
WHY IS TSSDB2 1.3 NOT PROTECTING DB2 RESOURCES?

Article ID: 49561

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

After upgrading to TSSDB2 1.3, DB2 resources are no longer protected.

As a result, a user with select access can delete or add a row in a DB2TABLE.

Solution:

This problem arose with TSS DB2 1.3 and was not visible with TSS DB2 1.2 because, to be compliant with DB2 9.1 and above, TSSDB2 makes an additional check against a new DB2SYS privilege: DATAACCESS.

Because the DB2SYS resource did not have the DEFPROT attribute, TSSDB2 returned RC 04, which allowed the user to access the table instead of denying access as the previous TSSDB2 release did.

If the DEFPROT attribute had been set, TSSDB2 would have returned RC 08, access would have been denied as before, and the change would have been transparent.

Some DB2 resource classes in the RDT do NOT have the DEFPROT attribute.

You MUST run the DB13RDT job from the CADBJCL0 library.

Here is an example:

//DB13RDT   JOB                                                            
//*********************************************************************    
//*         CA TOP SECRET OPTION FOR DB2 1.3                          *    
//*         COPYRIGHT (C) 2010, CA, INC.                              *    
//*                                                                   *    
//*         MEMBER:    DB13RDT                                        *    
//*         FUNCTION:  TURN ON DEFAULT PROTECTION FOR DB2 RESOURCES   *    
//*********************************************************************   
//DB13RDT EXEC PGM=IKJEFT01,DYNAMNBR=25,REGION=2048K                      
//SYSTSPRT  DD SYSOUT=*                                                   
//SYSTSIN   DD *                                                          
TSS REPLACE(RDT) RESCLASS(DB2BUFFP) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2COLL)  ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2DBASE) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2FUNC)  ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2PKG)   ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2PLAN)  ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2PROC)  ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2SCHMA) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2STOGP) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2SYS)   ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2TABLE) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2TABSP) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2TYPE)  ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2JAR)   ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2SEQ)   ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2TRCON) ATTR(DEFPROT)                         
TSS REPLACE(RDT) RESCLASS(DB2ROLE)  ATTR(DEFPROT)                         
//
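
To confirm the job took effect, a captured RDT listing (for example the saved output of TSS LIST(RDT)) can be checked offline for DB2 classes that still lack DEFPROT. This is an added example, not CA code: the `RESOURCE CLASS =` / `ATTRIBUTE =` line layout is an assumption, the sample listing is constructed, and the function names are hypothetical.

```python
import re

# The 17 resource classes that the DB13RDT job on this page sets to DEFPROT.
DB2_CLASSES = (
    "DB2BUFFP DB2COLL DB2DBASE DB2FUNC DB2PKG DB2PLAN DB2PROC DB2SCHMA DB2STOGP "
    "DB2SYS DB2TABLE DB2TABSP DB2TYPE DB2JAR DB2SEQ DB2TRCON DB2ROLE"
).split()

# Constructed sample listing; the layout is an assumption and may differ at your site.
SAMPLE_LISTING = """\
RESOURCE CLASS = DB2TABLE
ATTRIBUTE = MASK,MAXOWN(08),MAXPERMIT(044),ACCESS,DEFPROT
RESOURCE CLASS = DB2SYS
ATTRIBUTE = MASK,MAXOWN(08),MAXPERMIT(044),ACCESS
RESOURCE CLASS = DB2PLAN
ATTRIBUTE = MAXOWN(08),MAXPERMIT(044),ACCESS
"""

def parse_rdt(listing):
    """Map each resource class in the listing to the set of its attributes."""
    attrs, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"\s*RESOURCE CLASS\s*=\s*(\S+)", line)
        if m:
            current = m.group(1).upper()
            attrs[current] = set()
            continue
        m = re.match(r"\s*ATTRIBUTE\s*=\s*(.*)", line)
        if m and current:
            # Repeated ATTRIBUTE lines for one class are merged.
            attrs[current] |= {a.strip().upper() for a in m.group(1).split(",") if a.strip()}
    return attrs

def audit(listing, classes=DB2_CLASSES):
    """Return (classes listed without DEFPROT, classes not found in the listing)."""
    attrs = parse_rdt(listing)
    missing = [c for c in classes if c in attrs and "DEFPROT" not in attrs[c]]
    unseen = [c for c in classes if c not in attrs]
    return missing, unseen

def remediation(classes):
    """TSS commands in the same form as the DB13RDT job, for the flagged classes."""
    return [f"TSS REPLACE(RDT) RESCLASS({c}) ATTR(DEFPROT)" for c in classes]

if __name__ == "__main__":
    missing, unseen = audit(SAMPLE_LISTING)
    print("No DEFPROT:", missing)
    print("Not in listing (verify separately):", unseen)
    print("\n".join(remediation(missing)))
```

Classes reported as not found are kept separate from those missing DEFPROT, so an incomplete capture is not mistaken for a protected RDT.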

Environment

Release:
Component: AWAGNT