
List:       racf-l
Subject:    Re: DB2 Column Level Security
From:       "Arnold, Kevin" <karnold () OPERS ! ORG>
Date:       2016-08-30 20:05:20
Message-ID: 6fb21e0d7832485380f10cb5e7f64610 () S1MSG163 ! inhouse ! opers ! org

Thanks Hayim, that is very helpful.

We were able to get this working, somewhat.  We have a table called CLONETEST.GAPTBL
with one integer column COL1.  If we issue the below DDL:

	-- Column mask: members of RACF group SYS1 see the real value of COL1,
	-- every other user sees 0 instead.
	CREATE MASK CLONETEST.COL1_MASK ON CLONETEST.GAPTBL
	    FOR COLUMN COL1 RETURN
	    CASE
	        WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER, 'SYS1') = 1)
	        THEN COL1
	        ELSE 0
	    END
	    ENABLE;
	COMMIT;

	-- The mask only takes effect once column access control is activated on the table.
	ALTER TABLE CLONETEST.GAPTBL ACTIVATE COLUMN ACCESS CONTROL;

With a RACF resource of MDSNTB(DB2.CLONETEST.GAPTBL.SELECT) ACC(READ) ID(SYS1) and
MDSNTB(DB2.CLONETEST.GAPTBL.COL1.SELECT) ID(SYS1) - we get the expected results.  The
groups connected to the table are unable to SELECT on COL1 unless they are also
connected to the COLUMN group.  Groups connected to the COLUMN group can do the
SELECT statements.

My problem now, which you may have explained below, is that I do not cut SMF records
for the DB2.CLONETEST.GAPTBL.COL1.SELECT resource (or column resource).  All
auditing/violations occur to the TABLE resource.  That may be due to what you said
below, but I had hoped I could "audit" at the column level as well (v. other columns
in the table resource not explicitly protected via RACF), as that is a valid RACF
resource.  Maybe not.

Thanks again.

[quote]
The lists below are evaluated one by one. If any give access, then the event is
successful and SMF logging is controlled only by the profile that grants access. If
they all fail, the RACF/DB2 interface re-checks the first item and logs the failure
only for the first item in the list - based upon the RACF AUDIT or GLOBALAUDIT
settings. One SMF record despite all the checks.

For SELECT TABLE (SELECTAUTT)
MDSNTB 	DB2-subsystem.table-qualifier.table-name.SELECT
DSNADM	DB2-subsystem.database-name.DBADM
DSNADM	DB2-subsystem.DATAACCESS
DSNADM	DB2-subsystem.SYSADM
[/quote]



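Added illustration, not part of Kevin's post or Hayim's reply: the RACF side of the setup described above as an IKJEFT01 batch job of TSO commands, defining the two MDSNTB profiles from the post with the AUDIT option that the quoted explanation says governs SMF logging on the profile that grants access. It assumes the subsystem name DB2 and the resource names exactly as given in the post, that the MDSNTB class is active and RACLISTed, and that the submitter holds the RACF authority to define and permit these profiles; the JOB card accounting field is a placeholder.

```jcl
//RACFDEF  JOB (ACCT),'DEFINE MDSNTB',CLASS=A,MSGCLASS=X
//* Added example: define and audit the table and column MDSNTB resources
//* from the post. AUDIT(ALL(READ)) asks RACF to cut SMF records for both
//* successful and failed access attempts at READ or above on that profile.
//* Per the quoted explanation, which profile actually produces the record
//* depends on which item in the DB2/RACF check list grants (or first denies)
//* access, so the column profile's AUDIT setting may never be consulted.
//* TSO command lines are kept under column 72; "-" continues a command.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE MDSNTB DB2.CLONETEST.GAPTBL.SELECT -
          UACC(NONE) AUDIT(ALL(READ))
  RDEFINE MDSNTB DB2.CLONETEST.GAPTBL.COL1.SELECT -
          UACC(NONE) AUDIT(ALL(READ))
  PERMIT DB2.CLONETEST.GAPTBL.SELECT -
         CLASS(MDSNTB) ID(SYS1) ACCESS(READ)
  PERMIT DB2.CLONETEST.GAPTBL.COL1.SELECT -
         CLASS(MDSNTB) ID(SYS1) ACCESS(READ)
  SETROPTS RACLIST(MDSNTB) REFRESH
  RLIST MDSNTB DB2.CLONETEST.GAPTBL.SELECT AUTHUSER
  RLIST MDSNTB DB2.CLONETEST.GAPTBL.COL1.SELECT AUTHUSER
/*
```

The two RLIST commands at the end display each profile's audit setting and access list so the result can be checked against what the post describes.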

