DOCSLIB.ORG

Db2 12 for Z/OS: Managing Security Chapter 1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Db2 12 for Z/OS: Managing Security Chapter 1 Db2 12 for z/OS Managing Security IBM SC27-8854-02 Notes Before using this information and the product it supports, be sure to read the general information under "Notices" at the end of this information. Subsequent editions of this PDF will not be delivered in IBM Publications Center. Always download the latest edition from PDF format manuals for Db2 12 for z/OS (Db2 for z/OS in IBM Documentation). 2021-09-10 edition This edition applies to Db2® 12 for z/OS® (product number 5650-DB2), Db2 12 for z/OS Value Unit Edition (product number 5770-AF3), and to any subsequent releases until otherwise indicated in new editions. Make sure you are using the correct edition for the level of the product. Specific changes are indicated by a vertical bar to the left of a change. A vertical bar to the left of a figure caption indicates that the figure has changed. Editorial changes that have no technical significance are not noted. © Copyright International Business Machines Corporation 1982, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this information.......................................................................................... ix Who should read this information................................................................................................................x Db2 Utilities Suite for z/OS...........................................................................................................................x Terminology and citations............................................................................................................................x Accessibility features for Db2 12 for z/OS..................................................................................................xi How to send your comments about Db2 for z/OS documentation............................................................ xi How to read syntax diagrams.....................................................................................................................xii Chapter 1. Getting started with Db2 security.......................................................... 1 Db2 security solutions................................................................................................................................. 1 Db2 data access control.............................................................................................................................. 1 ID-based access control within Db2......................................................................................................2 Role-based access control within Db2.................................................................................................. 3 Ownership-based access control within Db2........................................................................................3 Access control through multilevel security............................................................................................4 Access control external to Db2.............................................................................................................. 4 Db2 subsystem access control....................................................................................................................4 Managing access requests from local applications...............................................................................5 Managing access requests from remote applications...........................................................................5 Data set protection.......................................................................................................................................6 Scenario: Securing data access with Db2 facilities at Spiffy Computer.....................................................6 Determining security objectives.............................................................................................................7 Securing manager access to employee data......................................................................................... 7 Securing access to payroll operations and management................................................................... 11 Managing access privileges of other authorities................................................................................. 15 Chapter 2. Managing access through authorization IDs and roles.......................... 19 Authorization IDs and roles.......................................................................................................................21 Authorization IDs..................................................................................................................................21 Roles in a trusted context.................................................................................................................... 22 Privileges and authorities.......................................................................................................................... 23 Explicit privileges................................................................................................................................. 23 Implicit privileges through object ownership......................................................................................29 Administrative authorities....................................................................................................................31 Common Db2 administrative authorities.............................................................................................42 Utility authorities for Db2 catalog and directory................................................................................. 43 Privileges by authorization ID and authority....................................................................................... 44 Managing administrative authorities.........................................................................................................53 Separating the SYSADM authority........................................................................................................53 Migrating the SYSADM authority..........................................................................................................56 Creating roles or trusted contexts with the SECADM authority.......................................................... 59 Altering tables with the system DBADM authority.............................................................................. 60 Accessing data with the DATAACCESS authority.................................................................................60 Granting and revoking privileges with the ACCESSCTRL authority.....................................................61 Managing explicit privileges...................................................................................................................... 62 Granting privileges to a role................................................................................................................. 62 Granting privileges to the PUBLIC ID...................................................................................................63 Granting privileges to remote users.....................................................................................................64 Granting privileges through views....................................................................................................... 