× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Why can't MESECOFR get to the data? It would already have had to be put under the new function usage. But that isn't stated in your example.

To verify (good point, man!), I dug a little further and found this statement -

"In V7R2M0, the function usage, QIBM_DB_SECADM, provides a user with the ability to grant authority, revoke authority, change ownership, or change primary group, but without giving access to the object or, in the case of a database table, to the data that is in the table or allowing other operations on the table. QIBM_DB_SECADM function usage can only be given by a user with *SECADM special authority and can be given to a user or a group.

IBM are calling "Database Security Administration". I believe that this can be given to any user - that user to which the usage is given does not need to be *SECADM that I can see. Therefore, that person would not be able to create profiles.

If that is the case, then we have similar challenges in security - be careful to whom you give authority. Limit who can create profiles with *SECADM. Keep duties separate, so that the database security administrator does NOT have *SECADM.

Again, we are responsible for following best practices. I've certainly not exhausted that topic here - so it will be interesting to see what we all come up with.

And as I said, you do have to trust your people - AND audit.

Cheers
Vern

On 5/13/2014 1:25 PM, rob@xxxxxxxxx wrote:
I think James is right.

MESECOFR creates user HRCLERK.
In 7.2 MESECOFR can grant HRCLERK ability to maintain data in the schema
HRDATA even though MESECOFR cannot get to that same data. MESECOFR has
*ALLOBJ and everything else. But still can't access that data.
So, MESECOFR can create a user called DELETEME. And grant DELETEME the
permission to get into that data. MESECOFR can signoff and sign back on
as DELETEME.

Here's a close analogy.
QSECOFR can do
WRKSYSVAL QLMTSECOFR
and set them up so that they can only sign on to terminals they have
access to. Even if they have *ALLOBJ, etc.
QSECOFR tries to sign on to DSP01005 but cannot. So QSECOFR runs
GRTOBJAUT OBJ(DSP01005) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*ALL)
and now they can sign on to DSP01005.
Or QSECOFR can run
CHGSYSVAL QLMTSECOFR ...
and turn it off and back on at will.

So don't give IBM more credit than they deserve. Or, on a more positive
spin, don't 'assume' it works like you want it to - verify.


Rob Berendt


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.