Does the ACF2/DB2 Option support DB2 v11 Global Variables?

Document ID : KB000029449
Last Modified Date : 14/02/2018

Question:  
Does the ACF2/DB2 Option support DB2 v11 Global Variables?

Answer:  
ACF2/DB2 support of DB2 v11 Global Variables was implemented with apar RO55265.

The updates for support of 'Global Variables' are as follows.

A new $TYPE code VAR for 'Global Variables' was added:

$TYPE(typecode) Specifies the type of DB2 resource that this rule set applies to. The type code groups CA ACF2 Option for DB2 rules so that they can be identified for a particular type of resource. The $TYPE control statement is required. This type code can be:

Type Code                  Description
BPL                        Buffer pools
COL                        Collections
CON                        Trusted contexts
DBS                        Databases
FNC                        Functions
JAR                        JAR files
PKG                        Packages
PLN                        Application plans
PRC                        Stored procedures
ROL                        Roles
SCH                        Schemas
SEQ                        Sequences
STG                        Storage groups
SYS                        System privileges and utilities
TBL                        Tables (and views)
TSP                        Table spaces
TYP                        Distinct types
VAR                        Global variables


The DB2 OPTS record VARMODE field was added:

Record ID        Fields
OPTS             ACTIVE|NOACTIVE
                 GSYSID(1-4 character string-optional)
                 BPLMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 CONMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 DBSMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 FNCMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 PLNMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 PRCMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 ROLMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 SCHMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 SEQMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 STGMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 SYSMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 TBLMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 TSPMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 TYPMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)
                 VARMODE(ABORT|LOG|QUIET|RULE,norule,no$mode)

This example shows how to create a new OPTS record for the TEST DB2 subsystem. With this record, CA ACF2 Option for DB2 permits access to any resource but logs it. This example uses the REP parameter to insert new values into a DB2 OPTS record. This example shows how an INSERT subcommand might look when you enter it:

Sample INSERT:

INSERT OPTS SYSID(TEST) BPLMODE(LOG) CONMODE(LOG) DBSMODE(LOG) FNCMODE(LOG) -
PLNMODE(LOG) PRCMODE(LOG) ROLMODE(LOG) SCHMODE(LOG) SEQMODE(LOG) STGMODE(LOG) -
SYSMODE(LOG) TBLMODE(LOG) TSPMODE(LOG) TYPMODE(LOG) VARMODE(LOG)

The 'Field Descriptions' were updated to include VARMODE.

The following OPTS record fields identify DB2 resource types and what CA ACF2 Option for DB2 recommends when a rule entry denies access to a resource type.

ACTIVE|NOACTIVE

Inserts the OPTS record before you actually implement CA ACF2 Option for DB2 security. The default value is ACTIVE.

GSYSID

Specifies a one to four character string that will be used as the group SYSID. This field can be specified so that if multiple DB2 subsystems have the same value for the group SYSID, all of the subsystems will use the same resource rules. The value of the group SYSID will be substituted as the SYSID() to match to resource rules when a validation is done.

BPLMODE  Buffer pool
CONMODE  Trusted context
DBSMODE  Database
FNCMODE  Function
PLNMODE  Application plan, package, or collection
PRCMODE  Stored procedure
ROLMODE  Role
SCHMODE  Schema
SEQMODE  Sequences
STGMODE  Storage group
SYSMODE  System privilege or utility
TBLMODE  Table or a view
TSPMODE  Table space
TYPMODE  Distinct type
VARMODE  DB2 global variables
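
A check a site could run over its own OPTS INSERT commands after applying RO55265, added here as an example and not taken from the CA documentation. It reports mode fields that are absent, that carry a value outside the table above (such as a misspelled QUIET), or that are set to LOG. The sample command is constructed, and accepting RULE alone or with two fallback modes is an assumption about the RULE,norule,no$mode form.

```python
import re

# Mode fields from the OPTS table on this page; VARMODE is the one RO55265 added.
MODE_FIELDS = ["BPLMODE", "CONMODE", "DBSMODE", "FNCMODE", "PLNMODE", "PRCMODE",
               "ROLMODE", "SCHMODE", "SEQMODE", "STGMODE", "SYSMODE", "TBLMODE",
               "TSPMODE", "TYPMODE", "VARMODE"]
SIMPLE_MODES = {"ABORT", "LOG", "QUIET"}

# Constructed sample: a record written before VARMODE existed, with one typo.
SAMPLE = """
INSERT OPTS SYSID(TEST) BPLMODE(ABORT) CONMODE(QUITE) DBSMODE(ABORT) -
FNCMODE(ABORT) PLNMODE(ABORT) PRCMODE(ABORT) ROLMODE(ABORT) SCHMODE(ABORT) -
SEQMODE(ABORT) STGMODE(ABORT) SYSMODE(ABORT) TBLMODE(LOG) TSPMODE(ABORT) -
TYPMODE(RULE,ABORT,LOG)
"""


def parse_operands(command):
    """Join '-' continuation lines and return {FIELD: VALUE} for FIELD(value) operands."""
    joined = " ".join(line.strip().rstrip("-") for line in command.strip().splitlines())
    return {name.upper(): value.upper().replace(" ", "")
            for name, value in re.findall(r"(\w+)\(([^)]*)\)", joined)}


def valid_mode(value):
    """Accept ABORT, LOG, QUIET, RULE, or RULE followed by two fallback modes."""
    # Assumption: the norule and no$mode positions each take ABORT, LOG or QUIET.
    head, *rest = value.split(",")
    if head in SIMPLE_MODES:
        return not rest
    return head == "RULE" and len(rest) in (0, 2) and set(rest) <= SIMPLE_MODES


def audit_opts(command):
    """Report mode fields that are absent, misspelled, or set to log-only."""
    fields = parse_operands(command)
    report = {"missing": [], "invalid": [], "log_only": []}
    for name in MODE_FIELDS:
        value = fields.get(name)
        if value is None:
            report["missing"].append(name)       # not set explicitly in this command
        elif not valid_mode(value):
            report["invalid"].append((name, value))
        elif value == "LOG":
            report["log_only"].append(name)      # access permitted, only logged
    return report


if __name__ == "__main__":
    print(audit_opts(SAMPLE))
```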

The ACF2/DB2 documentation of the 'Privileges' table was updated to include the SERVICEs READ and WRITE that can be associated with 'Global Variables'.

Writing ACF2/DB2 TYPE(VAR) rules for 'Global Variables'

Syntax for TYPE(VAR) Rules:  

   $KEY(RESOURCENAME) 

   $TYPE(VAR)
   $SYSID(SYSIDMASK)
   <$NOSORT>
   <$USERDATA('TEXT')>
   <$ROLESET>
   <$LIDOWNER(LOGONID)|$UIDOWNER(UIDMASK)|$ROLOWNER(ROLE)>
   <$MODE(ABORT|LOG|QUIET)>
   <%CHANGE UID-MASK1,UID-MASK2,...,UID-MASKN|LOGONID1,...LOGONIDN>
   <%RCHANGE UID-MASK1,UID-MASK2,...,UID-MASKN|LOGONID1,...LOGONIDN>
   <UID(UIDMASK)>
   <USER(LOGONID)>
   <ROLE(ROLE)>
   <SHIFT(SHIFT)>
   <UNTIL(DATE)|FOR(DAYS)>
   <SERVICE(KEYWORD1,...,KEYWORDN)> **
   <DATA('TEXT')>  
   <ALLOW|LOG|PREVENT>
   <*COMMENT>        

** Note: For Global Variables resource rules, SERVICE can be READ or WRITE.

Example TYPE(VAR) rule

Enter the $KEY on the first line. You can also enter the $TYPE and $SYSID control statements on this line if you prefer. Enter the other control statements and then rule entries, each on a separate line. Press ENTER or RETURN after each line. To end the rule set, enter a blank line. A message displays:

acf
ACF
set db2(var)
DB2
compile
ACFD2010 DB2 COMPILER ENTERED

. $key(global.variable) type(var) sysid(prod)
. uid(tfinpayiso) service(read) allow
. uid(tfinadmiso) service(write) until(11/24/05) log
.

ACFD2051 TOTAL RECORD LENGTH= 210 BYTES, 5 PERCENT UTILIZED
DB2
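
An access-review helper for TYPE(VAR) rule source, added here as an example and not part of the CA product or its documentation. It lists who is granted READ or WRITE on a global variable and flags any SERVICE keyword other than the two this page allows. The fourth rule entry in the sample is constructed to show the failure case; the function names are hypothetical.

```python
import re

VAR_SERVICES = {"READ", "WRITE"}       # valid SERVICE keywords for TYPE(VAR), per this page
ACTIONS = {"ALLOW", "LOG", "PREVENT"}  # rule-entry actions from the syntax block
OPERAND = re.compile(r"(\w+)\(([^)]*)\)")

# First three entries are the rule set from this page; the UPDATE entry is constructed.
SAMPLE = """
. $key(global.variable) type(var) sysid(prod)
. uid(tfinpayiso) service(read) allow
. uid(tfinadmiso) service(write) until(11/24/05) log
. uid(tfinbatiso) service(update) allow
.
"""


def review_var_rules(source):
    """Return (grants, problems) for the rule entries of a TYPE(VAR) rule set."""
    grants, problems = [], []
    for number, raw in enumerate(source.strip().splitlines(), 1):
        line = raw.strip().lstrip(".").strip()   # drop the leading '.' shown in the session
        if not line or line[0] in "$%*":         # skip control statements and comments
            continue
        operands = {k.upper(): v.upper() for k, v in OPERAND.findall(line)}
        bare = [w.upper() for w in OPERAND.sub(" ", line).split()]
        actions = [w for w in bare if w in ACTIONS]
        if len(actions) > 1 or len(actions) != len(bare):
            problems.append((number, "unexpected keywords: " + " ".join(bare)))
        who = operands.get("UID") or operands.get("USER") or operands.get("ROLE")
        for service in filter(None, operands.get("SERVICE", "").split(",")):
            if service in VAR_SERVICES:
                grants.append((who, service, actions[0] if actions else None,
                               operands.get("UNTIL")))
            else:
                problems.append((number, "SERVICE(%s) is not READ or WRITE" % service))
    return grants, problems


def write_access(grants):
    """Identities whose entry lets WRITE through (ALLOW, or LOG which permits and logs)."""
    return sorted({who for who, service, action, _ in grants
                   if service == "WRITE" and action in ("ALLOW", "LOG")})


if __name__ == "__main__":
    print(review_var_rules(SAMPLE))
```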