64 Granting privileges through administrative authorities.......................................................................65 iii Granting privileges with the GRANT statement...................................................................................65 Revoking privileges with the REVOKE statement................................................................................70 Managing implicit privileges...................................................................................................................... 79 Managing implicit privileges through object ownership......................................................................80 Managing implicit privileges through plan or package ownership......................................................82 Managing implicit privileges through routines.................................................................................... 90 Retrieving privilege records in the Db2 catalog......................................................................................103 Catalog tables with privilege records................................................................................................ 103 Retrieving all authorization IDs or roles with granted privileges......................................................104 Retrieving multiple grants of the same privilege...............................................................................105 Retrieving all authorization IDs or roles with the DBADM and system DBADM authorities............ 105 Retrieving all IDs or roles with access to the same table................................................................. 106 Retrieving all IDs or roles with access to the same routine..............................................................107 Retrieving plans or packages with access to the same table........................................................... 107 Retrieving privilege information through views.................................................................................108
Load more

Recommended publications
  • Cloud Enabling CICS
    Front cover Cloud Enabling IBM CICS Discover how to quickly cloud enable a traditional IBM 3270-COBOL-VSAM application Use CICS Explorer to develop and deploy a multi-versioned application Understand the benefits of threshold policy Rufus Credle Isabel Arnold Andrew Bates Michael Baylis Pradeep Gohil Christopher Hodgins Daniel Millwood Ian J Mitchell Catherine Moxey Geoffrey Pirie Inderpal Singh Stewart Smith Matthew Webster ibm.com/redbooks International Technical Support Organization Cloud Enabling IBM CICS December 2014 SG24-8114-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (December 2014) This edition applies to CICS Transaction Server for z/OS version 5.1, 3270-COBOL-VSAM application. © Copyright International Business Machines Corporation 2014. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii IBM Redbooks promotions . ix Preface . xi Authors. xii Now you can become a published author, too! . .xv Comments welcome. .xv Stay connected to IBM Redbooks . xvi Part 1. Introduction . 1 Chapter 1. Cloud enabling your CICS TS applications . 3 1.1 Did you know?. 4 1.2 Business value . 4 1.3 Solution overview . 5 1.4 Cloud computing in a CICS TS context. 6 1.5 Overview of the cloud-enabling technologies in CICS TS V5 . 11 1.5.1 Platform overview . 12 1.5.2 Application overview . 13 Chapter 2. GENAPP introduction. 15 2.1 CICS TS topology . 16 2.2 Application architecture. 17 2.2.1 GENAPP in a single managed region.
    [Show full text]
  • Revised Naming for IBM Db2 Family Products
    IBM United States Software Announcement 217-363, dated July 18, 2017 Revised naming for IBM Db2 family products Table of contents 1 Overview 4 Ordering information 3 Planned availability date 4 Terms and conditions 3 Program number 5 Prices Overview IBM(R) Db2 is the database of choice for enterprise-wide solutions because it offers extreme performance, flexibility, scalability, and reliability for any size organization. IBM is organizing around the Db2 brand and, as a result, there will be name changes to all of the Db2 offerings. The dashDBTM family will now be renamed to Db2 and DB2(R) will now be referred to as Db2. The program numbers, part numbers, terms and conditions, and pricing will remain the same. The program names, service descriptions, and license information documents are updated to reflect the new names. The part number descriptions are updated to reflect the changes to the program names embedded in the descriptions. You do not need to make any changes to your systems and our offerings will contain the same technology with new names. The following table maps the program numbers from their prior names to their new names: Program number Prior program New program Effective date name name 5725-W92 IBM DB2 on Cloud IBM Db2 Hosted July 18, 2017 5725-U38 IBM dashDB for IBM Db2 July 18, 2017 Analytics Warehouse on Cloud 5725-U32 IBM Bluemix(R) IBM Bluemix July 18, 2017 Dedicated Data Dedicated Data Repositories Repositories 5737-C74 IBM dashDB IBM Db2 on Cloud July 18, 2017 Enterprise for Transactions SaaS 5724-M15 DB2 ConnectTM
    [Show full text]
  • 13347 CICS Introduction and Overview
    CICS Introduction and Overview Ezriel Gross Circle Software Incorporated August 13th, 2013 (Tue) 4:30pm – 5:30pm Session 13347 Agenda What is CICS and Who Uses It Pseudo Conversational Programming CICS Application Services CICS Connectivity CICS Resource Definitions CICS Supplied Transactions CICS Web Services CICS The Product What is CICS? CICS is an online transaction processing system. Middleware between the operating system and business applications. Manages the user interface. Retrieves and modifies data. Handles the communication. CICS Customers Banks Mortgage Account Reconciliations Payroll Brokerage Houses Stock Trading Trade Clearing Human Resources Insurance Companies Policy Administration Accounts Receivables Claims Processing Batch Versus Online Programs The two ways to process input are batch and online. Batch requests are saved then processed sequentially. After all requests are processed the results are transmitted. Used for order entry processing such as warehouse applications. Online requests are received randomly and processed immediately. Results are transmitted as soon as they are available. Response time tends to be sub-second. Used for applications – such as: Credit Card Authorization. Transaction Processing Requirements Large volume of business transactions to be rapidly and accurately processed Multiple users, single/sysplex or distributed With potentially: – A huge number of users – Simultaneous access to data – A large volume of data residing in multiple database types – Intense security and data integrity controls necessary The access to the data is such that: – Each user has the perception of being the sole user of the system – A set of changes is guaranteed to be logically consistent. If a failure occurs, any intermediate results are undone before the system becomes available again – A completed set of changes is immediately visible to other users A Business Transaction A transaction has a 4-character id.
