One obvious decision to be made up front is who is going to administer
DB2 security, which could be more of a political decision than a technical
one. It would probably be unusual for DB2 Administrators to also be the
ones doing primary RACF administration, so if you change all of the DB2
security to use RACF profiles with RACF groups as the controlling points
for functional access to DB2 grants, you might not necessarily want to
shift responsibility for defining the groups and grant structure away
from DB2 Administrators, who might be the only ones in a position to
understand what Grants are appropriate.
It is possible to allow a DB2 Administrator authority to create and
manage RACF profiles only within specific RACF classes, e.g., those
controlling DB2 security. It would even be possible to give that DB2
Administrator Group Special control over a RACF group that will then be
used to "own" all the DB2-related functional RACF groups, which would
give the DB2 Administrator the power to create/remove new "owned" groups
(with some naming convention essential to avoid potential interference
with dataset HLQ groups and other groups unrelated to DB2) and to
connect/remove users from those groups. If the functions of the groups
are well documented, routine assignment of users to those groups might
be a task that should be given to regular RACF Administrators even if
the RACF functional groups and grants are set up by DB2 Administrators.
Joel C Ewing
On 07/07/2012 10:00 AM, Bernd Oppolzer wrote:
I believe the very short answer to this is:
you give the DB2 GRANTs to RACF groups instead of individual users,
and then you use RACF to do the administration of the RACF groups,
that is: if anyone needs some DB2 rights, you make him or her a member
of the proper RACF group.
You need a naming convention to know what DB2 rights are contained
in what RACF group. Maybe you could pack all tables that belong to an
"application" or a "system" in one RACF group and make the name of the
RACF group the name of the application or the system. Or: one RACF group
for all the tables in your DB2 test or development system etc.
Kind regards
Bernd
On 07.07.2012 15:06, Mohamed Juma wrote:
Hi list,
I have a concern about using RACF to secure the access to our database
for users and administration instead of using
internal security.
Can anyone give me a clue for such an implementation?
Mohamed Juma
...
--
Joel C. Ewing, Bentonville, AR [email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
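The following batch job is an added example, written for this thread and not code from any of the posters or from IBM; it shows in RACF and DB2 commands the arrangement Joel describes (an owning group over which a DB2 administrator gets group-SPECIAL, class authority limited to the DB2 classes, functional groups under a "DB2" naming convention, RACF profiles in the DB2 classes, routine CONNECTs left to regular RACF administrators) and, as its last step, Bernd's alternative of keeping DB2 GRANTs but issuing them to the RACF groups. Every name in it is an assumed placeholder (DSN1, DB2ADMG, DB2ADM1, DB2PAYRD, DB2PAYRU, PAYROLL.EMP, USER01, the SDSNLOAD library and the DSNTEP2 plan name); step 2 assumes the DB2 RACF access control module is active with the multi-subsystem MDSNTB class, and step 4 assumes DB2's sign-on exit passes the user's RACF group list to DB2 as secondary authorization IDs.

```jcl
//DB2RACF  JOB (ACCT),'DB2 SEC VIA RACF',CLASS=A,MSGCLASS=X
//*--------------------------------------------------------------------
//* Added example (not from the thread). All names are placeholders:
//*   DSN1      DB2 subsystem id
//*   DB2ADMG   RACF group that owns every DB2 functional group
//*   DB2ADM1   userid of a DB2 administrator
//*   DB2PAYRD  functional group: PAYROLL tables, read only
//*   DB2PAYRU  functional group: PAYROLL tables, read and update
//*   USER01    an end user
//* Naming convention: DB2 functional groups all start with DB2, so
//* they cannot be confused with dataset HLQ groups.
//*--------------------------------------------------------------------
//* Step 1 (RACF administrator, once): create the owning group, give
//* the DB2 administrator group-SPECIAL over it, and restrict their
//* profile-definition authority (CLAUTH) to the DB2 classes only.
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP DB2ADMG SUPGROUP(SYS1) OWNER(SYS1) +
   DATA('OWNING GROUP FOR DB2 FUNCTIONAL GROUPS')
 CONNECT DB2ADM1 GROUP(DB2ADMG) AUTHORITY(JOIN) SPECIAL
 ALTUSER DB2ADM1 CLAUTH(DSNADM MDSNTB MDSNDB)
/*
//* Step 2 (DB2 administrator, within group-SPECIAL scope): define the
//* functional groups and the RACF profiles for the DB2 privileges,
//* as used by the DB2 RACF access control module (class MDSNTB,
//* profile = subsystem.qualifier.table.privilege). READ access on the
//* profile is what confers the DB2 privilege.
//DB2GRPS  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP DB2PAYRD SUPGROUP(DB2ADMG) OWNER(DB2ADMG) +
   DATA('PAYROLL TABLES - READ ONLY')
 ADDGROUP DB2PAYRU SUPGROUP(DB2ADMG) OWNER(DB2ADMG) +
   DATA('PAYROLL TABLES - READ AND UPDATE')
 RDEFINE MDSNTB DSN1.PAYROLL.EMP.SELECT OWNER(DB2ADMG) UACC(NONE)
 RDEFINE MDSNTB DSN1.PAYROLL.EMP.UPDATE OWNER(DB2ADMG) UACC(NONE)
 PERMIT DSN1.PAYROLL.EMP.SELECT CLASS(MDSNTB) +
   ID(DB2PAYRD DB2PAYRU) ACCESS(READ)
 PERMIT DSN1.PAYROLL.EMP.UPDATE CLASS(MDSNTB) +
   ID(DB2PAYRU) ACCESS(READ)
 SETROPTS RACLIST(MDSNTB) REFRESH
/*
//* Step 3 (regular RACF administrator, routine): assign and remove
//* users; the group DATA field documents what each group gives.
//CONNUSR  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 LISTGRP DB2PAYRD
 CONNECT USER01 GROUP(DB2PAYRD) AUTHORITY(USE)
 REMOVE USER01 GROUP(DB2PAYRU)
/*
//* Step 4 (Bernd's DB2-native alternative to step 2): keep the DB2
//* GRANTs but issue them to the RACF groups, which reach DB2 as
//* secondary authorization IDs through the sign-on exit.
//DB2GRANT EXEC PGM=IKJEFT01
//* Placeholder DB2 load library and DSNTEP2 plan name.
//STEPLIB  DD DISP=SHR,DSN=DSN1.SDSNLOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
 DSN SYSTEM(DSN1)
 RUN PROGRAM(DSNTEP2) PLAN(DSNTEP2)
 END
/*
//SYSIN    DD *
 -- Grant to RACF groups, never to individual users
 GRANT SELECT ON TABLE PAYROLL.EMP TO DB2PAYRD;
 GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE PAYROLL.EMP TO DB2PAYRU;
/*
```

Steps 2 and 4 are alternatives, not a sequence: a site either moves the privilege definitions into RACF profiles (step 2) or keeps them in DB2 (step 4), while steps 1 and 3 apply to both. Under either model an access review reduces to listing who is connected to the DB2 groups, and any change to MDSNTB profiles only takes effect after the SETROPTS RACLIST REFRESH.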