

Access Control

The following compares native DB2 access controls with the access controls provided by CA Top Secret Option for DB2.

Native DB2 Access Controls

DB2 controls access to its resources through the following:

  • Explicit assignment of privileges
  • Implicit ownership of resources
  • Privileges associated with plan execution
  • Use of views
  • Use of update privilege to columns

DB2 uses several types of IDs to control access to data:

  • Primary authorization IDs
  • Secondary authorization IDs
  • SQL IDs

A user must be granted access to each specific resource. Resources cannot be masked.

IBM defines a special ID called PUBLIC. This ID lets you make any privilege available to all IDs: every DB2 user can use a privilege granted to PUBLIC.

DB2 groups privileges into hierarchical authorities. Each authority has its own privileges and also the privileges of any lower authority.

There are two special system privileges, CREATEDBA and CREATEDBC. Both give you an explicit privilege to create any database; in addition, CREATEDBA gives you the implicit privilege of DBADM, and CREATEDBC gives you the implicit privilege of DBCTRL.

CA Top Secret Option for DB2 Access Controls

CA Top Secret Option for DB2 secures all functions performed on DB2‑related resources through the TSS PERMIT command function. It does not remove privileges from DB2; it changes how you administer them. In place of GRANT and REVOKE statements, CA Top Secret Option for DB2 permits the use of a DB2 resource to a user. When a user requests a DB2 resource, CA Top Secret Option for DB2 checks the authorization and determines whether that user is allowed to perform the requested function on that particular resource.

In CA Top Secret Option for DB2, the concept of ownership through creation of an object is eliminated. Instead, DB2‑related resources are preferably owned by a department, and their use is permitted to users with the appropriate privileges, optionally subject to additional access controls such as time of day and day of week.

A single permit can give a user access to a resource in all DB2 subsystems, or it can be restricted by the FACILITY control option to a specific DB2 subsystem. Masking of the DB2 resource name can be used to give a user access to multiple DB2 resources with a single PERMIT.

CA Top Secret Option for DB2 treats an application plan as a resource that should be protected. Therefore, CA Top Secret Option for DB2 must authorize you to use the BIND privilege to create a plan and the EXECUTE privilege to use a plan.

CA Top Secret Option for DB2 enables you to use views to restrict a user’s access to tables, and to permit updates to only certain columns of a table. For example, to permit the UPDATE privilege on column ADDRESS to USRJIM, enter:

TSS PER(USRJIM)
DB2TABLE(USED.PHONELST.ADDRESS)
ACCESS(UPDATE)

The CREDBA and CREDBC privileges are treated only as explicit privileges to create databases. No ownership or implicit authorities apply.
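The following Python model illustrates the permit-based authorization check described above: a permit names an ACID, a DB2TABLE resource (optionally a mask), an access level and, optionally, a FACILITY that scopes it to one DB2 subsystem. It is an added illustration written for this page, not CA Top Secret code, and it makes several labelled assumptions: masking is modelled as a match on leading qualifiers of the resource name, a permit with no FACILITY applies to every subsystem, and access levels are compared literally (no level implies another). The USRJIM permit is the one from the text; the USRANN permit, the subsystem names DB2P and DB2T, and the PHONE column are constructed sample values.

```python
"""Model of permit-based DB2 resource authorization (illustration only, not CA product code).

Assumptions, not taken from the page:
  * masking = the permit's qualifiers are a leading subset of the request's qualifiers
  * a permit with facility=None applies to all DB2 subsystems
  * access levels are matched literally; UPDATE does not imply READ in this model
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Permit:
    acid: str                      # user or profile ACID, e.g. USRJIM
    resource: str                  # DB2TABLE resource name or mask, e.g. USED.PHONELST.ADDRESS
    access: frozenset              # permitted access levels, e.g. {"UPDATE"}
    facility: Optional[str] = None  # restrict to one DB2 subsystem; None = all subsystems


def _qualifiers(name: str) -> List[str]:
    return name.upper().split(".")


def resource_matches(mask: str, resource: str, masking: bool = True) -> bool:
    """Compare a permitted resource name against the requested one.

    With masking (the CA Top Secret style), USED.PHONELST covers
    USED.PHONELST.ADDRESS and USED.PHONELST.PHONE but not USED.PHONELSTX.ADDRESS,
    because the comparison is on whole qualifiers. Without masking (the native
    DB2 style, where each resource must be granted individually) the names must
    be identical.
    """
    m, r = _qualifiers(mask), _qualifiers(resource)
    if not masking:
        return m == r
    return len(m) <= len(r) and r[: len(m)] == m


class PermitStore:
    def __init__(self) -> None:
        self._permits: List[Permit] = []

    def permit(self, acid: str, resource: str, access: Iterable[str],
               facility: Optional[str] = None) -> Permit:
        """Record a permit, the model's equivalent of TSS PER(...) DB2TABLE(...) ACCESS(...)."""
        p = Permit(acid.upper(), resource.upper(),
                   frozenset(a.upper() for a in access),
                   facility.upper() if facility else None)
        self._permits.append(p)
        return p

    def check(self, acid: str, resource: str, access: str, facility: str,
              masking: bool = True) -> Optional[Permit]:
        """Return the permit that authorizes the request, or None if it is denied.

        Returning the matching permit rather than a bare boolean gives an
        auditor the reason a request was allowed.
        """
        acid, access, facility = acid.upper(), access.upper(), facility.upper()
        for p in self._permits:
            if p.acid != acid:
                continue
            if p.facility is not None and p.facility != facility:
                continue                      # permit scoped to another subsystem
            if access not in p.access:
                continue                      # wrong access level
            if resource_matches(p.resource, resource, masking):
                return p
        return None


def build_sample_store() -> PermitStore:
    """Constructed sample permits: USRJIM is the page's example, USRANN is invented."""
    store = PermitStore()
    store.permit("USRJIM", "USED.PHONELST.ADDRESS", ["UPDATE"])           # column-level, all subsystems
    store.permit("USRANN", "USED.PHONELST", ["READ"], facility="DB2T")     # masked, test subsystem only
    return store


if __name__ == "__main__":
    store = build_sample_store()
    requests = [
        ("USRJIM", "USED.PHONELST.ADDRESS", "UPDATE", "DB2P", True),   # allowed: exact column permit
        ("USRJIM", "USED.PHONELST.PHONE", "UPDATE", "DB2P", True),     # denied: other column
        ("USRANN", "USED.PHONELST.PHONE", "READ", "DB2T", True),       # allowed: mask + facility match
        ("USRANN", "USED.PHONELST.PHONE", "READ", "DB2P", True),       # denied: facility restriction
        ("USRANN", "USED.PHONELST.PHONE", "READ", "DB2T", False),      # denied: no masking (native style)
    ]
    for acid, res, acc, fac, mask in requests:
        decision = store.check(acid, res, acc, fac, masking=mask)
        print(f"{acid} {acc} {res} in {fac} (masking={mask}): "
              f"{'ALLOW via ' + decision.resource if decision else 'DENY'}")
```

The same request denied with `masking=False` and allowed with `masking=True` is the practical difference between granting each resource individually and covering a table's columns with one masked permit; the FACILITY case shows why a permit that is valid in the test subsystem does not carry into production unless it is written that way.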