We are preparing to enable SQL Security on our mainframe. Which is the better route - implement Datacom/DB External Security to have a higher security level over all data, or only implement SQL security?
z/OS
If you have Datacom databases in use that are accessed by COBOL Native-call, Ideal, or other languages in addition to SQL, then it would make sense to implement External Security to provide controls and protection for those databases. If the tables are defined purely using SQL (outside of Datadictionary, for example), and the data is accessed only using SQL and not via DBUTLTY or any other utility, then you could manage the access using SQL Grant functions.
However, because the data still resides within Datacom databases, it would remain exposed to anyone who can use DBUTLTY or other Datacom utilities to access the data outside of SQL control. External Security would therefore provide better protection against that, too.
If you have not done so, please dive into the security section of the Datacom documentation to get started. Setting up External Security is neither a simple nor a quick process, because the configuration can be as generic or as detailed as you desire. For example, it is possible to define a very open and generic security structure that is similar to a normal, unsecured MUF. At the other end, it is possible to define specific user access for every kind of access path to every database table. Of course, the more detailed your definition, the more cumbersome it is to maintain. We recommend balancing the maintenance effort against the need for security. In other words, lock down those databases and tables that need to be locked down, and let the rest be more open if the data is not as sensitive.
By setting up access to utilities and administration, you can more easily manage access for all data and metadata access points.
To help you in this journey, we also have more than 80 Knowledge Base articles dealing with External Security questions. Once you log in to the Broadcom support portal, you can search for "External Security" and select the Datacom product filter to narrow things down.
In addition, you can post questions in the Datacom CADRE community to ask other customers how they have implemented External Security or SQL security similar to your needs. With the documentation, Knowledge Base articles, and the helpful CADRE community, you should be able to determine the best way to secure your important business data and application functions.
As always, please contact Broadcom support for Datacom if you have further questions.