Is There a DB2(DSNR...) Check For Secondary Authorization ID When Primary Doesn't Have It?

Document ID : KB000010058
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

 

About the secondary authorization ID givne with the IBMGROUPs We'd like to know, whether the corresponding acids need to have the DB2-ressource (DSNR...) permitted or not.

 

Here it seems, that the security environment for the secondary authid is established, although the acid does not have the DB2(DSNR....) resource permitted.

 

Is this working as designed or do I have an implementation error here ? 

Environment:
z/OSDB2
Instructions:

 

Let's take an example to illustrate how it works:

If an user called MYUSER wants to access to DB2 to access to DB2 resource. 

He has to be signed on onto a third address space first, i.e. TSO, CICS, IMS, other. 

This user is known as the Primary AuthID for DB2, because he initiates the connection to the DB2 subsystem.

So, a security check is done against him for resource DB2(DSNR.whatever), if it is ok, then the access/connection to DB2 subsystem is allowed. 

Then he tried to access to a DB2 resource, if he is not allowed to access to this DB2 resource but he has got an IBMGROUP which is allowed to access to this DB2 resource, then the access will be allowed. 

This IBMGROUP is  known as Secondary AuthID for DB2.

This IBMGROUP doesn't need to be permitted to DB2(DSNR.whatever) , this check is made against a primary ID only.

 

Note: With TSS for DB2 the IBMGROUPs are signed on.

 

 

Additional Information:

 

The "whatever" depends on the connection type to the DB2 subsystem.

DB2 \{(DSNR.ssss.BAT)\} for BATCH and TSO connections
DB2 \{(DSNR.
ssss.DIS)\} for Distributed Data Facility (DDF)
DB2 \{(DSNR.
ssss.MAS)\} for connection from IMS
DB2 \{(DSNR.
ssss..SAS)\} for connection from CICS
DB2 \{(DSNR.
ssss.RRSAF)\} for connection from RSS Attachment Facility  

 

If you want to have more information about TSS for DB2 go to:

https://docops.ca.com/ca-top-secret-option-for-db2/1-3/en

 

If you want more details about CA Top Secret and DB2 interface go to link:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/implementing-in-cics-and-other-interfaces/implementing-security-for-db2