RACF for DB2 Security: The Benefits & Considerations from DB2 Security to RACF Security One or...
Transcript of RACF for DB2 Security: The Benefits & Considerations from DB2 Security to RACF Security One or...
RACF for DB2 Security:
The Benefits & Considerations
Presented by
Vanguard Integrity Professionals
Copyright
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Trademarks
IBM, RACF, DB2, and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Java is a registered trademark of Oracle and/or its affiliates. Vanguard Administrator and Vanguard Advisor are trademarks of Vanguard Integrity Professionals – Nevada.
Legal Notice
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. 2
Session Topics
This part of the session discusses the post migration benefits. 3
Post Migration
2
Migration Overview
This part of the session discusses the migration from DB2 Security to RACF Security.
1
Key Benefits
This part of the session discusses the benefits of using IBM®RACF® for IBM®DB2® Security.
3 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
RACF FOR DB2 SECURITY:
THE BENEFITS & CONSIDERATIONS
Key Benefits
4 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Key Migration Benefits
Seperation of Duties
Migration to RACF ensures security is managed by RACF
administrators versus Database Administrators to ensure separation of
duty.
Risk Reduction
Migration to RACF reduces operational risk as security is managed
within RACF and reduces cost as no additional tools are needed to manage
security within DB2.
Compliance
Migration to RACF streamlines and
improves your audit and compliance processes as
you will be able to leverage your Vanguard
tools investment .
Security
Migration to RACF improves your overall
security posture as you now have visbility
through your existing Vanguard tools into the
security of DB2.
1 2 3 4
Centralized Mainframe Security Management for DB2 in RACF
5 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
RACF FOR DB2 SECURITY:
THE BENEFITS & CONSIDERATIONS
Migration Overview
6 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migrating from DB2 Security to RACF Security
One or several sets of general resource classes
A single profile can protect multiple objects via generics, RACFVARS, group class profiles
Phased implementation by DB2 subsystem, object type, and object
DB2
7 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migrating from DB2 Security to RACF Security
• Download the RACFDB2 utility via WWW or FTP
• Users running the tool must have SELECT privilege on the SYSIBM.SYSxxxAUTH tables
• Specify values when invoking the tool for:
– Owner for profiles
– DB2 subsystem name
– Class name root
– Single subsystem or multi-subsystem
– Last character of class name
8 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migrating from DB2 Security to RACF Security
• RACF commands are generated for 9 of the 15 DB2 Object types, and DB2 Authorities
• Not all DB2 Object types are handled:
– Java Archive files (JARs)
– Schemas
– Sequences
– Stored Procedures
– User Defined Distinct Types
– User Defined Functions
9 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migrating from DB2 Security to RACF Security
• Discrete profile RDEFINE commands for all objects, privileges and authorities
• UACC is set to READ for objects granted to PUBLIC
• AUDIT(ALL(READ)) is set for DB2 administrative authorities
• PERMIT RESET command is generated for each profile defined
• PERMIT with ACCESS(ALTER) if authorized ‘WITH GRANT’ option
• PERMIT with ACCESS(READ) if authorized without GRANT option
• PERMIT commands are generated for all GRANT statements, including users with SYSADM
• PERMIT commands are generated for all GRANT statements on tables for the table owner
• All RDEFINE commands are for profiles in the member classes
10 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
RACFDB2 Generated Commands
• Edit the generated commands – Remove or modify unnecessary commands
• Consider replacing many of the discrete profiles! – Use generic profiles? – Use some grouping profiles?
– Use RACFVARS variables for privilege qualifiers? • Define RACF classes for DB2 if using Single-
Subsystem Scope • Enable Generic profiles for the RACF classes to be
used for DB2
• Activate the DB2 general resource classes
• Execute the generated RACF commands
11
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migrating from DB2 Security to RACF Security
• Differences between (internal) DB2 and RACF security (See DB2 for z/OS RACF Access Control Module Guide, Chapter 10. Special Considerations )
– Materialized query tables
– PUBLIC* (DB2 V9)
– Authorization for implicitly created databases
– Authorization checking for operations on views
– Implicit privileges of ownership
– Matching schema names – ALTER and DROP Index
– CREATETMTAB, CREATE VIEW, & CREATE ALIAS privileges
– “Any table” and “any schema” privileges
– GRANT statements
– . . .
12 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migrating from DB2 Security to RACF Security
• Software, applications, tools that use the security tables in DB2 catalog?
13 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
RACF FOR DB2 SECURITY:
THE BENEFITS & CONSIDERATIONS
Post Migration Benefits
14 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
Use the same skills for DB2 resources that you use for other RACF resources.
Leverage your investments in RACF and Vanguard solutions to manage your DB2 resources.
Visbility into new exposures to sometimes hidden access controls.
• Leverage existing Activity and Violation Reports
• Extend Role Based Access Control (RBAC) to DB2.
• Clean up of obsolete users and groups in DB2 permissions.
15 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
16
List all the tables that JIMM owns in the DB9G subsystem
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
17 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
18
Who has SYSADM authority in the DB9G subsystem
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
19
“S” to show the access list
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
20
“S” to show who is connected to the OPER group
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
21 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
22
I want to see which Packages user CLARKG can execute in DB9G
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
23 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
24 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
25
I want to delete user KEMMERT and insure all his DB2 accesses
Are removed
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
26 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
27 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
28
I want to see any DB2 violations that have occurred today from the current
“MAN” file
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
29 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
30 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
31
“S” to drill down to the detail
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
32
“S” to display the entire violation record
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Post Migration Benefits
33 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Summary
• Benefits of Using RACF for DB2 Security
• Migrating from DB2 Security to RACF Security
– Migration planning – implementation options
• Migration Considerations
• Post Migration Benefits
34
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
DB2 Release Considerations
• On August 3, 2010, IBM announced the End of Service (EOS) for DB2 8 for IBM®z/OS®. The effective EOS date is April 30, 2012.
• On February 7, 2012, IBM announced the End of Service (EOS) for DB2 9 for z/OS. The effective EOS date is June 27, 2014.
• On October 19, 2010, IBM announced General Availability for DB2 10 for z/OS as of October 22, 2010.
• On October 1, 2013, IBM announced DB2 11 for z/OS with planned availability on October 25, 2013.
35
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Migration Assistance
• Migrations can be complex and many organizations lack the expertise and tools to achieve successful and error-free migrations of security controls from DB2 to RACF.
• Organizations are turning to the Vanguard Professional Services team to assist them with DB2-to-RACF security migrations.
• Vanguard tools migrate the 6 object types the IBM tool does not handle.
• Visit http://www.go2vanguard.com/services.php to view the DB2-to-RACF Data Sheet.
36 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Questions
37 37 ©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.