RACF for DB2 Security: The Benefits & Considerations from DB2 Security to RACF Security One or...

RACF for DB2 Security:

The Benefits & Considerations

Presented by

Vanguard Integrity Professionals

Copyright

©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

IBM, RACF, DB2, and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Java is a registered trademark of Oracle and/or its affiliates. Vanguard Administrator and Vanguard Advisor are trademarks of Vanguard Integrity Professionals – Nevada.

Legal Notice

©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited

license to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. 2

Session Topics

This part of the session discusses the post migration benefits. 3

Post Migration

2

Migration Overview

This part of the session discusses the migration from DB2 Security to RACF Security.

1

Key Benefits

This part of the session discusses the benefits of using IBM®RACF® for IBM®DB2® Security.

3 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited


reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

RACF FOR DB2 SECURITY:

THE BENEFITS & CONSIDERATIONS

Key Benefits




Key Migration Benefits

Seperation of Duties

Migration to RACF ensures security is managed by RACF

administrators versus Database Administrators to ensure separation of

duty.

Risk Reduction

Migration to RACF reduces operational risk as security is managed

within RACF and reduces cost as no additional tools are needed to manage

security within DB2.

Compliance

Migration to RACF streamlines and

improves your audit and compliance processes as

you will be able to leverage your Vanguard

tools investment .

Security

Migration to RACF improves your overall

security posture as you now have visbility

through your existing Vanguard tools into the

security of DB2.

1 2 3 4

Centralized Mainframe Security Management for DB2 in RACF






Migration Overview




Migrating from DB2 Security to RACF Security

One or several sets of general resource classes

A single profile can protect multiple objects via generics, RACFVARS, group class profiles

Phased implementation by DB2 subsystem, object type, and object

DB2





• Download the RACFDB2 utility via WWW or FTP

• Users running the tool must have SELECT privilege on the SYSIBM.SYSxxxAUTH tables

• Specify values when invoking the tool for:

– Owner for profiles

– DB2 subsystem name

– Class name root

– Single subsystem or multi-subsystem

– Last character of class name





• RACF commands are generated for 9 of the 15 DB2 Object types, and DB2 Authorities

• Not all DB2 Object types are handled:

– Java Archive files (JARs)

– Schemas

– Sequences

– Stored Procedures

– User Defined Distinct Types

– User Defined Functions





• Discrete profile RDEFINE commands for all objects, privileges and authorities

• UACC is set to READ for objects granted to PUBLIC

• AUDIT(ALL(READ)) is set for DB2 administrative authorities

• PERMIT RESET command is generated for each profile defined

• PERMIT with ACCESS(ALTER) if authorized ‘WITH GRANT’ option

• PERMIT with ACCESS(READ) if authorized without GRANT option

• PERMIT commands are generated for all GRANT statements, including users with SYSADM

• PERMIT commands are generated for all GRANT statements on tables for the table owner

• All RDEFINE commands are for profiles in the member classes




RACFDB2 Generated Commands

• Edit the generated commands – Remove or modify unnecessary commands

• Consider replacing many of the discrete profiles! – Use generic profiles? – Use some grouping profiles?

– Use RACFVARS variables for privilege qualifiers? • Define RACF classes for DB2 if using Single-

Subsystem Scope • Enable Generic profiles for the RACF classes to be

used for DB2

• Activate the DB2 general resource classes

• Execute the generated RACF commands

11





• Differences between (internal) DB2 and RACF security (See DB2 for z/OS RACF Access Control Module Guide, Chapter 10. Special Considerations )

– Materialized query tables

– PUBLIC* (DB2 V9)

– Authorization for implicitly created databases

– Authorization checking for operations on views

– Implicit privileges of ownership

– Matching schema names – ALTER and DROP Index

– CREATETMTAB, CREATE VIEW, & CREATE ALIAS privileges

– “Any table” and “any schema” privileges

– GRANT statements

– . . .





• Software, applications, tools that use the security tables in DB2 catalog?






Post Migration Benefits





Use the same skills for DB2 resources that you use for other RACF resources.

Leverage your investments in RACF and Vanguard solutions to manage your DB2 resources.

Visbility into new exposures to sometimes hidden access controls.

• Leverage existing Activity and Violation Reports

• Extend Role Based Access Control (RBAC) to DB2.

• Clean up of obsolete users and groups in DB2 permissions.





16

List all the tables that JIMM owns in the DB9G subsystem





18

Who has SYSADM authority in the DB9G subsystem





19

“S” to show the access list





20

“S” to show who is connected to the OPER group





22

I want to see which Packages user CLARKG can execute in DB9G





25

I want to delete user KEMMERT and insure all his DB2 accesses

Are removed





28

I want to see any DB2 violations that have occurred today from the current

“MAN” file





31

“S” to drill down to the detail





32

“S” to display the entire violation record




Summary

• Benefits of Using RACF for DB2 Security

• Migrating from DB2 Security to RACF Security

– Migration planning – implementation options

• Migration Considerations

• Post Migration Benefits

34




DB2 Release Considerations

• On August 3, 2010, IBM announced the End of Service (EOS) for DB2 8 for IBM®z/OS®. The effective EOS date is April 30, 2012.

• On February 7, 2012, IBM announced the End of Service (EOS) for DB2 9 for z/OS. The effective EOS date is June 27, 2014.

• On October 19, 2010, IBM announced General Availability for DB2 10 for z/OS as of October 22, 2010.

• On October 1, 2013, IBM announced DB2 11 for z/OS with planned availability on October 25, 2013.

35




Migration Assistance

• Migrations can be complex and many organizations lack the expertise and tools to achieve successful and error-free migrations of security controls from DB2 to RACF.

• Organizations are turning to the Vanguard Professional Services team to assist them with DB2-to-RACF security migrations.

• Vanguard tools migrate the 6 object types the IBM tool does not handle.

• Visit http://www.go2vanguard.com/services.php to view the DB2-to-RACF Data Sheet.




http://www.go2vanguard.com/services.php

http://www.go2vanguard.com/services.php

RACF for DB2 Security: The Benefits & Considerations from DB2 Security to RACF Security One or...

Documents

Transcript of RACF for DB2 Security: The Benefits & Considerations from DB2 Security to RACF Security One or...