ACF2 DB2 table column Security

book

Article ID: 197841

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA LDAP Server for z/OS CA PAM Client for Linux for zSeries CA Web Administrator for Top Secret

Issue/Introduction

Have a need to restrict users from 2 views creating in db2.  The views will be under the high-level db2 prefix of PRR.     Only certain users should be allowed access to these. 

Also, have a need to protect the data from being seen by unauthorized programs.   Can this be done?  Only authorized programs could access the view with the protected columns.  Other programs would have no access to those fields.   Is this possible to get at this level?   

Looking for options to limit access to selected individuals in selected columns.

Environment

Release : 16.0

Component : CA ACF2 Option for Db2

Resolution

Resource rules for DB2 are written the same as any other resource. First, you need to define the resource to the infodir. For tables and views that is 'R-DTBL'. Once you have that defined and refresh the INFODIR record you can begin writing rules.

For example, the following SQL GRANT statement for system DSNP to allow user PAYCLK to update column SALARY and EXEMPTION :

Grant Insert/update/select/delete(vndr_bd_indu_txt, vndr_prpse_cd, vndr_srce_cd) ON TABLE PERSONEL.PAYROLL TO PAYCLK
 
Would be equivalent to the ACF rule:
$KEY(PERSONEL.PAYROLL) TYPE(TBL)
$SYSID(DSNP)
UID(***PAYCLK) SERVICE(INSERT,UPDATE,SELECT,DELETE) COLUMN(VNDR_BD_INDU_TXT, VNDR_PRPSE_CD, VNDR_SRCE_CD) LOG
 

The SYSID would be subject to the system where this is running, DSNP was just an example. The log at the end is the permission type to give a user, available values are: allow, log, and prevent. Will also need rules to prevent users from those columns and allow users access to the rest of the table. Something on the lines of:

UID(-) SERVICE(INSERT,UPDATE,SELECT,DELETE) COLUMN(VNDR_BD_INDU_TXT, VNDR_PRPSE_CD, VNDR_SRCE_CD) prevent
uid(-) SERVICE(INSERT,UPDATE,SELECT,DELETE) allow

The same naming structure applies to views.