    [Show full text]
  • Part 2 the Next Generation Iseries... Simplicity in an on Demand World
    IBM eServerJ iSeriesJ GP03 Technical Overview - Part 2 The Next Generation iSeries... Simplicity in an On Demand World January, May 2003 Announcements © 2000-2003 IBM Corporation IBM eServer iSeries The Customer Challenge: Solving the Cost3 Equation 2. Cost of Ongoing Operations ... Ongoing cost of skills to deploy and manage solutions © 2000-2003 IBM Corporation IBM eServer iSeries Enterprise IT management Made Simple OS/400 V5R2 Highlights Performance at your fingertips Flexible Capacity Upgrade on Demand i825, i870 and i890 Dynamic logical partitioning for award-winning 64-bit Linux7 Intuitive iSeries Navigator workload management tools Adaptive storage virtualization for high availability Mainframe-class functionality with switched disk cluster management Self-optimizing, multiple IBM DB27 UDB images for business unit consolidation Extensive Windows server management now supports Microsoft7 Cluster Service Flexible, secure management of e-business infrastructure Industry's first IBM Autonomous Computing Initiative inspired Enterprise Identity Mapping facilitates true single signon High performance Apache Web serving with secure sockets and caching accelerators Simple and pervasive operations with wireless-optimized Web-ready micro-drivers © 2000-2003 IBM Corporation IBM eServer iSeries Notes: Enterprise IT Management Made Simple OS/400 V5R2 builds on the mainframe-class management functions of OS/400 V5R1, such as dynamic logical partitioning with built-in graphical management tools such as iSeries Navigator. OS/400 V5R2 continues to focus on enterprise-class management tools with new self-managing technologies from IBM's Autonomic Computing project. V5R2 also extends many of the virtualization technologies available on the iSeries, to further assist clustering and business continuity solutions. For example, switched disk cluster services are extended with V5R2 to support database objects.
    [Show full text]
  • Introduction-To-Mainframes.Pdf
    Mainframe The term ‘MainFrame’ brings to mind a giant room of electronic parts that is a computer, referring to the original CPU cabinet in a computer of the mid-1960’s. Today, Mainframe refers to a class of ultra-reliable large and medium-scale servers designed for carrier-class and enterprise-class systems operations. Mainframes are costly, due to the support of symmetric multiprocessing (SMP) and dozens of central processors existing within in a single system. Mainframes are highly scalable. Through the addition of clusters, high-speed caches and volumes of memory, they connect to terabyte holding data subsystems. Mainframe computer Mainframe is a very large and expensive computer capable of supporting hundreds, or even thousands, of users simultaneously. In the hierarchy that starts with a simple microprocessor at the bottom and moves to supercomputers at the top, mainframes are just below supercomputers. In some ways, mainframes are more powerful than supercomputers because they support more simultaneous programs. But supercomputers can execute a single program faster than a mainframe. The distinction between small mainframes and minicomputers is vague, depending really on how the manufacturer wants to market its machines. Modern mainframe computers have abilities not so much defined by their single task computational speed (usually defined as MIPS — Millions of Instructions Per Second) as by their redundant internal engineering and resulting high reliability and security, extensive input-output facilities, strict backward compatibility with older software, and high utilization rates to support massive throughput. These machines often run for years without interruption, with repairs and hardware upgrades taking place during normal operation.
