Implementation Considerations › Identify Your Operating Environment

Identify Your Operating Environment

To select the most appropriate options and to effectively use CA Top Secret Option for DB2 controls, first identify local conditions that you must consider, such as:

• Local naming conventions
• Existing security mechanisms
• Uniqueness of user identification
• Operating system configuration

Establish Local Naming Conventions

Determine existing (or desired) naming conventions for

• ACIDs for TSO, batch, IMS, CICS, and distributed users who access DB2
• Names of DB2 subsystems
• Names of DB2 resources (such as databases, tables, table spaces, and so on)

Standard naming conventions for ACIDs, DB2 subsystems, and DB2 resources simplify the task of writing CA Top Secret Option for DB2 PERMITs. CA Top Secret Option for DB2 provides an additional method—besides prefixing—for reducing the number of entries that must be made to secure an installation's DB2 resources. This method is masking (sometimes referred to as “patterning”). It can be used to group DB2 resources whose names share similar characteristics. These shared patterns can be used as the operands of the keywords in TSS entries.

CA Top Secret Option for DB2 provides five different masking techniques:

• Floating pattern
• Variable character substitution
• Index substitution
• Fixed position
• ACID substitution

For more information about the five different masking techniques, see the CA Top Secret Command Functions Guide.

Identify Existing Security Mechanisms

Identify all existing security mechanisms such as GRANT and REVOKE statements or security checks built into applications. Decide which ones to replace with CA Top Secret Option for DB2. Before you implement CA Top Secret Option for DB2, you may want to keep current DB2 security mechanisms active. Through the DB2FAC control option, you can activate or deactivate CA Top Secret Option for DB2 security on a subsystem‑by‑subsystem basis.

Note: You can use the conversion utility to analyze your current DB2 security. For more information about the conversion utility, see the “Conversion Utility” appendix.

Evaluate your site's use of the System Authorization Facility (SAF). While DB2 uses SAF to validate your connection to the DB2 subsystem, DB2 does not use SAF to validate access to any of the resources in DB2. CA Top Secret Option for DB2 provides you with a greater degree of control over your DB2 environment. It validates each user's access to each individual resource. You can instruct CA Top Secret Option for DB2 to use the following criteria to make access decisions:

• The name of the resource.
• The type of resource.
• The environment of the request.

These criteria may make use of SAF to validate access to the subsystem unnecessary.

Ensure Uniqueness of User Identifications

Identify all users and any individual or group IDs. Ensure that each system user is positively identified with a unique CA Top Secret ACID and a single password. Ensure that you create appropriate PROFILE ACIDs in place of each secondary authorization ID whenever possible.

Review Operating System Configuration

Ensure that your site has met the following requirements (see the section entitled System Requirements in the “Installation” chapter for DB2 for specific information about each of these requirements):

• DB2 requirements
• CA Top Secret Option for DB2 requirements
• CAIENF requirements