

Securing Resources That Can Be Categorized

About Categories

If you secure certain system resources internally, you must group occurrences of these resources in categories and grant execution privilege on the categories to allow access.

You create categories using CREATE RESOURCE CATEGORY statements. You authorize access with GRANT EXECUTE ON CATEGORY statements.

External Security

Categories are not meaningful to external security enforcement. However, you can choose to specify external security for any resource type that can be categorized.

If you specify external security for a resource type that can be categorized, you must also define rules in the external security system for all occurrences of that resource type.

Resource Types That Can Be Categorized

This table shows resource types that can be categorized and the resource type keywords that you specify in the SRTT to secure them.

Note: Run units and access modules are secured internally by specifying resource type 'DB'.

| Resource | SRTT keyword (internal security) | SRTT keyword (external security) |
|---|---|---|
| Task | TASK | TASK |
| Load module | SLOD | SLOD |
| Access module(1) | DB(1) | SACC |
| Program | SPGM | SPGM |
| Run unit | DB(1) | NRU |
| Queue | QUEU | QUEU |

(1) For more information about securing the DB resource type, see Securing Database Resources.

Wildcards

To simplify the process of category management, you can use wildcards when you specify the resource occurrences to add to a category.

In this example, load modules, tasks, and queues associated with an accounts receivable application are added to a category:

create resource category ar
  add load module appldict.v0001.car*
  add task car
  add queue car*, ap* ;

You can also use a wildcard in the category name when you grant privilege. For example, if you create several categories for the accounts receivable application and assign names that begin with 'AR', you can grant privilege on all of the accounts receivable categories in this way:

grant execute on category ar*
  to ar_sys_admin;
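
When reviewing wildcarded categories and grants, it helps to expand the masks against an inventory of resource occurrences and list what a user can actually execute. The following Python sketch is an added example, not code from the product or its documentation. It assumes that a trailing asterisk matches any suffix and that names are case-insensitive; the ARCHIVE category and all inventory names are constructed for illustration.

```python
# Added example: constructed data, not read from a real security dictionary.
CATEGORIES = {  # category -> resource type -> masks from the ADD clauses
    "AR": {"load module": ["APPLDICT.V0001.CAR*"],
           "task": ["CAR"],
           "queue": ["CAR*", "AP*"]},
    "ARCHIVE": {"task": ["ARCPURGE"]},  # hypothetical category, not accounts receivable
}
GRANTS = [("AR*", "AR_SYS_ADMIN")]  # (category mask, grantee)
INVENTORY = {  # constructed occurrence names
    "load module": ["APPLDICT.V0001.CARMAIN", "APPLDICT.V0001.GLPOST"],
    "task": ["CAR", "CARX", "ARCPURGE"],
    "queue": ["CARQ1", "APINVQ", "GLQ"],
}


def matches(mask, name):
    """Assumed semantics: a trailing * matches any suffix, otherwise exact match."""
    mask, name = mask.upper(), name.upper()
    return name.startswith(mask[:-1]) if mask.endswith("*") else mask == name


def categories_for(user):
    """Categories a user can execute once category masks in grants are expanded."""
    return sorted({cat for mask, grantee in GRANTS if grantee.upper() == user.upper()
                   for cat in CATEGORIES if matches(mask, cat)})


def effective_access(user):
    """Map (resource type, occurrence) -> categories that give the user access."""
    access = {}
    for cat in categories_for(user):
        for rtype, masks in CATEGORIES[cat].items():
            for occ in INVENTORY.get(rtype, []):
                if any(matches(m, occ) for m in masks):
                    access.setdefault((rtype, occ), []).append(cat)
    return access


if __name__ == "__main__":
    print("categories:", categories_for("ar_sys_admin"))
    for (rtype, occ), cats in sorted(effective_access("ar_sys_admin").items()):
        print(f"{rtype:12} {occ:26} via {', '.join(cats)}")
```

With this constructed data, the grant on ar* also reaches the unrelated ARCHIVE category because its name begins with AR, which is the kind of naming collision a review of wildcarded grants should look for.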

Implementing Security by Category

The following are the steps to implement security using categories:

  1. Create categories for groups of resource occurrences.
  2. Grant users execution privilege on categories.
  3. Activate internal security for each categorized resource type.