    [Show full text]
  • CICS Transaction Server for OS/390 Installation Guide
    CICS® Transaction Server for OS/390® Installation Guide Release 3 GC33-1681-30 CICS® Transaction Server for OS/390® Installation Guide Release 3 GC33-1681-30 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Third edition (June 1999) This edition applies to Release 3 of CICS Transaction Server for OS/390, program number 5655-147, and to all subsequent versions, releases, and modifications until otherwise indicated in new editions. Make sure you are using the correct edition for the level of the product. This edition replaces and makes obsolete the previous edition, SC33-1681-00. The technical changes for this edition are summarized under ″Summary of changes″ and are indicated by a vertical bar to the left of a change. Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address given below. At the back of this publication is a page entitled “Sending your comments to IBM”. If you want to make comments, but the methods described are not available to you, please address them to: IBM United Kingdom Laboratories, Information Development, Mail Point 095, Hursley Park, Winchester, Hampshire, England, SO21 2JN. When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. © Copyright International Business Machines Corporation 1989, 1999. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    [Show full text]
  • CA Datacom CICS Services Best Practices Guide
    CA Datacom® CICS Services Best Practices Guide Version 14.02 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
    [Show full text]
  • Enterprise PL/I for Z/OS V5.3 Compiler and Runtime Migration Guide Part 1
    Enterprise PL/I for z/OS Version 5 Release 3 Compiler and Run-Time Migration Guide IBM GC27-8930-02 Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page 181. Third Edition (September 2019) This edition applies to Version 5 Release 3 of Enterprise PL/I for z/OS, 5655-PL5, and to any subsequent releases until otherwise indicated in new editions or technical newsletters. Make sure you are using the correct edition for the level of the product. Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address below. A form for readers' comments is provided at the back of this publication. If the form has been removed, address your comments to: IBM Corporation, Department H150/090 555 Bailey Ave San Jose, CA, 95141-1099 United States of America When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. Because IBM® Enterprise PL/I for z/OS® supports the continuous delivery (CD) model and publications are updated to document the features delivered under the CD model, it is a good idea to check for updates once every three months. © Copyright International Business Machines Corporation 1999, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Tables.................................................................................................................. xi Figures............................................................................................................... xiii About this book....................................................................................................xv Using your documentation........................................................................................................................
    [Show full text]
  • IBM Db2 11.5 Delivers Enhancements to Help Automate Data Management, Eliminate ETL, and Support Artificial Intelligence Data Workloads
    IBM Japan Software Announcement JP19-0637, dated October 29, 2019 Revised information: IBM Db2 11.5 delivers enhancements to help automate data management, eliminate ETL, and support artificial intelligence data workloads Table of contents 1 Overview 9 Publications 2 Key requirements 9 Technical information 2 Planned availability date 9 Ordering information 2 Description 10 Terms and conditions 8 Program number 10 Prices At a glance IBM(R) Db2(R) 11.5 offers database efficiency, simplicity, and reliability in the form of new features and enhancements that address a variety of business requirements, offering robust enterprise security features, simplified installation and deployment, improved usability and adoption, a streamlined upgrade process, enhancements to large databases, and improvements to BLU Acceleration(R): • Three editions are now available: IBM Db2 Community Edition, IBM Db2 Standard Edition, and IBM Db2 Advanced Edition. All three editions provide unrestricted access to the full feature set of IBM Db2. • IBM Db2 Advanced Recovery Feature is available with all three editions (Db2 Community Edition, Db2 Standard Edition, and Db2 Advanced Edition). This feature consists of advanced database backup, recovery, and data extraction tools that can help you improve data availability, mitigate risk, and accelerate crucial administrative tasks when time is limited. Overview This announcement supersedes the previous Software Announcement JP19-0260, dated June 4, 2019. The IBM Db2 family of hybrid data management solutions is built on an intelligent Common SQL Engine that is designed for scalability and flexibility and to run on premises, and any private and public cloud. IBM Db2 11.5 is available through three editions: • Db2 Community Edition • Db2 Standard Edition • Db2 Advanced Edition All three editions provide unrestricted access to the full feature set of IBM Db2.
