Evaluate Who Should Get Access to What
CA Top Secret Option for DB2 permissions grant access to all DB2 resources, such as databases, tables, and system privileges. Before you can write and implement CA Top Secret Option for DB2 PERMITs, you must be a security administrator or be PERMITted authority through a TSS ADMIN command.
To make your CA Top Secret Option for DB2 permissions as effective as possible, answer these questions before you start writing the PERMITs:
- What are the names of the resources that I want to share?
- With what facility should a DB2 subsystem be associated?
- Should each DB2 subsystem be assigned its own facility or should they be grouped?
- Which users should be able to use system privileges and utilities and under which facility?
- Which ACIDs should own the resources (for example, divisions, departments)?
Note: It is strongly recommended that CA Top Secret ownership of a resource (via the TSS ADD command function) take place on a divisional or departmental level, rather than on an individual user level. Individual users within that department or division can then be granted access to those resources on an as-needed basis.
- What authorization ids should be used for qualifying DB2 tables?
- Which users should be able to change the PERMITs? Do I want to restrict any of these users?
- Who do I want to share resources with?
- Can I group and mask them?
- Should some users be privileged? Should these users be scoped?
- Should I trace access to a DB2 object? Should I trace a particular user's access to an object? Should I track use of a system privilege or utility?
- For resources that have the same name in multiple DB2 subsystems, should the user have the same privilege in all DB2 subsystems or should the privilege be restricted to specific DB2 subsystems?
- How do I want others to use the data? Should they be restricted in any way (such as to a column or to a certain function)?
- Should I determine certain time periods (shifts) when users can access the data?
- What privileges does DB2 require to access these resources?
- What table (database, and other) functions should users be permitted to access?
- Who will be creating DB2 resource definitions?
- Will users be utilizing static or dynamic SQL (for example, precompiled programs or ad hoc queries)?
After you answer these types of questions, you can begin to construct PERMITs.
We recommend that you use the conversion utility to create a set of general rules. Then you can edit these rules to be more specific. See the “Conversion Utility” chapter for more information about the conversion utility.
Copyright © 2011 CA Technologies.
All rights reserved.