© Copyright IBM Corp. 2007. All rights reserved. 113
Chapter 6. DB2 access control
This chapter provides an introduction to the two alternatives that DB2 for z/OS
offers to protect its resources in general: DB2-managed security and
RACF-managed security. Later chapters look at multilevel security for object-level
access control and row-level security, and at the use of roles and trusted
connections. These additional security mechanisms are independent of whether
you use native DB2 authorization or RACF authorization as the basis for access
Native DB2 authorization uses the GRANT and REVOKE statements to keep the
information in the DB2 catalog. Checking access means checking the DB2
DB2 access control uses tight integration with DB2 and database integrity
techniques to provide robust security. In most situations, a security rule is
not granted without a related object. For some customers and security needs,
these techniques do not fit.
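The following SQL is an added example, not text or code from this Redbook. It
walks through the native DB2 mechanism just described: a privilege is created
with GRANT, lands as a row in the DB2 catalog, is verified by querying that
catalog, and is removed with REVOKE. The table PAYROLL.EMP, the secondary
authorization ID PAYGRP (a RACF group) and the user ID USER01 are assumed
names chosen for the illustration.

```sql
-- Added example (not from the Redbook). Assumed names: table PAYROLL.EMP,
-- secondary authorization ID PAYGRP, individual user ID USER01.

-- 1. Grant privileges. DB2 records each grant as a row in the catalog.
--    A GRANT on a table that does not exist is rejected (SQLCODE -204,
--    undefined name), which is why a rule normally cannot exist without
--    its related object. Granting to a group ID rather than to each user
--    keeps the number of catalog rows small.
GRANT SELECT, UPDATE ON TABLE PAYROLL.EMP TO PAYGRP;
GRANT SELECT ON TABLE PAYROLL.EMP TO USER01 WITH GRANT OPTION;

-- 2. Checking access means checking the catalog: list who holds which
--    table privileges on PAYROLL.EMP.
--    'Y' = privilege held, 'G' = held WITH GRANT OPTION, blank = not held.
SELECT GRANTEE, GRANTEETYPE, GRANTOR,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
 ORDER BY GRANTEE;

-- 3. Revoke. USER01 held SELECT WITH GRANT OPTION, so any SELECT
--    privilege USER01 passed on to others is revoked as well (cascade).
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER01;

-- 4. Review query: every table privilege granted to PUBLIC, the broadest
--    grantee. A non-empty result is what a security review looks for first.
SELECT TCREATOR, TTNAME,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE = 'PUBLIC'
 ORDER BY TCREATOR, TTNAME;
```

Run the statements from SPUFI, DSNTEP2 or any SQL client connected to the
subsystem; step 2 can be rerun after step 3 to confirm that the USER01 row
has disappeared from SYSIBM.SYSTABAUTH.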
There are significant policy and people implications when using RACF access
control. If you want the database administrators to manage security, integration
with DB2 is very important. If you want security administrators to manage
security, integration with the security server and the ability to have separate
security and database administration are more important. The change to RACF
access control causes roles and authorities to change.
114 Securing DB2 and Implementing MLS on z/OS
Converting to RACF from DB2 security is not a completely compatible change.
Authority based on secondary IDs, such as BINDAGENT, requires a new
technique under RACF. There are some situations where DB2 access control
must be used. V8 removed one situation where DB2 GRANT was needed for
DB2 commands.
Plan to use RACF facilities in a similar manner to groups and patterns. The
implementation team requires both DB2 and RACF knowledge for
If you want a security group to define authorization and provide a centralized
security control point, RACF access control is a match. As you implement RACF,
plan to use security access patterns instead of access authorities on individual
items. This can significantly reduce the number of rules needed compared to the
number of grants in DB2. The implementation team needs both DB2 and RACF
First, we give a short overview of how authorization IDs are assigned in DB2; this
is independent of the type of access control used. Then, we describe the
mechanisms for DB2-managed security, and in the last section, we discuss
object access control through the use of RACF.