    [Show full text]
  • CICS System Services
    CICS System Services Mainframe CICS System Services July 2021 Rate Description Rate FY22/FY23 Debit Code CICS zIIP $0.1780/CICS Unit 5 CICS zIIP $0.1780/CICS Unit 6 All OCIO rates can be found at: https://cio.nebraska.gov/financial/serv-rates.html General Overview Customer Information Control System or CICS System Services provide an interactive transaction-based processing environment to host business applications that are reliable, scalable, and secure. CICS features include: • Ability to process a high volume of transactions. • Ability to efficiently support event processing, dynamic scripting, web browser (HTML), and 3270 presentation of data. • Ability to access multiple types of data structures, such as relational databases, hierarchical databases (IMS), and VSAM data sets. • Ability to support other application features such as; report printing, document imaging, application help functionality, and other z/OS automation capabilities. Service Details The service includes: • 24/7 CICS application and business event hosting with traditional 3270 and web browser presentation. • z/OS Enterprise mainframe security and protection for CICS application software, application data, and user security. • 24/7 Service Desk support. This includes ‘incident troubleshooting’ for CICS application environments. • Complete CICS application data backup and recovery services. • Complete CICS application disaster recovery facilities and services provided. Office of the CIO/ Mainframe CICS System Services | Contact: CIO Service Desk: 402.471.4636 or 800.982.2468 1 CICS System Services • z/OS System automation available for unique CICS application mainframe requirements. • CICS automated services to coordinate application “On-line” and “Batch” processes. • Automated software to generate CICS maps. • Automated software to assist applications with reporting (style sheets).
    [Show full text]
  • Appendix A: Current Environment Overview the Following Subsections Provide an Overview of the Current Technical Environment
    1 Appendix A: Current Environment Overview The following subsections provide an overview of the current technical environment. N-FOCUS – Nebraska’s Legacy Integrated Health and Human Services and Benefits Application Nebraska Family Online Client User System (N-FOCUS) is an integrated system that automates benefit/service delivery and case management for more than 30 DHHS programs, including Aid to Dependent Children (ADC), Supplemental Nutrition Assistance Program (SNAP), Child Welfare and Medicaid. The system was initially developed in partnership with Accenture as the prime Systems Integrator. N-FOCUS functions include client/case intake, eligibility determination, case management, service authorization, benefit payments, claims processing and payments, provider contract management, interfacing with other private, state and federal organizations, and management and government reporting. N-FOCUS was implemented in production in mid-1996 and is operational statewide. The typical N-FOCUS user is a DHHS or contracted employee. N-FOCUS supports over 2500 workers, operating from offices around the State as well as from 4 customer service centers and a centralized scanning facility. Some cases are assigned to specific workers; however, the majority of cases are managed via a universal caseload methodology coordinated by the customer service centers. N-FOCUS has both batch and online components and stores data in Db2 and SQL Server. The Db2 database has over 650 tables, some with a corresponding archive table. There are over 785 relationships between tables, 1278 indexes, and over 9665 attributes. There are over 1.7 billion rows of production data with over 193 million rows in one table with an average table size of 3.2 million rows.
    [Show full text]
  • IBM Db2 on Cloud Solution Brief
    Hybrid Data Management IBM Db2 on Cloud A fully-managed, relational database on IBM Cloud and Amazon Web Services with elastic scaling and autonomous failover 1 IBM® Db2® on Cloud is a fully-managed, SQL cloud database that can be provisioned on IBM Cloud™ and Amazon Web Services, eliminating the time and expense of hardware set up, software installation, and general maintenance. Db2 on Cloud provides seamless compatibility, integration, and licensing with the greater Db2 family, making your data highly portable and extremely flexible. Through the Db2 offering ecosystem, businesses are able to desegregate systems of record and gain true analytical insight regardless of data source or type. Db2 on Cloud and the greater Db2 family support hybrid, multicloud architectures, providing access to intelligent analytics at the data source, insights across the business, and flexibility to support changing workloads and consumptions cases. Whether you’re looking to build cloud-native applications, transition to a fully-managed instance of Db2, or offload certain workloads for disaster recovery, Db2 on Cloud provides the flexibility and agility needed to run fast queries and support enterprise-grade applications. Features and benefits of Db2 on Cloud Security and disaster recovery Cloud databases must provide technology to secure applications and run on a platform that provides functional, infrastructure, operational, network, and physical security. IBM Db2 on Cloud accomplishes this by encrypting data both at rest and in flight, so that data is better protected across its lifecycle. IBM Db2 on Cloud helps restrict data use to only approved parties with user authentication for platform services and resource access control.
    [Show full text]