Unauthorized DB2 table creates

Document ID : KB000102420
Last Modified Date : 18/06/2018
Introduction:
Having an issue in our DB2 environment. Users are able to create tables which are not under their own personal id naming (we intentionally allow users the capability to create tables under their own id naming: scheme=userid). Top Secret rules block a user from inserting records into tables that they do not have authority to, but users can still create those tables with 0 records, which fills the DB2 catalog with invalid tables. We have a rule of DB2TABLE=Q.PROFILES(ACCESS=INSERT). Is this what is allowing the users to create these tables? If yes, how do we set the rule to allow only personal tables to be created by users?
Environment:

After upgrading to TSSDB2 1.3, DB2 resources are no longer protected as they were before.

As a result, a user holding only SELECT access to a DB2TABLE resource can add or delete rows in that table.

Instructions:

This problem appeared with TSS DB2 1.3 and was not visible with TSS DB2 1.2: to be compliant with DB2 9.1 and above, TSSDB2 1.3 makes an additional check against the new DB2SYS privilege DATAACCESS.

Because the DB2SYS resource class did not have the DEFPROT attribute, TSSDB2 returned RC 04 for that check, which allowed the user to access the table instead of denying access as the previous TSSDB2 release did.

If the DEFPROT attribute had been set, TSSDB2 would have returned RC 08, access would have been denied as before, and the upgrade would have been transparent.

Some DB2 resource classes in the RDT do NOT have the DEFPROT attribute.

You MUST run the DB13RDT job from the CADBJCL0 library, which adds DEFPROT to every DB2 resource class.

Here is an example:

//DB13RDT   JOB
//*********************************************************************
//*         CA TOP SECRET OPTION FOR DB2 1.3                          *
//*         COPYRIGHT (C) 2010, CA, INC.                              *
//*                                                                   *
//*         MEMBER:    DB13RDT                                        *
//*         FUNCTION:  TURN ON DEFAULT PROTECTION FOR DB2 RESOURCES   *
//*********************************************************************
//DB13RDT EXEC PGM=IKJEFT01,DYNAMNBR=25,REGION=2048K
//SYSTSPRT  DD SYSOUT=*
//SYSTSIN   DD *
TSS REPLACE(RDT) RESCLASS(DB2BUFFP) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2COLL)  ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2DBASE) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2FUNC)  ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2PKG)   ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2PLAN)  ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2PROC)  ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2SCHMA) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2STOGP) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2SYS)   ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2TABLE) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2TABSP) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2TYPE)  ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2JAR)   ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2SEQ)   ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2TRCON) ATTR(DEFPROT)
TSS REPLACE(RDT) RESCLASS(DB2ROLE)  ATTR(DEFPROT)
//
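To confirm which DB2 classes still lack DEFPROT before and after running DB13RDT, here is an added audit script; it is not part of this article or of CA Top Secret. It scans a TSS LIST(RDT) listing for the DB2 resource classes named in the job, reports the ones without DEFPROT (the ones that answer RC 04 instead of RC 08) and emits the matching TSS REPLACE commands. The listing layout and the sample listing embedded in it are assumptions constructed for this example; adapt the patterns to your site's real RDT output.

```python
import re

# Every DB2 resource class that the DB13RDT job in this article sets DEFPROT on.
DB2_CLASSES = [
    "DB2BUFFP", "DB2COLL", "DB2DBASE", "DB2FUNC", "DB2PKG", "DB2PLAN",
    "DB2PROC", "DB2SCHMA", "DB2STOGP", "DB2SYS", "DB2TABLE", "DB2TABSP",
    "DB2TYPE", "DB2JAR", "DB2SEQ", "DB2TRCON", "DB2ROLE",
]

# Constructed sample of a TSS LIST(RDT) listing; its layout (a RESCLASS line followed
# by an ATTR line) is an assumption for this example, so adapt the patterns to your site.
SAMPLE_RDT_LISTING = """\
RESCLASS = DB2SYS     RESCODE = X'0A'
   ATTR  = MAXOWN(8),MAXPERMIT(8)
RESCLASS = DB2TABLE   RESCODE = X'0B'
   ATTR  = DEFPROT,MAXOWN(32),MAXPERMIT(32)
RESCLASS = DB2PLAN    RESCODE = X'0C'
   ATTR  = MAXOWN(8),MAXPERMIT(8)
RESCLASS = DATASET    RESCODE = X'01'
   ATTR  = DEFPROT,MAXOWN(44),MAXPERMIT(44)
"""

CLASS_RE = re.compile(r"^RESCLASS\s*=\s*(\S+)")
ATTR_RE = re.compile(r"^\s*ATTR\s*=\s*(.*)$")


def parse_rdt(listing: str) -> dict[str, list[str]]:
    """Map each resource class in the listing to the attributes it carries."""
    classes: dict[str, list[str]] = {}
    current = None
    for line in listing.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes.setdefault(current, [])
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            classes[current].extend(a.strip() for a in m.group(1).split(","))
    return classes


def missing_defprot(listing: str) -> list[str]:
    """DB2 classes present in the RDT without DEFPROT: these return RC 04, not RC 08."""
    classes = parse_rdt(listing)
    return [c for c in DB2_CLASSES if c in classes and "DEFPROT" not in classes[c]]


def replace_commands(listing: str) -> list[str]:
    """The TSS REPLACE commands, in DB13RDT style, needed to close the gap."""
    return [f"TSS REPLACE(RDT) RESCLASS({c}) ATTR(DEFPROT)" for c in missing_defprot(listing)]
```

Run missing_defprot() on the real listing after DB13RDT completes; an empty result means every DB2 class now carries DEFPROT.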