SAF based security examples to permit the .AUTH command under ACF2, RACF and Top Secret

Document ID : KB000021845
Last Modified Date : 14/02/2018

Summary:

The Batch Processor EXIT01 (the .AUTH command) uses the IBM System Authorization Facility (SAF) for authorization. SAF provides a common interface that passes control to whichever external security product is installed (CA ACF2, CA Top Secret, or IBM RACF).

When a connection request is received, DB2 obtains the initial primary authorization ID, and the external security product is called through SAF to verify that the ID is authorized to use the defined DB2 resource class, subsystem, and connection type.

The following are example statements for CA ACF2, RACF and CA Top Secret that define the CADB2 resource class and permit .AUTH usage.

Instructions:

Note: These are SAMPLES of security statements to assist in the SAF security setup to allow the .AUTH command. Please consult with your security administrator for details specific to your site.

RACF:
====

  • DEFINE DYNAMIC CDT ENTRY

    RDEFINE CDT CADB2 -
    CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(246) -
    OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) -
    POSIT(20) OPER(NO) RACLIST(REQUIRED))
    SETROPTS RACLIST(CDT) REFRESH

  • DEFINE PROFILE

    RDEF CADB2 CONNECT.AUTH.user2 UACC(NONE) OWNER(SECURITY)
    RALT CADB2 CONNECT.AUTH.user2 AUDIT(FAILURES(READ))
    PE CONNECT.AUTH.user2 CLASS(CADB2) ID(userxxxx) ACCESS(READ)

    OR (using a wildcard)

    PE CONNECT.AUTH.* CLASS(CADB2) ID(userxxxx) ACCESS(READ)
    SETROPTS RACLIST(CDT) REFRESH
    SETROPTS CLASSACT(CADB2) RACLIST(CADB2)
    SETROPTS RACLIST(CADB2) GENERIC(SERVER) REFRESH

    userxxxx = the user ID being permitted
    user2 = example ID to be switched to

Top Secret:
========

  • TSS ADD(RDT) RESCLASS(CADB2) MAXLEN(256) -
    ATTR(LONG,DEFPROT,GENERIC,MASK) -
    ACLST(READ)

    (Adds the resource class to the security file)

  • Define the CADB2 resource:

    TSS ADD(owningacid) CADB2(CONNECT)

    (the owningacid can be a department or group ACID)

  • Grant access to the newly defined resource:

    TSS PERMIT(userxxxx) CADB2(CONNECT.AUTH.user2) ACCESS(READ)

    userxxxx = the user ID being permitted
    user2 = example ID to be switched to

ACF2:
======

  • Add the CLASMAP for the CADB2 resource class:

    SET CONTROL(GSO)
    INSERT CLASMAP.CADB2 ENTITYLN(256) RESOURCE(CADB2) RSRCTYPE(CDB)

  • Grant access to the logon ID userxxxx using the following TSO ACF commands (the UID string in the rule identifies the logon ID being permitted, userxxxx; the rule key names the ID being switched to, user2):

    SET RESOURCE(CDB)
    RECKEY CONNECT ADD( AUTH.user2 UID(UID string for userxxxx) -
    SERVICE(READ) ALLOW)

    userxxxx = the user ID being permitted
    user2 = example ID to be switched to
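The article ends with the definitions themselves. The display commands below are an added example, not part of the original article or of the product documentation, showing how to confirm under each product that the CADB2 class exists and that userxxxx actually holds READ on CONNECT.AUTH.user2 before the .AUTH command is exercised. The placeholders userxxxx, user2 and owningacid are the article's; the `/* ... */` lines are explanatory comments, not commands to be entered.

```tso
/* RACF: confirm the dynamic CDT entry, then the profile and its      */
/* access list. AUTHUSER lists the users/groups and their access;     */
/* userxxxx should appear with READ.                                  */
RLIST CDT CADB2 CDTINFO
RLIST CADB2 CONNECT.AUTH.user2 AUTHUSER
/* If the wildcard permit was used, list the generic profile instead. */
RLIST CADB2 CONNECT.AUTH.* AUTHUSER
/* SETROPTS LIST shows whether CADB2 is ACTIVE and RACLISTed; a       */
/* RACLISTed class only reflects changes after the RACLIST REFRESH.   */
SETROPTS LIST

/* Top Secret: confirm the RDT entry, then see who holds the resource */
/* and what permits the ACID carries.                                 */
TSS LIST(RDT) RESCLASS(CADB2)
TSS WHOHAS CADB2(CONNECT.AUTH.user2)
TSS LIST(userxxxx) DATA(ALL)

/* ACF2: confirm the CLASMAP record and the rule, from TSO.           */
ACF
SET CONTROL(GSO)
LIST LIKE(CLASMAP-)
SET RESOURCE(CDB)
LIST CONNECT
END
/* Operator command (assumed needed only if type CDB is held in the   */
/* resident directory via GSO INFODIR): rebuild it so the new rule    */
/* takes effect without waiting for the next ACF2 refresh.            */
F ACF2,REBUILD(CDB)
```

Run the checks under the same security product that owns the system on which .AUTH will be issued; a permit that looks correct in one product's listing says nothing about a system protected by another.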

Additional Information:

Please review the section 'How to Use the Delivered Security Exits' in the product documentation (Using the Security Exits).