A CA ACF2 Option for DB2 rule set controls access to DB2 resources. Rule sets are stored in the Infostorage database; each one identifies the DB2 users and the conditions that must be met for a user to access the resource.
To grant access to a DB2 resource, a security administrator must create, compile, and store a CA ACF2 Option for DB2 rule set in the Infostorage database. A security administrator is a user whose logonid has the SECURITY privilege. A scoped security administrator can create rule sets only for resources that are within their area of responsibility.
CA ACF2 Option for DB2 uses CA ACF2 Option for DB2 rule sets, the resource MODE in the DB2 OPTS record, and the DB2 SAFELIST records to determine whether a request should be permitted. CA ACF2 Option for DB2 rule sets tell CA ACF2 Option for DB2 the conditions that must be met for users to be permitted to use the resource. The DB2 OPTS record tells CA ACF2 Option for DB2 how to react if no rules exist or the rules deny the request. The DB2 SAFELIST records tell CA ACF2 Option for DB2 which DB2 resources and access levels should be permitted to all DB2 users.
The rule set that CA ACF2 Option for DB2 selects to perform the validation must match the:
Through resource grouping or masking, rule sets can apply to multiple resources, multiple subsystems, and multiple users. When CA ACF2 Option for DB2 finds a rule set that matches the resource name, type, and subsystem ID, CA ACF2 Option for DB2 validates whether you own the resource. If you are an owner, CA ACF2 Option for DB2 automatically lets you use the resource. If you are not an owner, CA ACF2 Option for DB2 checks further for a rule entry that matches your environment. If the rule entry matches the environment of the request you want to perform, CA ACF2 Option for DB2 checks the access permission to determine whether you should be allowed, allowed but logged, or prevented from performing the access.
If a rule that matches these conditions does not exist or the rule denies access, CA ACF2 Option for DB2 checks the rule sets that govern the use of administrative authorities such as SYSADM or DBADM. If none of these rule sets grant access, CA ACF2 Option for DB2 checks the DB2 OPTS infostorage record. This record tells CA ACF2 Option for DB2 what action to take if access is denied to a particular resource.
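As an added example that is not CA documentation or product code, the following Python model walks through the evaluation order just described: the SAFELIST, the matching resource rule set (owner first, then rule entries), the administrative-authority rule sets, and finally the OPTS MODE. The rule data, the "*" masking syntax and the MODE values ABORT, LOG and QUIET are constructed assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Constructed model of the evaluation order; the data and the "*" mask
# syntax are simplifications for illustration, not real ACF2 rule syntax.
RULE_SETS = [  # keyed by resource type, resource-name mask and subsystem mask
    {"type": "TBL", "name": "PAYROLL.*", "subsys": "DSN1", "owners": {"PAYOWN"},
     "entries": [("PAYCLK*", "ALLOW"), ("AUDIT*", "LOG"), ("*", "PREVENT")]},
]
ADMIN_RULE_SETS = [  # rule sets governing administrative authorities (SYSADM, DBADM)
    {"type": "SYSADM", "name": "SYSADM", "subsys": "*", "entries": [("DBA*", "ALLOW")]},
]
SAFELIST = [("TBL", "SYSIBM.*", "READ")]  # (type, name mask, access) open to all users
OPTS_MODE = {"DSN1": "ABORT", "DSN2": "LOG"}  # assumed MODE values: ABORT, LOG, QUIET

def find_rule_set(rule_sets, rtype, name, subsys):
    """First rule set whose type, name mask and subsystem mask match the request."""
    for rs in rule_sets:
        if rs["type"] == rtype and fnmatchcase(name, rs["name"]) \
                and fnmatchcase(subsys, rs["subsys"]):
            return rs
    return None

def match_entry(rs, uid):
    """Permission of the first rule entry whose logonid mask matches the user."""
    for mask, permission in rs["entries"]:
        if fnmatchcase(uid, mask):
            return permission
    return None

def decide(uid, rtype, name, subsys, access):
    """Return (decision, reason): SAFELIST, then the resource rule set (owner,
    then rule entry), then administrative authorities, then the OPTS MODE."""
    for s_type, s_mask, s_access in SAFELIST:
        if s_type == rtype and fnmatchcase(name, s_mask) and s_access == access:
            return ("ALLOW", "safelist")
    rs = find_rule_set(RULE_SETS, rtype, name, subsys)
    if rs is not None:
        if uid in rs["owners"]:
            return ("ALLOW", "owner")
        permission = match_entry(rs, uid)
        if permission in ("ALLOW", "LOG"):
            return (permission, "rule entry")
    # no matching rule, or the rule denied: check the administrative authorities
    for authority in ("SYSADM", "DBADM"):
        admin = find_rule_set(ADMIN_RULE_SETS, authority, authority, subsys)
        if admin is not None and match_entry(admin, uid) == "ALLOW":
            return ("ALLOW", authority)
    # nothing granted access: the OPTS MODE decides how to react
    mode = OPTS_MODE.get(subsys, "ABORT")
    return ({"ABORT": "PREVENT", "LOG": "LOG"}.get(mode, "ALLOW"), "opts mode " + mode)
```

Running the same request for a clerk, an auditor, an owner, a DBA and an unlisted user shows each step of the order taking effect.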
You can choose where you want to keep your CA ACF2 Option for DB2 rule sets and rule directories: in common storage or in an address space. Globally resident rule sets and directories are built in common storage at CA ACF2 initialization. They let all users access the rule set without CA ACF2 Option for DB2 having to perform I/O to retrieve the rule set from the Infostorage database. Locally resident rule sets are loaded into each user's address space when a request is made and are kept in the address space until the rules are reset or the session ends. Transient rule sets are never made resident, but are loaded into a user's address space when a request is made. See Use of NEXTKEY in Resource Rules for more information about directories.
Through the GSO INFODIR infostorage record, you can indicate that you want to make the CA ACF2 Option for DB2 directories global (in common storage) and the rule sets global or local (in the user's address space). See the “Using the GSO INFODIR Record” appendix in this guide for more information.
Copyright © 2011 CA Technologies.
All rights reserved.