In security administration, you can perform your task more efficiently by making consistent use of groups, wildcards, and categories. This strategy will also produce runtime efficiency.
Using Groups
Your security strategy should isolate user roles that require similar types of privileges. You can then establish groups for each user role. This allows you to grant and revoke privileges at the group level, thus reducing the number of statements needed to administer the security scheme.
Note: Groups also enhance efficiency by improving runtime performance.
Comparison of Groups and No Groups
Without groups, you must list each user ID for each GRANT statement:
grant access on table qa.employee to psd, rkn, jfd, wxe, lsb; grant access on table qa.job to psd, rkn, jfd, wxe, lsb; grant access on table qa.benefits to psd, rkn, jfd, wxe, lsb; grant access on table qa.department to psd, rkn, jfd, wxe, lsb; grant execute on access module qa.empdbmod to psd, rkn, jfd, wxe, lsb; grant execute on access module qa.empdbret to psd, rkn, jfd, wxe, lsb;
Now to revoke privileges for one of the users, you must code a REVOKE statement for each GRANT statement:
revoke access on table qa.employee from rkn; revoke access on table qa.job from rkn; revoke access on table qa.benefits from rkn; revoke access on table qa.department from rkn; revoke execute on access module qa.empdbmod from rkn; revoke execute on access module qa.empdbret from rkn;
After you create the group, you list only the group name on each GRANT statement:
create group qagroup add user psd, rkn, jfd, wxe, lsb; grant access on table qa.employee to qagroup; grant access on table qa.job to qagroup; grant access on table qa.benefits to qagroup; grant access on table qa.department to qagroup; grant execute on access module qa.empdbmod to qagroup; grant execute on access module qa.empdbret to qagroup;
To revoke privileges from one of the users, you simply drop the user from the group:
alter group qagroup drop user rkn;
Using Wildcards
Your strategy should isolate resources that require similar types of security. You can then grant privileges on them using a wildcard. This allows you to implement your strategy at a higher level, thus eliminating the need to issue a GRANT statement for individual resources.
Wildcard Examples
Without wildcards, you must issue a separate statement for each table when you grant table access privileges:
grant access on table qa.employee to qagroup; grant access on table qa.job to qagroup; grant access on table qa.benefits to qagroup; grant access on table qa.department to qagroup; grant execute on access module qa.empdbmod to qagroup; grant execute on access module qa.empdbret to qagroup;
You can use a wildcard to grant table access privileges on all tables in the qa schema:
grant access on table qa.* to qagroup; grant execute on access module qa.* to qagroup;
Using categories
CA IDMS provides the category mechanism to help you to manage privileges on runtime resources efficiently.
Summary Example
This series of statements uses groups, wildcards, and categories to secure the resources available for two levels of use, as described in the definition of groups hrdisp and hrupd:
create group hrdisp description 'HR users who can display Employee' add user lsd, lhn, pxw, gsr, hxm, fbs; create group hrupd description 'HR users who can update Employee' add user gsr, hxm, fbs; create resource category benefits_display add access module appldict.prod.bendis add load module appldict.v0001.benefits add program cdmslib.bendisp add task bendisp; create resource category benefits_update add access module appldict.prod.benupd add program cdmslib.benupd add task benupd; grant execute on category benefits_display to hrdisp; grant execute on category benefits_* to hrupd;
|
Copyright © 2014 CA.
All rights reserved.
|
|