[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: DB2/RACF Security
From:       "Sokolsky, Hayim Z." <hsokolsky () DTCC ! COM>
Date:       2012-07-26 15:34:00
Message-ID: D5CA4071F8A47B41B8B7DFA2E24FDBEB01699842 () SXEMBP01 ! corp ! dtcc ! com
[Download RAW message or body]

Mike,

You have to think of the RACF/DB2 security as a 'policy'. The RACF/DB2 profiles can \
be created far in advance of the object's existence, and will remain after the \
objects are dropped from the DB2 database. In effect, the DB2 security controls are \
already pre-established.

In addition, issuing native grants can interfere with RACF/DB2. Native grants issued \
for PUBLIC have a habit of getting cached, and may supersede the RACF/DB2 security \
until DB2 restart.

The short answer is, no action needs to be taken to reestablish security.

Hayim

Hayim Sokolsky, CISSP
   Manager, Mainframe Security Architecture
   DTCC Technology Risk Management
   18301 Bermuda Green Drive, MS 1-CIS
   Tampa FL 33647-1760
   +1 (813) 470-2177

Classification:  DTCC Non-Confidential (WHITE)

The views I have expressed in this email are my own personal views, and are not \
endorsed or supported by, and do not necessarily express or reflect, the views, \
positions or strategies of my employer.

> -----Original Message-----
> From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
> Mike Klimek
> Sent: Thursday, July 26, 2012 10:28
> To: RACF-L@LISTSERV.UGA.EDU
> Subject: DB2/RACF Security
> 
> 
> 
> I am currently exploring the potential of migrating our DB2 security to RACF
> and have a behavioral question
> regarding object deletion. Everything I have read states that RACF security
> profiles can be preserved
> when a DB2 object is deleted. While I understand this concept, I'm also told
> that after dropping
> an object under native DB2 security, all DBA controlled securities have to be
> reestablished.
> Does dropping an object under RACF security in DB2 eliminate the need for
> the DBA's to
> become involved by having to reestablish all grants? If not, what exactly is
> the theory behind
> stating that RACF would remove the DBA's from involvement in security
> when dropping objects?
> 
> Thank you in advance for any thoughts you can provide.
> 
> 
> 
> Michael A. Klimek
> 
> McMaster-Carr Supply Company
> 
> mike.klimek@mcmaster.com
> 
> 
<BR>_____________________________________________________________
<FONT size=2><BR>
DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses.  The company
accepts no liability for any damage caused by any virus transmitted
by this email.</FONT>


[prev in list] [next in list] [prev in thread] [next in thread]