To ease the administrative burden of granting similar groups of privileges over and over again, DB2 groups privileges into functional authorities, which are granted just like privileges. These authorities are:
Users with many of these authorities have access to the resources that they control. The SYSADM and DATAACCESS authorities have access to all user databases and cannot be restricted from any database. Users with SYSCTRL, ACCESSCTRL, and SQLADM authorities have access to DB2 catalog tables but no access to user data. The system DBADM authority can create and drop most DB2 objects and has access to DB2 catalog tables, but no access to user data. The DBADM, DBCTRL, and DBMAINT authorities are restricted to the database named in the GRANT statement. They cannot be restricted from any object in that database. The PACKADM authority is restricted to the collection named in the GRANT statement. A user with PACKADM authority on a collection cannot be restricted from any package in the collection.
With CA ACF2 Option for DB2, you can continue to use the authorities that DB2 has defined. CA ACF2 Option for DB2 rules control all authorities except Install SYSADM and Install SYSOPR. These two authorities are defined at DB2 installation in the subsystem initialization parameters (DSNZPARM). CA Technologies recommends that your site carefully monitor and trace the use of these authorities so that they are properly used.
In native DB2, the authids or roles with SECADM authority are also defined in the subsystem initialization parameters (DSNZPARM) at DB2 initialization. However, with CA ACF2 Option for DB2, those authids or roles are not associated with the SECADM authority. The SECADM authority is controlled with a system authority resource rule the same way other system authorities are controlled. The $KEY of the rule names the SECADM authority. For rule sets that control system authorities, the $KEY of the rule names the system authority (for example, SYSADM or SYSOPR). For rule sets that control database authorities, the SERVICE parameter of the database rule names the database authorities and privileges (for example, DBADM, DBCTRL, REPAIR, and so on) that apply.
With CA ACF2 Option for DB2 rules, you can also limit the access that these authorities have to a resource by time, day, or date. The SHIFT parameter on the CA ACF2 Option for DB2 rule lets you specify the name of a shift record, which defines the time, days, or dates that users can access the resource. For example, suppose you define a shift named NORMAL, which runs from 9:00 AM to 5:00 PM. If you include SHIFT(NORMAL) in the rule entry, users associated with that shift can use the identified resource only during those hours.
The following rule sets let the data processing vice presidents (identified by DPVP in their UIDs) use the DISPLAY command on the PROD DB2 subsystem during the NORMAL shift. CA ACF2 Option for DB2 checks each rule set to determine whether the DPVP is authorized to use the DISPLAY command directly or holds the SYSOPR authority, which also permits issuing the DISPLAY command. If either rule set grants permission, the DPVP can issue the DISPLAY command during the NORMAL shift on the PROD DB2 subsystem.
$KEY(SYSOPR)
$TYPE(SYS)
$SYSID(PROD)
UID(***DPVP) ALLOW SHIFT(NORMAL)

$KEY(DISPLAY)
$TYPE(SYS)
$SYSID(PROD)
UID(***DPVP) ALLOW SHIFT(NORMAL)
The following example shows that a DPVP has the DBADM authority on the FINPAY database for the PROD subsystem. In this example, the DPVP has DBADM only on weekends (a shift named WEEKEND has already been defined). Note that because DBADM is a database authority, the type code is DBS.
$KEY(FINPAY)
$TYPE(DBS)
$SYSID(PROD)
UID(***DPVP) SERVICE(DBADM) ALLOW SHIFT(WEEKEND)
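To make the two examples above concrete, the following is an added toy model (not CA code) of how the SYS and DBS rule sets are evaluated: the DISPLAY check passes if either the DISPLAY command rule or the SYSOPR authority rule allows it, and the DBADM check passes only inside the WEEKEND shift. The shift records, the UID value and the masking semantics are constructed assumptions that simplify the real product.

```python
# Toy evaluator for the rule sets above (added example, not CA ACF2 code).
# Assumptions: '*' in a UID mask matches one character, '-' matches the rest,
# a mask is matched as a prefix of the UID, and a shift record is simplified
# to (start_hour, end_hour, weekdays). Real ACF2 masking and shifts are richer.
import re
from datetime import datetime  # 'when' arguments below are datetime objects

# Constructed shift records: NORMAL is 09:00-17:00 Mon-Fri, WEEKEND is all day Sat/Sun.
SHIFTS = {"NORMAL": (9, 17, {0, 1, 2, 3, 4}), "WEEKEND": (0, 24, {5, 6})}

# The three rule sets from the text, one per string.
RULE_SETS = [
    "$KEY(SYSOPR) $TYPE(SYS) $SYSID(PROD) UID(***DPVP) ALLOW SHIFT(NORMAL)",
    "$KEY(DISPLAY) $TYPE(SYS) $SYSID(PROD) UID(***DPVP) ALLOW SHIFT(NORMAL)",
    "$KEY(FINPAY) $TYPE(DBS) $SYSID(PROD) UID(***DPVP) SERVICE(DBADM) ALLOW SHIFT(WEEKEND)",
]

def parse_rule(text):
    """Turn 'NAME(value)' tokens into a dict and record the ALLOW/PREVENT verdict."""
    rule = dict(re.findall(r"(\$?\w+)\(([^)]*)\)", text))
    rule["ACTION"] = "ALLOW" if re.search(r"\bALLOW\b", text) else "PREVENT"
    return rule

def uid_matches(mask, uid):
    """UID mask match: '*' = any one character, '-' = anything to the end."""
    pattern = "".join("." if c == "*" else ".*" if c == "-" else re.escape(c) for c in mask)
    return re.match(pattern, uid) is not None

def in_shift(name, when):
    start, end, days = SHIFTS[name]
    return when.weekday() in days and start <= when.hour < end

def rule_permits(rule, uid, sysid, when, service=None):
    """An entry grants access only if subsystem, UID mask, SERVICE and SHIFT all match."""
    if rule["$SYSID"] != sysid or not uid_matches(rule["UID"], uid):
        return False
    if service is not None and rule.get("SERVICE") != service:
        return False
    if "SHIFT" in rule and not in_shift(rule["SHIFT"], when):
        return False
    return rule["ACTION"] == "ALLOW"

def can_issue_display(uid, sysid, when):
    """DISPLAY is allowed if the DISPLAY command rule or the SYSOPR authority rule permits it."""
    return any(rule_permits(r, uid, sysid, when) for r in map(parse_rule, RULE_SETS)
               if r["$TYPE"] == "SYS" and r["$KEY"] in ("DISPLAY", "SYSOPR"))

def has_dbadm(uid, database, sysid, when):
    """DBADM on a database comes from the DBS rule keyed by that database with SERVICE(DBADM)."""
    return any(rule_permits(r, uid, sysid, when, "DBADM") for r in map(parse_rule, RULE_SETS)
               if r["$TYPE"] == "DBS" and r["$KEY"] == database)
```

Calling `can_issue_display("XYZDPVP", "PROD", when)` returns True only on a weekday between 09:00 and 17:00, and `has_dbadm("XYZDPVP", "FINPAY", "PROD", when)` returns True only on a Saturday or Sunday.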
CA ACF2 Option for DB2 also defines special privileges you can use in place of DB2 authorities. These special logonid privileges (SECURITY and AUDIT) let you control which users can insert, update, delete, or view CA ACF2 Option for DB2 rules and records in the Infostorage database. By controlling who can update rules, you control who can perform functions on resources.
Copyright © 2011 CA Technologies.
All rights reserved.