What is needed to setup DB2 secondary AUTHIDs with CA-ACF2?
Release: ACF2 R16
Component: ACF2MS
To use secondary authorization IDs with DB2, you can use the CA-ACF2 secondary authid exits and define source group records for the secondary authorization IDs.
* The ACF2/DB2 interface is not required to implement secondary authids.
DB2 provides two exits that let you inspect or modify a user's identity to DB2.
These exits supply a list of alternate or "secondary" authorization IDs that DB2 can use in its internal verification routines.
These secondary authorization IDs help reduce some of the security issues surrounding the "cascade effect" a DB2 REVOKE causes.
The two exits are DSN3@ATH and DSN3@SGN.
You must link-edit them into the DB2 library. DSN3@ATH is a connection authorization exit that gets control at MUSASS region startup and during each TSO or batch job access to DB2.
DSN3@SGN is a sign-on exit similar to DSN3@ATH. DSN3@SGN gets control whenever a user in a MUSASS region requests a DB2 resource.
DB2 invokes these exits to let you inspect or modify the user's primary authorization ID.
Both exits can provide DB2 with a list of secondary authorization IDs that can be used for validations in addition to the primary authorization ID.
The primary authorization ID is usually the LOGONID of the user accessing the system.
CA-ACF2 provides two sample exits that you can use instead of IBM-supplied default exits.
They associate a list of secondary authorization IDs to a LOGONID or primary authorization ID.
They also set the value of the current SQL ID.
These exits, CSECT DSN3@ATH and CSECT DSN3@SGN, reside in members ACF3@ATH and ACF3@SGN, respectively, of library CAI.CAX1MAC0.
Define Source Groups
To use the CA-ACF2 exit routines at your site, you must define source group records.
Source group records identify secondary authorization IDs.
To determine the secondary ID, the exits provide CA-ACF2 with the DB2 primary authorization ID.
CA-ACF2 reads CA-ACF2 source group records, prepares a list of secondary authorization IDs, and returns this list to DB2.
You can use entry source group (E-SGP) records or cross-reference source group (X-SGP) records to identify the secondary IDs.
However, if you plan to convert to CA-ACF2 for DB2 in the future, be aware that the CA-ACF2 for DB2 conversion utility that translates DB2 catalog entries into rule entries does not accept X-SGP records.
You must use E-SGP records with the conversion utility.
The following examples show how to define entry source group (E-SGP) records for secondary authorization IDs.
In these examples, LID1, LID2, and LID3 are the LOGONIDs.
The secondary authorization IDs are DB2ID1, DB2ID2, and DB2ID3.
This first example shows how to create source group XREF entries for each secondary ID and relate that to one primary LOGONID.
  ACF
  SET XREF(SGP)
  INSERT DB2ID1 INCLUDE(LID1) SOURCE
  INSERT DB2ID2 INCLUDE(LID1) SOURCE
  INSERT DB2ID3 INCLUDE(LID1) SOURCE
Then, for example purposes only, LID2 is added to the DB2ID2 source group and LID3 is added to the DB2ID2 and DB2ID3 source groups (to show the use of the CHANGE and INSERT commands):
  ACF
  SET XREF(SGP)
  CHANGE DB2ID2 INCLUDE(LID2)
  CHANGE DB2ID2 INCLUDE(LID3)
  CHANGE DB2ID3 INCLUDE(LID3)
This second example shows how to create E-SGP source group entries for each secondary ID using the same requirements as above.
  ACF
  SET ENTRY(SGP)
  INSERT DB2ID1 NEWDATA(LID1)
  INSERT DB2ID2 NEWDATA(LID1)
  INSERT DB2ID3 NEWDATA(LID1)
  ACF
  SET ENTRY(SGP)
  CHANGE DB2ID1 NEWDATA(LID2)
  CHANGE DB2ID2 NEWDATA(LID2)
  CHANGE DB2ID3 NEWDATA(LID3)
The following chart shows the list of secondary authorization IDs that CA-ACF2 passes to DB2 when each logonid connects to DB2 based on either of the above X-SGP or E-SGP groups:
If the logonid is: | CA-ACF2 passes this list:
LID1 | DB2ID1, DB2ID2, DB2ID3
LID2 | DB2ID1, DB2ID2
LID3 | DB2ID1, DB2ID3
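The lookup described above (the exits hand CA-ACF2 the primary AUTHID, CA-ACF2 reads the source group records and returns the secondary IDs) can be modelled to review a mapping before the exits go live. This is an added example, not CA-ACF2 code or the article's own; the command stream is constructed in the page's X-SGP style, and it assumes that INCLUDE accepts several LOGONIDs, that INSERT creates a record and that CHANGE adds to it.

```python
"""Model of the secondary-AUTHID lookup the DSN3@ATH/DSN3@SGN exits trigger:
read source group records, invert them, and produce the per-LOGONID list."""
import re
from collections import defaultdict

# Constructed sample in the article's X-SGP style (not from the article).
# Assumption for this model: INCLUDE may list several LOGONIDs at once.
SAMPLE_XSGP_COMMANDS = """
ACF
SET XREF(SGP)
INSERT DB2ID1 INCLUDE(LID1,LID2,LID3) SOURCE
INSERT DB2ID2 INCLUDE(LID1,LID2) SOURCE
INSERT DB2ID3 INCLUDE(LID1,LID3) SOURCE
"""

# INSERT/CHANGE <record> INCLUDE(...) or NEWDATA(...); trailing keywords ignored.
_RECORD = re.compile(
    r"^(?:INSERT|CHANGE)\s+(\w+)\s+(?:INCLUDE|NEWDATA)\(([^)]*)\)", re.I)


def parse_source_groups(commands):
    """Return {secondary authid: set(logonids)} from an ACF command stream.
    Model assumption: INSERT creates the record, CHANGE adds to its list."""
    groups = defaultdict(set)
    for line in commands.splitlines():
        m = _RECORD.match(line.strip())
        if m:
            members = re.split(r"[,\s]+", m.group(2).strip())
            groups[m.group(1).upper()].update(x.upper() for x in members if x)
    return dict(groups)


def secondary_ids(groups, primary):
    """The list CA-ACF2 returns to DB2 for one primary AUTHID: every source
    group record whose member list names that LOGONID (sorted for stability)."""
    primary = primary.upper()
    return sorted(g for g, members in groups.items() if primary in members)


def connection_list(groups):
    """Per-LOGONID view (the article's chart) for reviewing who gains which
    secondary IDs before the exits are link-edited into the DB2 library."""
    logonids = sorted(set().union(*groups.values())) if groups else []
    return {lid: secondary_ids(groups, lid) for lid in logonids}


if __name__ == "__main__":
    for lid, ids in connection_list(parse_source_groups(SAMPLE_XSGP_COMMANDS)).items():
        print(f"{lid}: {', '.join(ids)}")
```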
For details on source group XREF records, see Cross-Reference Records.
For details on source and group entry records, see Entry Source and Source Group Records.