DB2 users, grants, and RACF

I am working with a DB2 admin for mainframe.  I am told that in DB2, if you delete a user who has given grants, the grants are also taken away.  I don't know DB2 at all, but that seems like a ridiculous way to set up grants.  I wanted to get a URL (I have searched) stating that this is or is not true.

The second portion of this is that DB2 accounts cannot be used unless they are assigned to RACF (or Top Secret or ACF2).  Then I was told that those accounts can be used by other admins, but that they have access anyway.  Can anyone help clear things up for me?

Thanks,

Awakenings
awakeningsAsked:
giltjrCommented:
O.K.  I'll tell you the way I understand it.


I also have been told that if you define a user to DB2, that user does a grant, and then you delete the user, all grants that user did will be removed.  I was told this because I asked why we had user-ids in some of the DB2 user tables for people that have been long gone from the company.   However, although you must leave them in DB2, you do NOT need to leave them in RACF/TopSecret/ACF2.

DB2 does use RACF (actually the SAF interface) for security and this means that the users must be defined in whatever you use as your security system (RACF, TopSecret, or ACF2).

--> Then I was told that those accounts can be used by other admins, but that they have access anyway.

I'm not 100% sure what you mean by this, but I believe what they are talking about is surrogate authority.   This allows one user to use the security credentials of another user without being authenticated for the second user's id.  Example:  My user id is USERA71 and yours is USERB99.  If I have surrogate authority for your id, once I am authenticated for my id, I can do certain things using your userid instead of mine.

The only place I have seen surrogate authority used is when running batch jobs.  If I submit a batch job I could put USER=USERB99 on the job card and it would run with your id and use your authority.  Now as long as you are cutting the correct SMF records this is logged so that you can tell that I did this.
Kent Olsen (Data Warehouse Architect / DBA) Commented:
Hi Awakenings,

I've not seen that behavior.  But it actually makes a lot of sense.  You won't normally delete the account of a master admin so the grants from the admin wouldn't be affected.  But cascading the grants from a user-level entity makes a lot of sense.  If User A has given grants to Users B, C, and D, and user A is deleted, the authority by which users B, C, and D were given access no longer exists.


We've got a number of mainframe people on the forum (I'm an LUW kind of guy).  If no one shows up soon to give you a definitive answer, I suggest that you run a small test.  Create user A and B, have user A grant a permission to B, then delete A and retest the authority of user B.


Kent
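Kent's reasoning and his proposed test (A grants to B, delete A, re-check B), worked through as a small Python model added here. This is not DB2 code and not from anyone in the thread; the user ids are constructed, and real DB2 cascading-revoke rules are more detailed than this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    grantor: str        # id that issued the GRANT
    grantee: str        # id that received the privilege
    privilege: str      # e.g. "SELECT ON T1"
    with_grant: bool = False  # WITH GRANT OPTION: grantee may pass it on

class AuthCatalog:
    """Simplified model: a grant is valid only while its grantor still
    holds grant authority for that privilege (admin, or a WITH GRANT grant)."""
    def __init__(self, admins):
        self.admins = set(admins)   # SYSADM-like ids; authority not derived from grants
        self.grants = []

    def can_grant(self, user, priv):
        return user in self.admins or any(
            g.grantee == user and g.privilege == priv and g.with_grant for g in self.grants)

    def grant(self, grantor, grantee, priv, with_grant=False):
        if not self.can_grant(grantor, priv):
            raise PermissionError(f"{grantor} may not grant {priv}")
        self.grants.append(Grant(grantor, grantee, priv, with_grant))

    def has(self, user, priv):
        return user in self.admins or any(
            g.grantee == user and g.privilege == priv for g in self.grants)

    def remove_user(self, user):
        """Delete an id, then revoke (cascading, to a fixpoint) every grant
        whose grantor no longer has authority to have issued it."""
        self.admins.discard(user)
        self.grants = [g for g in self.grants if g.grantee != user]
        while True:
            keep = [g for g in self.grants if self.can_grant(g.grantor, g.privilege)]
            if len(keep) == len(self.grants):
                return
            self.grants = keep

def scenario():
    """Kent's test with constructed ids; returns who still holds the privilege."""
    cat, p = AuthCatalog(["SYSADM1"]), "SELECT ON T1"
    cat.grant("SYSADM1", "USERA", p, with_grant=True)
    cat.grant("USERA", "USERB", p)                    # B: via A ...
    cat.grant("USERA", "USERC", p, with_grant=True)   # C: via A only
    cat.grant("USERC", "USERD", p)                    # D: via C, so via A
    cat.grant("SYSADM1", "USERE", p, with_grant=True)
    cat.grant("USERE", "USERB", p)                    # ... B also via E (independent of A)
    cat.grant("USERE", "USERF", p)                    # F: unrelated to A
    cat.remove_user("USERA")
    return {u: cat.has(u, p) for u in ("USERB", "USERC", "USERD", "USERF")}
```

Deleting USERA removes C's and D's access (their only chain ran through A) while B keeps it through the independent grant from USERE, which is the "authority no longer exists" point in the post.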
awakeningsAuthor Commented:
Thanks Kent.  I actually cannot do any testing.  I am in security and only tangentially work with the mainframe group.  I'm just trying to find out as I have to report information accurately.
awakeningsAuthor Commented:
Thanks both.  Do you know any links to show this?

Giltjr, the second item is that if one has RACF/Top Secret/ACF2 privileges, one can usurp the authority of the dormant (not tied to RACF, etc.) account, but the fact that someone could do this doesn't matter because the RACF account would have to be an admin and they would have the privileges anyway.

Thanks,

Awakenings
giltjrCommented:
Here is a link that talks about it:

http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=/com.ibm.etools.mft.doc/ae22130_.htm

If you search for "granting user" you will see a bullet item talking about it.

I can't usurp the authority of the dormant account; both IDs still need to be in the security system. Using USERA71 (me) and USERB99 (you) again: if for some reason you leave and your account, USERB99, is removed from RACF but left in DB2 because you did grants, I can no longer use it as a surrogate id because RACF does not know about the account.  If it's not in RACF, it can no longer be used for anything.    Nobody could use your account for anything as long as DB2 is validating everything against RACF (or whatever is being used for SAF).

And no, I would not need admin capabilities to do this.  All I need is surrogate authority to an ID that is admin.  So if I did not have DB2 Admin, but you did, I could not use my user-id to do any grants, but I could submit batch jobs that use your user id to issue grants.

Not sure what your background is, but think of surrogate almost like su'ing to a different user's userid in *nix.  You can only su to an id that *nix knows about.  If *nix does not know about it, you can't su to it.

Surrogate authority is the same thing, the ID I am trying to use must still exist, then on top of that I must have authorization in RACF to use it.
awakeningsAuthor Commented:
Thanks!  I like to bounce things off multiple arenas.  Your answers made sense to me and I felt they were clear.