

DB2 Resource Protection
All the DB2 resources have full scope checking and administrative authority support. This eliminates the need for secondary authorization IDs and the cascading revoke problems. The benefits of CA Top Secret for DB2 are:
- The DB2 resources are easily administered with the same TSS command or the administration panels used in CA Top Secret.
- In CA Top Secret for DB2, the concept of ownership through the creation of an object is eliminated. Instead, all of the DB2‑related resources are preferably owned by a department and their use is authorized to users with appropriate privileges.
- With CA Top Secret for DB2 you do not need secondary authorization IDs. In fact, they can obscure the lines of individual accountability.
- The elimination of the cascading REVOKE effect makes secondary authorization IDs somewhat unnecessary. Due to this elimination, it is easier for CA Top Secret administrators to control and manage these DB2‑related resources and authorities.
- Support and security exist for all categories of DB2 privileges and authorities. Because the SYSADM authority has complete control over most DB2 resources, you should carefully limit and monitor its use just as you would an MSCA.
- There are discrete checks with unique class names identifying the type of function secured.
- Specific class names permit matching of relationships with existing DB2 controls.
- Access levels are supported as applicable to each function.
- All auditing and violation activity within DB2 is recorded to SMF and/or the Audit/Tracking File. All current facilities for reporting, including the online TSSTRACK reporting utility, are supported.
- The Catalog Synchronization Utility provides the ability to bring DB2 catalog entries up‑to‑date with CA Top Secret for DB2.
The DB2 resources include:
DB2BUFF DB2PLAN DB2SYS
DB2COLL DB2TABLE DB2TABSP
DB2PKG DB2BASE DB2STOGP
DB2 Resource Ownership
To establish ownership, use TSS CREATE/ADDTO.
Example: establish DB2 resource ownership
This example adds and permits a DB2 resource:
TSS ADDTO(ENGDEPT) DB2PLAN(SR19052P)
TSS PERMIT(USRMIKE) DB2PLAN(SR19052P) ACCESS(BIND)
DB2 Resource Ownership Removal
To remove ownership of a DB2 resource:
- Revoke all permissions for the resource. You cannot specify an access level.
- Remove the ownership of the DB2 resource.
Example: remove DB2 resource ownership
This example removes ownership of a DB2 resource:
TSS REVOKE(USRMIKE) DB2PLAN(SR19052P)
TSS REMOVE(ENGDEPT) DB2PLAN(SR19052P)
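The removal order above can be checked before a change script is submitted. The following is an added example, not CA code: it parses only the command shapes shown on this page, one command per line, and sees only permissions granted inside the script itself. USRANN is a constructed ACID.

```python
import re

# DB2 resource classes listed on this page.
DB2_CLASSES = {"DB2BUFF", "DB2PLAN", "DB2SYS", "DB2COLL", "DB2TABLE",
               "DB2TABSP", "DB2PKG", "DB2BASE", "DB2STOGP"}

# Matches only the command shapes shown on this page:
#   TSS VERB(acid) CLASS(name) [ACCESS(level)]
CMD = re.compile(r"^TSS\s+(PERMIT|REVOKE|REMOVE)\((\w+)\)\s+(\w+)\(([^)]+)\)(.*)$")

def check_removal_order(lines):
    """Return (line_no, message) findings for a TSS change script."""
    permitted = {}  # (class, name) -> ACIDs permitted earlier in the script
    findings = []
    for no, raw in enumerate(lines, 1):
        m = CMD.match(raw.strip())
        if not m or m.group(3) not in DB2_CLASSES:
            continue  # ADDTO and anything else is outside this check
        verb, acid, rclass, name, rest = m.groups()
        key = (rclass, name)
        if verb == "PERMIT":
            permitted.setdefault(key, set()).add(acid)
        elif verb == "REVOKE":
            if "ACCESS(" in rest.upper():
                # Treated as not applied, so the permission stays tracked.
                findings.append((no, f"REVOKE for {rclass}({name}) specifies an access level"))
            else:
                permitted.get(key, set()).discard(acid)
        else:  # REMOVE
            left = sorted(permitted.get(key, ()))
            if left:
                findings.append((no, f"REMOVE of {rclass}({name}) while still permitted to: {', '.join(left)}"))
    return findings

# Constructed sample: USRANN is made up, the other names come from the page.
SAMPLE = [
    "TSS ADDTO(ENGDEPT) DB2PLAN(SR19052P)",
    "TSS PERMIT(USRMIKE) DB2PLAN(SR19052P) ACCESS(BIND)",
    "TSS PERMIT(USRANN) DB2PLAN(SR19052P) ACCESS(BIND)",
    "TSS REVOKE(USRMIKE) DB2PLAN(SR19052P) ACCESS(BIND)",
    "TSS REVOKE(USRANN) DB2PLAN(SR19052P)",
    "TSS REMOVE(ENGDEPT) DB2PLAN(SR19052P)",
]

if __name__ == "__main__":
    for no, msg in check_removal_order(SAMPLE):
        print(f"line {no}: {msg}")
```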
Copyright © 2014 CA Technologies.
All rights reserved.