Row and Column Access Control
Solution Brief
Highlights
Power Services
DB2 for i
Expert help to achieve your business requirements
We build confident, satisfied clients
No one else has the vast consulting experiences, skills sharing and
Because no one else is IBM.
With combined experiences and direct access to development groups,
Who we are, some of what we do
Global CoE engagements cover topics including:
Preface
This IBM® Redpaper™ publication provides information about the IBM i 7.2 feature of IBM
This paper is intended for database engineers, data-centric application developers, and
This paper was produced by the IBM DB2 for i Center of Excellence team in partnership with
Jim Bainbridge
Hernando Bedoya
Authors
1 Securing and protecting IBM DB2
Recent news headlines are filled with reports of data breaches and cyber-attacks impacting
Businesses must make a serious effort to secure their data and recognize that securing
This chapter describes how you can secure and protect data in DB2 for i. The following topics
1.1 Security fundamentals
Before reviewing database security techniques, there are two fundamental steps in securing
- The monitoring and assessment of adherence to the security policy determines whether
A security policy is what defines whether the system and its settings are secure (or not).
With your eyes now open to the importance of securing information assets, the rest of this
1.2 Current state of IBM i security
Because of the inherently secure nature of IBM i, many clients rely on the default system
Even more disturbing is that many IBM i clients remain in this state, despite the news
Traditionally, IBM i applications have employed menu-based security to counteract this default
Many businesses are trying to limit data access to a need-to-know basis. This security goal
1.3.1 Existing row and column control
Some IBM i clients have tried augmenting the all-or-nothing object-level security with SQL
Using SQL views to limit access to a subset of the data in a table also has its own set of
Even if you are willing to live with these performance and management issues, a user with
Figure 1-2 Existing row and column controls
2.1.6 Change Function Usage CL command
The following CL commands can be used to work with, display, or change function usage IDs:
For example, the following
CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(HBEDOYA) USAGE(*ALLOWED)
2.1.7 Verifying function usage IDs for RCAC with the FUNCTION_USAGE view
The FUNCTION_USAGE view contains function usage configuration details. Table 2-1
Table 2-1 FUNCTION_USAGE view
To discover who has authorization to define and manage RCAC, you can use the query that is
SELECT function_id,
user_type
FROM function_usage
WHERE function_id='QIBM_DB_SECADM'
ORDER BY user_name;
2.2 Separation of duties
Separation of duties helps businesses comply with industry regulations or organizational
For example, assume that a business has assigned the duty to manage security on IBM i to
In IBM i 7.2, the QIBM_DB_SECADM function usage grants authorities, revokes authorities,
QIBM_DB_SECADM function usage can be granted only by a user with *SECADM special
QIBM_DB_SECADM also is responsible for administering RCAC, which restricts which rows
A preferred practice is that the RCAC administrator has the QIBM_DB_SECADM function
Table 2-2 shows a comparison of the different function usage IDs and *JOBCTL authority to
Table 2-2 Comparison of the different function usage IDs and *JOBCTL authority
Figure 3-1 CREATE PERMISSION SQL statement
Column mask
A column mask is a database object that manifests a column value access control rule for a
Table 3-1 Special registers and their corresponding values
Figure 3-5 shows the difference in the special register values when an adopted authority is
Figure 3-5 Special registers and adopted authority
3.2.2 Built-in global variables
Built-in global variables are provided with the database manager and are used in SQL
IBM DB2 for i supports nine different built-in global variables that are read only and
Table 3-2 lists the nine built-in global variables.
Table 3-2 Built-in global variables
3.3 VERIFY_GROUP_FOR_USER function
The VERIFY_GROUP_FOR_USER function was added in IBM i 7.2. Although it is primarily
If a special register value is in the list of user profiles or it is a member of a group profile
Here is an example of using the VERIFY_GROUP_FOR_USER function:
VERIFY_GROUP_FOR_USER (CURRENT_USER, 'MGR')
VERIFY_GROUP_FOR_USER (CURRENT_USER, 'JANE', 'MGR', 'STEVE')
RETURN
CASE
WHEN VERIFY_GROUP_FOR_USER ( SESSION_USER , 'HR', 'EMP' ) = 1
To implement this column mask, run the SQL statement that is shown in Example 3-9.
CREATE MASK HR_SCHEMA.MASK_TAX_ID_ON_EMPLOYEES
Figure 3-10 Column masks shown in System i Navigator
3.6.6 Activating RCAC
Now that you have created the row permission and the two column masks, RCAC must be
Example 3-10 Activating RCAC on the EMPLOYEES table
/* Activate Row Access Control (permissions) */
/* Activate Column Access Control (masks) */
ACTIVATE COLUMN ACCESS CONTROL;
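As an added example (not the Redpaper's own code), the following statements carry the procedure above through end to end on IBM i 7.2: a row permission and the TAX_ID column mask on HR_SCHEMA.EMPLOYEES, both driven by VERIFY_GROUP_FOR_USER, followed by activation and a check of who holds QIBM_DB_SECADM. The permission name, the column names EMP_ID, MANAGER_ID and TAX_ID (CHAR(11)), and the MGR group profile are assumptions; HR and EMP are the groups named on the page.

```sql
-- Added example; assumed columns EMP_ID, MANAGER_ID, TAX_ID CHAR(11)
-- and group profiles HR, MGR, EMP.

-- Row permission: HR sees every row, a manager only the rows of the
-- people reporting to it, an employee only its own row. Permissions
-- on a table are OR'ed; once row access control is active, a row
-- that no permission allows is simply not returned.
CREATE PERMISSION HR_SCHEMA.PERMISSION1_ON_EMPLOYEES
  ON HR_SCHEMA.EMPLOYEES AS E
  FOR ROWS WHERE
       VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1
    OR (VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
        AND E.MANAGER_ID = SESSION_USER)
    OR (VERIFY_GROUP_FOR_USER(SESSION_USER, 'EMP') = 1
        AND E.EMP_ID = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: HR sees the full tax ID; anyone else who is allowed to
-- see the row gets only the last four characters. The RETURN value
-- must match the column type, hence the CAST.
CREATE MASK HR_SCHEMA.MASK_TAX_ID_ON_EMPLOYEES
  ON HR_SCHEMA.EMPLOYEES AS E
  FOR COLUMN TAX_ID
  RETURN CASE
           WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'HR') = 1
             THEN E.TAX_ID
           ELSE CAST('XXX-XX-' CONCAT SUBSTR(E.TAX_ID, 8, 4) AS CHAR(11))
         END
  ENABLE;

-- Neither object is enforced until RCAC is activated on the table.
ALTER TABLE HR_SCHEMA.EMPLOYEES
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- Check: creating, altering or dropping the objects above requires the
-- QIBM_DB_SECADM function usage, so review who holds it.
SELECT function_id, user_name, usage, user_type
  FROM qsys2.function_usage
  WHERE function_id = 'QIBM_DB_SECADM'
  ORDER BY user_name;
```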
Figure 3-11 Selecting the EMPLOYEES table from System i Navigator
Figure 4-68 Visual Explain with RCAC enabled
Figure 4-69 Index advice with no RCAC
THEN C.CUSTOMER_TAX_ID
CREATE MASK BANK_SCHEMA.MASK_SECURITY_QUESTION_ANSWER_ON_CUSTOMERS ON BANK_SCHEMA.CUSTOMERS AS C