ACF2 DB2 Column Security

Article ID: 198513

Products: CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA LDAP Server for z/OS, CA PAM Client for Linux for zSeries, CA Web Administrator for Top Secret

Issue/Introduction

I have a need to restrict users from two views I am creating in DB2. The views will be under the high-level DB2 prefix of PRR. Only certain users should be allowed access to these.

I also have a need to protect the data from being seen by unauthorized programs. Can this be done? Only authorized programs could access the view with the protected columns. Other programs would have no access to those fields. Is this possible to get at this level?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

In DB2, the way to keep users from seeing a column of a table is to create a view. The view's select list simply leaves out every column those users should not be able to access, so nothing selected through the view can ever return them. Once the view is created, GRANT SELECT on the view (not on the base table) to the users who need it. With the ACF2 DB2 option, the rule for the view names the view in the $KEY and selects the users with the UID mask; it would look like the following:

$key(view.viewname) type(tbl)
UID(*DATAP**********APL0256) SERVICE(SELECT) allow
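The view-based approach described above, worked through in DB2 SQL as an added example that is not part of the original article. The three VNDR_* column names are the ones quoted later in this article; the table name PRR.VNDR, the view name PRR.VNDR_PUBLIC, the remaining columns and the authorization ID APL0256 are assumptions made for illustration.

```sql
-- Added example, not from the original article. Table, view and column
-- names other than VNDR_BD_INDU_TXT, VNDR_PRPSE_CD and VNDR_SRCE_CD are
-- assumptions; APL0256 is an assumed DB2 authorization ID.

-- Base table under the PRR prefix. The three VNDR_* columns at the end
-- are the ones that ordinary users must never see.
CREATE TABLE PRR.VNDR
  (VNDR_ID           INTEGER      NOT NULL,
   VNDR_NAME         VARCHAR(60)  NOT NULL,
   VNDR_BD_INDU_TXT  VARCHAR(40),
   VNDR_PRPSE_CD     CHAR(4),
   VNDR_SRCE_CD      CHAR(2));

-- View that exposes only the non-sensitive columns. Because the hidden
-- columns are not in the select list, a SELECT through the view cannot
-- return them no matter what privileges the user holds on the view.
CREATE VIEW PRR.VNDR_PUBLIC (VNDR_ID, VNDR_NAME)
  AS SELECT VNDR_ID, VNDR_NAME
     FROM PRR.VNDR;

-- Grant SELECT on the view only, and only to the IDs that need it.
-- Granting anything on PRR.VNDR itself to these users would let them
-- bypass the view and read the hidden columns directly.
GRANT SELECT ON TABLE PRR.VNDR_PUBLIC TO APL0256;

-- Checks to run from the restricted user's session:
SELECT VNDR_ID, VNDR_NAME FROM PRR.VNDR_PUBLIC;   -- succeeds
SELECT VNDR_SRCE_CD FROM PRR.VNDR_PUBLIC;        -- fails: column is not in the view
SELECT VNDR_SRCE_CD FROM PRR.VNDR;               -- fails: no privilege on the base table
```

On the ACF2 side, the rule for this view follows the format shown above, with the $KEY naming the view (for this example, PRR.VNDR_PUBLIC) and SERVICE(SELECT) allowed for the intended UID mask. Make sure no other rule line allows SELECT on the base table PRR.VNDR to that same UID mask, or the view is again bypassable.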

ACF2 column-specific control exists only to prevent users from updating or referencing certain columns of a table; the COLUMN keyword goes with the UPDATE and REFERENCES services, not with SELECT. Specify those column-level rules on their own rule lines, separate from the other services. For example, if you want UID(*DATAP**********APL0256) to delete, insert and select from a table but not update three particular columns, use the following rule lines:

UID(*DATAP**********APL0256) SERVICE(DELETE,INSERT,SELECT) allow
UID(*DATAP**********APL0256) SERVICE(UPDATE) COLUMN(VNDR_BD_INDU_TXT,VNDR_PRPSE_CD,VNDR_SRCE_CD) PREVENT

In your case you want to prevent users from seeing parts of the table at all. A COLUMN() PREVENT line only stops updates and references to those columns; it does not hide them from SELECT, so the rule lines above would not help with that. The view approach described first is the way to do it: the view omits the protected columns, and users who are permitted SELECT on the view only ever see the columns it exposes.