DB2 users, grants, and RACF

Posted on 2009-02-20
Last Modified: 2012-05-06
I am working with a DB2 admin for mainframe.  I am told that in DB2, if you delete a user who has given grants, the grants are also taken away.  I don't know DB2 at all, but that seems like a ridiculous way to set up grants.  I wanted to get a URL (I have searched) stating that this is or is not true.

The second portion of this is that DB2 accounts cannot be used unless they are assigned to RACF (or Top Secret or ACF2).  Then I was told that those accounts can be used by other admins, but that they have access anyway.  Can anyone help clear things up for me?


Question by: awakenings

    Assisted Solution

    Hi Awakenings,

    I've not seen that behavior.  But it actually makes a lot of sense.  You won't normally delete the account of a master admin, so the grants from the admin wouldn't be affected.  But cascading the grants from a user-level entity makes a lot of sense.  If User A has given grants to Users B, C, and D, and User A is deleted, the authority by which Users B, C, and D were given access no longer exists.

    We've got a number of mainframe people on the forum (I'm an LUW kind of guy).  If no one shows up soon to give you a definitive answer, I suggest that you run a small test.  Create user A and B, have user A grant a permission to B, then delete A and retest the authority of user B.


    Author Comment

    Thanks Kent.  I actually cannot do any testing.  I am in security and only tangentially work with the mainframe group.  I'm just trying to find out as I have to report information accurately.

    Accepted Solution

    O.K.  I'll tell you the way I understand it.

    I also have been told that if you define a user to DB2, that user does a grant, and then you delete the user, all grants that user did will be removed.  I was told this because I asked why we had user IDs in some of the DB2 user tables for people who have been long gone from the company.   However, although you must leave them in DB2, you do NOT need to leave them in RACF/TopSecret/ACF2.

    DB2 does use RACF (actually the SAF interface) for security, and this means that the users must be defined in whatever you use as your security system (RACF, TopSecret, or ACF2).

    --> Then I was told that those accounts can be used by other admins, but that they have access anyway.

    I'm not 100% sure what you mean by this, but I believe what they are talking about is surrogate authority.   This allows one user to use the security credentials of another user without being authenticated for the second user's ID.  Example:  My user ID is USERA71 and yours is USERB99.  If I have surrogate authority for your ID, once I am authenticated for my ID, I can do certain things using your user ID instead of mine.

    The only place I have seen surrogate authority used is when running batch jobs.  If I submit a batch job, I could put USER=USERB99 on the job card and it would run with your ID and use your authority.  Now, as long as you are cutting the correct SMF records, this is logged so that you can tell that I did this.

    Author Comment

    Thanks both.  Do you know any links to show this?

    Giltjr, the second item is that if one has RACF/Top Secret/ACF2 privileges, one can usurp the authority of the dormant (not tied to RACF, etc.) account, but the fact that someone could do this doesn't matter, because the RACF account would have to be an admin and they would have the privileges anyway.



    Assisted Solution

    Here is a link that talks about it:

    If you search for "granting user" you will see a bullet item talking about it.

    I can't usurp the authority of the dormant account; both IDs still need to be in the security system.  Using USERA71 (me) and USERB99 (you) again: if for some reason you leave and your account, USERB99, is removed from RACF but left in DB2 because you did grants, I can no longer use it as a surrogate ID, because RACF does not know about the account.  If it's not in RACF, it can no longer be used for anything.    Nobody could use your account for anything as long as DB2 is validating everything against RACF (or whatever is being used for SAF).

    And no, I would not need admin capabilities to do this.  All I need is surrogate authority to an ID that is admin.  So if I did not have DB2 Admin but you did, I could not use my user ID to do any grants, but I could submit batch jobs that use your user ID to issue grants.

    Not sure what your background is, but think of surrogate almost like su'ing to a different user's ID in *nix.  You can only su to an ID that *nix knows about.  If *nix does not know about it, you can't su to it.

    Surrogate authority is the same thing: the ID I am trying to use must still exist, and then on top of that I must have authorization in RACF to use it.
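
    The setup Giltjr describes, as an added example that is not part of any answer in this thread.  It is two JCL jobs for an RACF shop: the first defines the SURROGAT profile that lets USERA71 submit work under USERB99 (the IDs from the thread) and turns on auditing of that profile so RACF cuts SMF records when it is used; the second is the job USERA71 would then submit with USER=USERB99 on the job card, here running a DB2 GRANT through DSNTEP2 so the grant is recorded in the catalog with USERB99 as grantor.  The job and step names, the DB2 subsystem DSN1, the plan and load library names, and the table PAYROLL.EMP and grantee USERC01 are all made-up placeholders; the SURROGAT profile name userid.SUBMIT, the PERMIT/RDEFINE/SETROPTS commands and the USER= job-card parameter are standard RACF and JCL.

```jcl
//RACFDEF  JOB (ACCT),'DEFINE SURROGAT',CLASS=A,MSGCLASS=X
//*--------------------------------------------------------------
//* Job 1 (added example): let USERA71 submit jobs as USERB99.
//* Assumes RACF, that both user IDs already exist in RACF, and
//* that the submitter of THIS job may administer class SURROGAT.
//* RACF commands are issued from a batch TSO step (IKJEFT01).
//*--------------------------------------------------------------
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
  /* Profile userid.SUBMIT controls who may submit work as userid. */
  /* UACC(NONE): nobody but those PERMITted. AUDIT(ALL(READ)):     */
  /* write an SMF type 80 record on every successful or failed use. */
  RDEFINE  SURROGAT USERB99.SUBMIT UACC(NONE) AUDIT(ALL(READ))
  PERMIT   USERB99.SUBMIT CLASS(SURROGAT) ID(USERA71) ACCESS(READ)
  /* RACLISTed classes are cached; refresh so the PERMIT takes effect */
  SETROPTS RACLIST(SURROGAT) REFRESH
/*
//
//GRANTJOB JOB (ACCT),'SURROGATE GRANT',CLASS=A,MSGCLASS=X,
//             USER=USERB99
//*--------------------------------------------------------------
//* Job 2 (added example): submitted from USERA71's session.
//* USER=USERB99 makes the job run under USERB99's authority;
//* JES asks RACF for READ on SURROGAT USERB99.SUBMIT for USERA71
//* and fails the job (ICH408I) if it is not permitted, or if
//* USERB99 has been deleted from RACF.  Subsystem DSN1, plan
//* DSNTEP2, the load library, PAYROLL.EMP and USERC01 are assumed.
//*--------------------------------------------------------------
//DB2GRANT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DSN1)
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP2) LIB('DSN1.RUNLIB.LOAD')
  END
/*
//SYSIN    DD *
  -- Issued as USERB99: SYSIBM.SYSTABAUTH will show GRANTOR = USERB99
  GRANT SELECT ON TABLE PAYROLL.EMP TO USERC01;
/*
//
```

    The point to check afterwards is the one the thread makes: the DB2 catalog row for that grant carries USERB99 as grantor, not USERA71, so only the RACF SMF type 80 record written because of AUDIT(ALL(READ)) on the SURROGAT profile ties the action back to the real submitter.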

    Author Comment

    Thanks!  I like to bounce things off multiple arenas.  Your answers made sense to me and I felt they were clear.
