Using RACF with DB2 for z/OS

Short course

In High Wycombe

£ 425 + VAT

Description

  • Type

    Short course

  • Location

    High Wycombe

  • Duration

    1 Day

On successful completion of this course, attendees will be able to: describe DB2 security, understand terminology used with DB2 security, use and structure DB2 security tables, use primary, secondary, and CURRENT SQLID authorisation IDs used by DB2, use SQL to control security using the GRANT and REVOKE statements, describe the meaning of explicit, implicit, composite and. Suitable for: All DB2 or RACF security administrators wishing to gain further insight into controlling DB2 security using RACF.

Facilities

Location

High Wycombe (Buckinghamshire)
24 - 28 Crendon Street, HP13 6LS

Start date

On request

About this course

A working knowledge of RACF and an understanding of DB2 at a conceptual & terminological level.


Course programme

Objectives
On successful completion of this course, attendees will be able to:
  • describe DB2 security
  • understand terminology used with DB2 security
  • use and structure DB2 security tables
  • use primary, secondary, and CURRENT SQLID authorisation IDs used by DB2
  • use SQL to control security using the GRANT and REVOKE statements
  • describe the meaning of explicit, implicit, composite and grouped privileges
  • explain ownership considerations with regard to DB2 objects
  • control DB2 address space and data set authorisation using RACF
  • use RACF to control access to DB2 objects
  • describe the new RACF classes for DB2 objects
  • create RACF profiles for DB2 objects
  • describe the migration tools to assist in migrating DB2 security into RACF
  • understand the additional considerations when using DB2 in a distributed environment.
Who Should Attend
All DB2 or RACF security administrators wishing to gain further insight into controlling DB2 security using RACF.
Prerequisites
A working knowledge of RACF and an understanding of DB2 at a conceptual & terminological level.
Duration
1 day

Course Code
DSR
Contents
Introduction
Security overview; Sign-on security; Connection security; DB2 internal security; Other options; Security strategy (Transaction Manager or DB2); Security strategy (centralised or decentralised); Using remote applications.


Internal DB2 security
DB2 security; DB2 security mechanism; DB2 security tables; Security terms; Authorisation ID; Privilege; Resource; Primary and Secondary Authorisation IDs; Maintaining security; Data Control Language; Grouped privileges; Explicit & implicit privileges; Ownership considerations; Static and Dynamic SQL; Static SQL considerations; Dynamic SQL considerations; DB2 security disadvantages.


Data Control Language & Privileges
SQL GRANT and REVOKE statements; Cascading REVOKE; Package, plan & collection privileges; Database, table, & view privileges; Other object privileges; System privileges; Example 1 - application development; Example 2 - Bind; Example 3 - program execution; Insufficient authority.


DB2 Security Reporting and Auditing
DB2 catalog security tables; Common table columns; SYSIBM.SYSCOLAUTH; SYSIBM.SYSDBAUTH; SYSIBM.SYSPACKAUTH / SYSIBM.SYSPLANAUTH; SYSIBM.SYSRESAUTH; SYSIBM.SYSROUTINEAUTH; SYSIBM.SYSSCHEMAAUTH; SYSIBM.SYSSEQUENCEAUTH; SYSIBM.SYSTABAUTH; SYSIBM.SYSUSERAUTH; Auditing tables; Audit trace.


RACF Security Overview
What is RACF?; Identifying and verifying users; Checking authorisations; Recording and reporting; Terminology - users and groups; Terminology - resources and classes; Terminology - profiles; User profile; Resource Profile; Discrete and generic profiles; Creating Generic Profiles; Maintaining RACF Security.


Defining the DB2 Subsystem to RACF
Address space authorisation; Protected access profiles; RACF router table; DB2 address spaces; Permitting RACF access; Protecting DB2 data sets - create profiles; Protecting DB2 data sets - permitting access.


Defining DB2 Objects to RACF
Native DB2 security; DB2 with RACF; RACF / DB2 external security module; Installation; Mapping DB2 authorisation checks; Scope of RACF classes; Multi-subsystem scope classes; Single subsystem scope classes; Customisation; DB2 objects and RACF classes; Profiles; Privileges - buffer pools, storage groups & tablespaces; Privileges - DB2 system; Privileges - database and schema; Privileges - tables, views, indexes and user-defined functions; Privileges - collection, plan and package; Privileges - distinct types, sequences and stored procedures; Privileges - administrative authorities; Insufficient authority; Migration tools.


Multi-Level Security
Multi-level security overview; Security labels; Row level granularity; Multi-level security and SELECT; Multi-level security and INSERT; Multi-level security and UPDATE; Multi-level security and DELETE; Multi-level security and utilities.


Distributed Data Considerations
Distributed Data overview; DDF components; Communications tables; Security actions (client); Security actions (server with SNA client); Security actions (server with TCP/IP client).


