Download PDF - IBM Redbooks
8.1.4 Migration from SYSADM authority

To take advantage of the granularity of DB2 10 administrative authority and to simplify your system database administration, you can separate the privileges of SYSADM authority and migrate them to other administrative authorities, as illustrated in Figure 8-1.

Figure 8-1 Separating the privileges of SYSADM

For implementation of the new security model based on new DB2 system authorities, use the following rules:
► Identify the administration model, and define the criteria for assigning special system authorities for specific ROLEs or AUTHIDs.
► Perform a query to list all users who have SYSADM authority in your DB2 subsystem.
► Divide the responsibilities of the SYSADM authorities between this list of users, and grant the necessary authority to them.
► Revoke SYSADM authority from current authorization IDs or ROLEs.
► After SYSADM authority is revoked, set the SECURITY_SEPARATE parameter to YES, and change it dynamically by using the installation SYSADM user ID.
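
The query, grant and revoke steps above can be run as the following SQL sequence. This is an added example, not taken from the Redbook; OLDADM1, DBA01, DATA01, ACC01, TUNE01 and SYSOPS1 are placeholder authorization IDs, and the statements assume the DB2 10 for z/OS catalog and GRANT syntax.

```sql
-- Added example. All authorization IDs below are placeholders.
-- SECADM is not shown: in DB2 10 it is assigned through subsystem
-- parameters rather than with a GRANT statement.

-- 1. List every authorization ID or role that holds SYSADM.
--    SYSADMAUTH: blank = not held, 'Y' = held, 'G' = held with the GRANT option.
--    GRANTEETYPE: 'L' = role, blank = authorization ID.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH <> ' '
 ORDER BY GRANTEE;

-- 2. Grant the narrower authorities from Figure 8-1 according to the
--    responsibilities agreed for each ID. The WITHOUT clauses keep
--    system DBADM from carrying DATAACCESS and ACCESSCTRL with it.
GRANT DBADM WITHOUT DATAACCESS WITHOUT ACCESSCTRL ON SYSTEM TO DBA01;
GRANT DATAACCESS ON SYSTEM TO DATA01;
GRANT ACCESSCTRL ON SYSTEM TO ACC01;
GRANT SQLADM ON SYSTEM TO TUNE01;
GRANT SYSOPR, ARCHIVE, BSDS, CREATESG, STOSPACE TO SYSOPS1;

-- 3. Confirm that the new grants are recorded before removing anything.
SELECT GRANTEE, SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH, SQLADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE IN ('DBA01', 'DATA01', 'ACC01', 'TUNE01');

-- 4. Revoking an authority can cascade to privileges that the ID granted
--    to others, so list what OLDADM1 has granted first (table privileges
--    shown; the other SYSIBM.SYS*AUTH tables can be checked the same way).
SELECT GRANTEE, TCREATOR, TTNAME
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTOR = 'OLDADM1';

-- 5. Revoke SYSADM from each ID returned by query 1.
REVOKE SYSADM FROM OLDADM1;

-- 6. Re-run query 1. Once every listed ID has been processed it should
--    return no rows.
```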

Figure 8-1 labels (the authorities into which SYSADM is separated):
► SECADM: Perform security related tasks
► System DBADM: Manage Objects
► DATAACCESS: Access data in all user tables
► System Administrator: Requires SYSOPR, ARCHIVE, BSDS, CREATESG, STOSPACE
► ACCESSCTRL: Control data access except for security objects
► SQLADM: EXPLAIN, monitor queues

Additional information: For more information about the new DB2 system authorities, see the DB2 10 for z/OS Administration Guide, SC19-2968.

8.2 New audit policy for DB2 10

With the WikiLeaks scandal, the new BASEL III requirements, the HIPAA privacy requirements, and many data breaches gaining press coverage, security audits of the DB2 environment have become a requirement for protection against unknown or unacceptable behaviors of users. Successful monitoring of unwanted data access and subsequent analysis can lead to improvements in the control of data access and the ultimate prevention of
Chapter 8. Security enhancements of DB2 10 for SAP solutions 117