The synchronization process correlates the included users’ authorizations in the DB2 catalog with the users’ authorizations in CA ACF2 Option for DB2 for the included resources. REVOKE statements are generated for included users for privileges they hold in the DB2 catalog, but not in CA ACF2 Option for DB2, for the included resources. Similarly, GRANT statements are generated for included users for privileges they hold in CA ACF2 Option for DB2, but not in the DB2 catalog, for included resources. If the included user holds the same privilege in both the DB2 catalog and in CA ACF2 Option for DB2, nothing is generated. The optional CADB2SED trace report shows the privileges the included users hold in the DB2 catalog for the included resources. The optional CADB2SUA trace report shows the privileges the included users hold in CA ACF2 Option for DB2 for the included resources. When multiple privileges are revoked from a user for the same resource, only one revoke statement is generated. Similarly, only one grant statement is generated when multiple privileges are granted to a user for the same resource. The generated revoke statements are written to the REVOKE file and the CADB2SGS report. The generated grant statements are written to the GRANT file and the CADB2SGS report.
To remove superfluous authorizations from the DB2 catalog, such as those for users who no longer exist, specify the OPTIONS(REVOKEALL) statement. The synchronization process then generates revoke statements for privileges held in the DB2 catalog by non-included users for included resources without regard for what they hold in CA ACF2 Option for DB2. The CADB2SED optional trace report shows these privileges. The CADB2SGS report shows the generated revoke statement that is written to the REVOKE file.
The SECURITY and NON-CNCL privileges grant the logonid access to all DB2 resources and therefore create a large number of GRANT statements. The large volume of statements can be difficult to process. If you do not want CA ACF2 Option for DB2 to create GRANT statements based on either of these privileges, you can specify the NOPRIVCHECK option in the SYNC control statement. The result is that GRANT statements are generated based only on the appropriate resource rules.
UID masking in a rule (in particular, UID(*)) can generate a large number of GRANT statements when a resource matching that rule is synchronized. We provide a special GRANT TO PUBLIC option that lets you direct the synchronization utility to generate a single grant to a special authorization ID (PUBLIC) instead of generating individual grants to all users being synchronized. This greatly reduces overhead and saves time in resource checking.
The Catalog Synchronization Utility does not alter ownership information in the DB2 catalog in any way. CA ACF2 Option for DB2 does, however, indicate when a user is an owner so that it can include the WITH GRANT OPTION to owners on the SQL GRANT statement.
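The reconciliation described above, as an added worked example in Python that is not part of the product or this manual: privileges are modelled as (authorization ID, resource, privilege) triples, REVOKE is generated for catalog privileges absent from the ACF2 rules (plus non-included users under REVOKEALL), GRANT for rule privileges absent from the catalog, one statement per user and resource, with WITH GRANT OPTION for owners and a single GRANT TO PUBLIC for a UID(*) rule when that option is set. The sample data, the table-privilege statement form and the treatment of a PUBLIC rule as covering every user's matching catalog privilege are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample data (not from the manual): (authorization ID, table, privilege).
# An authorization ID of "*" models an ACF2 resource rule with UID(*) masking.
DB2_CATALOG = {
    ("ALICE", "PAYROLL", "SELECT"), ("ALICE", "PAYROLL", "UPDATE"),
    ("BOB", "PAYROLL", "SELECT"), ("ALICE", "AUDITLOG", "SELECT"),
    ("CAROL", "PAYROLL", "SELECT"),   # CAROL is not an included user (e.g. deleted logonid)
}
ACF2_RULES = {
    ("ALICE", "PAYROLL", "SELECT"), ("BOB", "PAYROLL", "SELECT"),
    ("BOB", "PAYROLL", "INSERT"), ("BOB", "PAYROLL", "DELETE"),
    ("*", "AUDITLOG", "SELECT"),
}
OWNERS = {("BOB", "PAYROLL")}            # owners receive WITH GRANT OPTION
INCLUDED_USERS = {"ALICE", "BOB"}
INCLUDED_RESOURCES = {"PAYROLL", "AUDITLOG"}

def _coalesce(triples):
    """Group privileges per (user, table) so one statement covers all of them."""
    grouped = defaultdict(set)
    for user, table, priv in triples:
        grouped[(user, table)].add(priv)
    return grouped

def synchronize(catalog, acf2, users, resources, revokeall=False,
                owners=frozenset(), grant_to_public=False):
    """Return (grants, revokes) as SQL statement lists, sorted for stable output."""
    cat = {(u, t, p) for u, t, p in catalog if u in users and t in resources}
    rules = set()
    for u, t, p in acf2:
        if t not in resources:
            continue
        if u == "*":                      # UID(*): one PUBLIC grant or one grant per user
            if grant_to_public:
                rules.add(("PUBLIC", t, p))
            else:
                rules.update((usr, t, p) for usr in users)
        elif u in users:
            rules.add((u, t, p))
    # Revoke what the catalog holds but ACF2 does not; a PUBLIC rule is assumed here
    # to cover every user's matching catalog privilege.
    revoke_set = {x for x in cat if x not in rules and ("PUBLIC", x[1], x[2]) not in rules}
    if revokeall:                         # OPTIONS(REVOKEALL): also non-included users
        revoke_set |= {x for x in catalog if x[0] not in users and x[1] in resources}
    grant_set = rules - cat               # held in ACF2 but not yet in the catalog
    revokes = [f"REVOKE {', '.join(sorted(ps))} ON TABLE {t} FROM {u}"
               for (u, t), ps in sorted(_coalesce(revoke_set).items())]
    grants = [f"GRANT {', '.join(sorted(ps))} ON TABLE {t} TO {u}"
              + (" WITH GRANT OPTION" if (u, t) in owners else "")
              for (u, t), ps in sorted(_coalesce(grant_set).items())]
    return grants, revokes
```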
Copyright © 2011 CA Technologies.
All rights reserved.