List: racf-l
Subject: Re: DB2 Column Level Security
From: "Arnold, Kevin" <karnold () OPERS ! ORG>
Date: 2016-08-30 20:05:20
Message-ID: 6fb21e0d7832485380f10cb5e7f64610 () S1MSG163 ! inhouse ! opers ! org
Thanks Hayim, that is very helpful.
We were able to get this working, somewhat. We have a table called CLONETEST.GAPTBL with one integer column COL1. If we issue the below DDL:
CREATE MASK CLONETEST.COL1_MASK ON CLONETEST.GAPTBL
FOR COLUMN COL1 RETURN
CASE
WHEN(VERIFY_GROUP_FOR_USER(SESSION_USER,'SYS1') = 1)
THEN COL1
ELSE 0
END
ENABLE;
COMMIT;
ALTER TABLE CLONETEST.GAPTBL ACTIVATE COLUMN ACCESS CONTROL;
With a RACF resource of MDSNTB(DB2.CLONETEST.GAPTBL.SELECT) ACC(READ) ID(SYS1) and MDSNTB(DB2.CLONETEST.GAPTBL.COL1.SELECT) ID(SYS1) - we get the expected results. The groups connected to the table are unable to SELECT on COL1 unless they are also connected to the COLUMN group. Groups connected to the COLUMN group can do the SELECT statements.
My problem now, which you may have explained below, is that I do not cut SMF records for the DB2.CLONETEST.GAPTBL.COL1.SELECT resource (or column resource). All auditing/violations occur to the TABLE resource. That may be due to what you said below, but I had hoped I could "audit" at the column level as well (v. other columns in the table resource not explicitly protected via RACF), as that is a valid RACF resource. Maybe not.
Thanks again.
[quote]
The lists below are evaluated one by one. If any give access, then the event is successful and SMF logging is controlled only by the profile that grants access. If they all fail, the RACF/DB2 interface re-checks the first item and logs the failure only for the first item in the list - based upon the RACF AUDIT or GLOBALAUDIT settings. One SMF record despite all the checks.
For SELECT TABLE (SELECTAUTT)
MDSNTB DB2-subsystem.table-qualifier.table-name.SELECT
DSNADM DB2-subsystem.database-name.DBADM
DSNADM DB2-subsystem.DATAACCESS
DSNADM DB2-subsystem.SYSADM
[/quote]
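To make the check order in Hayim's quoted reply concrete, here is a small Python model of it, added to this thread as an illustration; it is not RACF, DB2 or the RACF/DB2 exit, and it does not settle why Kevin sees no SMF records for the column resource. It walks the four SELECT TABLE resources in the quoted order, grants on the first profile that permits, and on an all-fail re-checks the first item and attributes the one failure record to that item. The table and column profiles are the ones from Kevin's message; the database name TESTDB, the groups DBAGRP and NOBODY, and the AUDIT settings are constructed for the example, and a resource with no covering profile is simply treated as a failed check here (a simplification).

```python
"""Toy model of the SELECT TABLE (SELECTAUTT) check order described in the
quoted reply.  Added illustration only: not RACF, DB2 or the RACF/DB2 exit.
TESTDB, DBAGRP, NOBODY and the AUDIT settings are constructed for the example;
a resource with no covering profile is treated as a failed check (assumption)."""

from dataclasses import dataclass, field

# RACF access levels, lowest to highest
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    cls: str                                    # RACF class, e.g. MDSNTB or DSNADM
    name: str                                   # resource name
    access: dict = field(default_factory=dict)  # ID (group) -> access level
    uacc: str = "NONE"
    audit: frozenset = frozenset({"FAILURES"})  # outcomes that cut an SMF record

    def permits(self, groups, required="READ"):
        """True if UACC or any connected group reaches the required level."""
        best = self.uacc
        for g in groups:
            lvl = self.access.get(g, "NONE")
            if LEVELS.index(lvl) > LEVELS.index(best):
                best = lvl
        return LEVELS.index(best) >= LEVELS.index(required)


def select_table_checklist(subsys, dbname, qualifier, table):
    """Resources checked, in order, for SELECT TABLE as listed in the quoted reply."""
    return [
        ("MDSNTB", f"{subsys}.{qualifier}.{table}.SELECT"),
        ("DSNADM", f"{subsys}.{dbname}.DBADM"),
        ("DSNADM", f"{subsys}.DATAACCESS"),
        ("DSNADM", f"{subsys}.SYSADM"),
    ]


def check_select(profiles, groups, checklist):
    """Return (allowed, logged_to): logged_to is the single profile an SMF
    record would be attributed to, or None if nothing would be logged."""
    for key in checklist:
        prof = profiles.get(key)
        if prof is not None and prof.permits(groups):
            # Success: SMF logging is controlled only by the granting profile.
            return True, (key if "SUCCESS" in prof.audit else None)
    # All checks failed: re-check the first item and log the failure against
    # that item alone, according to its AUDIT setting.
    first = checklist[0]
    prof = profiles.get(first)
    logged = first if prof is not None and "FAILURES" in prof.audit else None
    return False, logged


def _table(*profs):
    return {(p.cls, p.name): p for p in profs}


# Constructed profiles: the two MDSNTB profiles are from the thread, the rest
# are assumed for the example (TESTDB is a made-up database name).
PROFILES = _table(
    Profile("MDSNTB", "DB2.CLONETEST.GAPTBL.SELECT", {"SYS1": "READ"}),
    Profile("MDSNTB", "DB2.CLONETEST.GAPTBL.COL1.SELECT", {"SYS1": "READ"}),
    Profile("DSNADM", "DB2.TESTDB.DBADM"),
    Profile("DSNADM", "DB2.DATAACCESS", {"DBAGRP": "READ"},
            audit=frozenset({"SUCCESS", "FAILURES"})),
    Profile("DSNADM", "DB2.SYSADM"),
)

CHECKLIST = select_table_checklist("DB2", "TESTDB", "CLONETEST", "GAPTBL")

if __name__ == "__main__":
    for groups in ({"SYS1"}, {"NOBODY"}, {"DBAGRP"}):
        print(sorted(groups), check_select(PROFILES, groups, CHECKLIST))
```

In this model a user connected only to SYS1 is granted by the table profile and, with AUDIT(FAILURES), cuts no record; a user with no access fails every check and the one failure record goes to the table profile; a user granted through DSNADM DATAACCESS is logged against that profile alone. The column profile is defined but never appears in the quoted SELECT TABLE list, so the model never attributes a record to it.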