Solved

DB2 users, grants, and RACF

Posted on 2009-02-20
1,111 Views
Last Modified: 2012-05-06
I am working with a DB2 admin for mainframe.  I am told that in DB2, if you delete a user who has given grants, the grants are also taken away.  I don't know DB2 at all, but that seems like a ridiculous way to set up grants.  I wanted to get a URL (I have searched) stating that this is or is not true.

The second portion of this is that DB2 accounts cannot be used unless they are assigned to RACF (or Top Secret or ACF2).  Then I was told that those accounts can be used by other admins, but that they have access anyway.  Can anyone help clear things up for me?

Thanks,

Awakenings
Question by:awakenings
LVL 46

Assisted Solution

by:Kent Olsen
Kent Olsen earned 600 total points
ID: 23692196
Hi Awakenings,

I've not seen that behavior.  But it actually makes a lot of sense.  You won't normally delete the account of a master admin, so the grants from the admin wouldn't be affected.  But cascading the grants from a user-level entity makes a lot of sense.  If User A has given grants to Users B, C, and D, and user A is deleted, the authority by which users B, C, and D were given access no longer exists.


We've got a number of mainframe people on the forum (I'm an LUW kind of guy).  If no one shows up soon to give you a definitive answer, I suggest that you run a small test.  Create user A and B, have user A grant a permission to B, then delete A and retest the authority of user B.


Kent
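A toy model of the cascading behaviour Kent's reasoning describes (added here as an illustration, not DB2 code; DB2 itself does cascade dependent privileges on REVOKE). Each grant records its grantor; stripping one id's privileges then removes every grant that id made, unless the grantee also holds the privilege through another path. Ids, the privilege string and the admin id are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    privilege: str  # e.g. "SELECT ON SALES.T1" (constructed sample value)


class AuthCatalog:
    """Toy stand-in for the DB2 authorization catalog (not DB2 code)."""

    def __init__(self, install_admins):
        # Ids whose authority is installed rather than granted (think install SYSADM).
        self.install_admins = set(install_admins)
        self.grants = []

    def holds(self, auth_id, privilege):
        """True if auth_id currently has the privilege, installed or granted."""
        if auth_id in self.install_admins:
            return True
        return any(g.grantee == auth_id and g.privilege == privilege for g in self.grants)

    def grant(self, grantor, grantee, privilege):
        if not self.holds(grantor, privilege):
            raise PermissionError(f"{grantor} cannot grant {privilege}")
        self.grants.append(Grant(grantor, grantee, privilege))

    def revoke_from(self, auth_id):
        """Strip every privilege from auth_id, then cascade: any grant whose
        grantor no longer holds the privilege is removed too, until stable."""
        self.install_admins.discard(auth_id)
        removed, changed = [], True
        while changed:
            changed = False
            for g in list(self.grants):
                if g.grantee == auth_id or not self.holds(g.grantor, g.privilege):
                    self.grants.remove(g)
                    removed.append(g)
                    changed = True
        return removed


def demo():
    """Constructed scenario: USERA passes SELECT on to USERB and USERC; USERC also
    holds an independent grant from the admin. Revoking USERA takes USERB down with it."""
    cat = AuthCatalog(install_admins=["SYSADM1"])
    priv = "SELECT ON SALES.T1"
    cat.grant("SYSADM1", "USERA", priv)
    cat.grant("USERA", "USERB", priv)
    cat.grant("USERA", "USERC", priv)
    cat.grant("SYSADM1", "USERC", priv)
    cascaded = cat.revoke_from("USERA")
    return cat, [(g.grantor, g.grantee) for g in cascaded]
```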
Author Comment

by:awakenings
ID: 23692307
Thanks Kent.  I actually cannot do any testing.  I am in security and only tangentially work with the mainframe group.  I'm just trying to find out as I have to report information accurately.
LVL 57

Accepted Solution

by:giltjr
giltjr earned 1400 total points
ID: 23694416
O.K.  I'll tell you the way I understand it.


I also have been told that if you define a user to DB2, that user does a grant, and then you delete the user, all grants that user did will be removed.  I was told this because I asked why we had user-ids in some of the DB2 user tables for people that have been long gone from the company.   However, although you must leave them in DB2, you do NOT need to leave them in RACF/TopSecret/ACF2.

DB2 does use RACF (actually the SAF interface) for security, and this means that the users must be defined in whatever you use as your security system (RACF, TopSecret, or ACF2).

--> Then I was told that those accounts can be used by other admins, but that they have access anyway.

I'm not 100% sure what you mean by this, but I believe what they are talking about is surrogate authority.   This allows one user to use the security credentials of another user without being authenticated for the second user's id.  Example:  My user id is USERA71 and yours is USERB99.  If I have surrogate authority for your id, once I am authenticated for my id, I can do certain things using your userid instead of mine.

The only place I have seen surrogate authority used is when running batch jobs.  If I submit a batch job I could put USER=USERB99 on the job card and it would run with your id and use your authority.  Now as long as you are cutting the correct SMF records this is logged so that you can tell that I did this.
Author Comment

by:awakenings
ID: 23695391
Thanks both.  Do you know any links to show this?

Giltjr, the second item is that if one has RACF/Top Secret/ACF2 privileges, one can usurp the authority of the dormant (not tied to RACF, etc.) account, but the fact that someone could do this doesn't matter because the RACF account would have to be an admin and they would have the privileges anyway.

Thanks,

Awakenings
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1400 total points
ID: 23695731
Here is a link that talks about it:

http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=/com.ibm.etools.mft.doc/ae22130_.htm

If you search for "granting user" you will see a bullet item talking about it.

I can't usurp the authority of the dormant account; both IDs still need to be in the security system.  Using USERA71 (me) and USERB99 (you) again: if for some reason you leave and your account, USERB99, is removed from RACF but left in DB2 because you did grants, I can no longer use it as a surrogate id because RACF does not know about the account.  If it's not in RACF, it can no longer be used for anything.    Nobody could use your account for anything as long as DB2 is validating everything against RACF (or whatever is being used for SAF).

And no, I would not need admin capabilities to do this.  All I need is surrogate authority to an ID that is admin.  So if I did not have DB2 Admin, but you did, I could not use my user-id to do any grants, but I could submit batch jobs that use your user id to issue grants.

Not sure what your background is, but think of surrogate almost like su'ing to a different user's userid in *nix.  You can only su to an id that *nix knows about.  If *nix does not know about it, you can't su to it.

Surrogate authority is the same thing, the ID I am trying to use must still exist, then on top of that I must have authorization in RACF to use it.
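An added illustration (not RACF, DB2 or JES code) of the two checks giltjr lists before a USER= on a job card takes effect: the target id must still be defined to the security system, and the submitter needs READ access to the SURROGAT profile `<id>.SUBMIT` (the real RACF class and profile naming). The submitter's own id is kept in the audit record, which is the SMF point in the thread. The `SecuritySystem` class, the `smf_log` list standing in for SMF records, the ids and the job card are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SecuritySystem:
    """Stand-in for RACF/Top Secret/ACF2 reached through SAF (constructed sample data)."""
    users: set = field(default_factory=set)
    surrogat: dict = field(default_factory=dict)  # "<id>.SUBMIT" -> ids holding READ access


# Pull USER= off a JOB statement, e.g. //NAME JOB (ACCT),'DESC',USER=USERB99
JOB_USER = re.compile(r"^//\S+\s+JOB\b.*?\bUSER=(\w+)", re.IGNORECASE)


def job_card_user(job_card):
    """Return the id named by USER= on the job card, or None if absent."""
    m = JOB_USER.search(job_card)
    return m.group(1).upper() if m else None


def submit(sec, submitter, job_card, smf_log):
    """Resolve the id a batch job will run under, mirroring the checks giltjr describes."""
    if submitter not in sec.users:
        raise PermissionError(f"{submitter} is not defined to the security system")
    target = job_card_user(job_card) or submitter
    if target == submitter:
        return target
    if target not in sec.users:  # dormant id left in DB2 but deleted from RACF
        raise PermissionError(f"{target} is not defined to the security system")
    if submitter not in sec.surrogat.get(f"{target}.SUBMIT", set()):
        raise PermissionError(f"{submitter} lacks READ on SURROGAT {target}.SUBMIT")
    smf_log.append({"submitter": submitter, "ran_as": target})  # audit trail keeps the real submitter
    return target


def demo():
    """Constructed scenario: USERA71 may surrogate USERB99; then USERB99 is deleted from RACF."""
    sec = SecuritySystem(users={"USERA71", "USERB99"}, surrogat={"USERB99.SUBMIT": {"USERA71"}})
    log = []
    card = "//GRANTJOB JOB (ACCT),'GRANTS',CLASS=A,USER=USERB99"
    ran_as = submit(sec, "USERA71", card, log)
    sec.users.discard("USERB99")  # user leaves; RACF entry removed, DB2 grants stay
    try:
        submit(sec, "USERA71", card, log)
        blocked = False
    except PermissionError:
        blocked = True
    return ran_as, log, blocked
```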
Author Comment

by:awakenings
ID: 23695762
Thanks!  I like to bounce things off multiple arenas.  Your answers made sense to me and I felt they were clear.