifies access conditions if $MODE or the rule is absent |
| ABORT | Denies the request and logs the attempt |
These modes enable you to migrate and tailor your security processing to suit your site’s needs. See “Introducing CA ACF2 Option for DB2,” and “Defining DB2 Records” in this guide for more information about modes. See “Implementing CA ACF2 Option for DB2,” in the Getting Started for information about implementing this protection.
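As an added illustration (not code from CA ACF2 Option for DB2 or from this guide), the following Python models the OPTS-record processing described above: locating the record for a DB2 subsystem, including one whose SYSID is masked, and turning the resource's mode field plus the rule-set result into an access recommendation. The preference for an exact SYSID over a masked one, the fallback used when a RULE-mode resource has no $MODE, and the treatment of an unset field or an unprotected subsystem are assumptions, not documented product behaviour.

```python
# Constructed model of the OPTS-record lookup and mode resolution described
# above. Not CA ACF2 Option for DB2 code: field and mode names are from the
# page; SYSID precedence and the fallbacks are assumptions (see comments).
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

@dataclass
class OptsRecord:
    sysid: str               # DB2 subsystem ID, may be masked, e.g. "DB2*"
    modes: Dict[str, str]    # OPTS field -> mode, e.g. {"TBLMODE": "ABORT"}
    protecting: bool = True  # is CA ACF2 Option for DB2 protecting this subsystem?

def find_opts(records: List[OptsRecord], sysid: str) -> Optional[OptsRecord]:
    """Locate the OPTS record for a subsystem. Assumption: an exact SYSID
    match is preferred over a record whose masked SYSID also matches."""
    for rec in records:
        if rec.sysid == sysid:
            return rec
    for rec in records:
        if "*" in rec.sysid and fnmatchcase(sysid, rec.sysid):
            return rec
    return None

def recommend(opts: Optional[OptsRecord], field: str, rule_denies: bool,
              rule_mode: Optional[str] = None) -> Tuple[str, bool]:
    """Access recommendation for one request against the resource class
    governed by OPTS field `field`; `rule_denies` is the outcome of validating
    the rule set, `rule_mode` the rule's own $MODE. Returns (decision, logged)."""
    if opts is None or not opts.protecting:
        return ("NOT-PROTECTED", False)  # assumption: left to native DB2 security
    mode = opts.modes.get(field)
    if mode is None:
        return ("NOT-PROTECTED", False)  # assumption: unset field = unprotected
    if mode == "RULE":
        # Defer to the rule's $MODE; fallback when it is absent is an assumption.
        mode = rule_mode if rule_mode in ("QUIET", "LOG", "ABORT") else "ABORT"
    if mode == "QUIET" or not rule_denies:
        return ("PERMIT", False)         # QUIET ignores the rules entirely
    if mode == "LOG":
        return ("PERMIT", True)          # permitted, would-be denial is logged
    if mode == "ABORT":
        return ("DENY", True)
    raise ValueError(f"unknown mode {mode!r} in OPTS field {field}")

# Constructed sample: an explicit record for DB2P and a masked one for DB2*.
RECORDS = [OptsRecord("DB2P", {"TBLMODE": "ABORT", "PLNMODE": "LOG"}),
           OptsRecord("DB2*", {"TBLMODE": "LOG", "SYSMODE": "RULE"})]
```

With the sample records, a table request on DB2P that the rule set denies is aborted and logged, while the same request on DB2T (matched by the masked record) is permitted but logged.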
Copyright © 2011 CA Technologies.
All rights reserved.