06 - Db2 Row and Column Access (RCAC)
Db2 for i
Row and Column Access Control
A Closer Look
21/05/2021
[Diagram: a user accessing an IBM i table through object-level security, used to restrict access. Access: ALL or NOTHING.]
A solution…
What is RCAC?
• Allows for tailoring access to only the required data by responsibility or task
• Controls access to a table at the row level, column level, or both
• Two sets of “rules” available
– Permissions for rows
– Masks for columns
[Diagram: a user with *ALLOBJ access reaching the table directly, bypassing the security layers.]
• Users with direct access to Db2 objects can bypass these layers
  – Example: Users with *ALLOBJ authority can still view and change all the data
Row Permission example

Actual Set (base table rows, COLOR column):
  Row01 ROJO    Row07 AZUL    Row13 BLANCO
  Row02 AZUL    Row08 AZUL    Row14 VERDE
  Row03 AZUL    Row09 VERDE   Row15 BLANCO
  Row04 ROJO    Row10 VERDE   Row16 VERDE
  Row05 VERDE   Row11 VERDE   Row17 VERDE
  Row06 ROJO    Row12 VERDE   Row18 VERDE

Row Permission (applied by Db2 RCAC):
  WHERE (CURRENT_USER = 'USER1' AND COLOR = 'AZUL')
     OR (CURRENT_USER = 'USER2' AND COLOR = 'ROJO')
     OR (CURRENT_USER = 'USER3' AND COLOR = 'BLANCO')
© 2018 IBM Corporation
Column Mask example

Actual Set (base table rows, COLOR column):
  Row01 ROJO    Row07 AZUL    Row13 BLANCO
  Row02 AZUL    Row08 AZUL    Row14 VERDE
  Row03 AZUL    Row09 VERDE   Row15 BLANCO
  Row04 ROJO    Row10 VERDE   Row16 VERDE
  Row05 VERDE   Row11 VERDE   Row17 VERDE
  Row06 ROJO    Row12 VERDE   Row18 VERDE

Column Mask (applied by Db2 RCAC to the COLOR column):
  CASE
    WHEN CURRENT_USER = 'USER1' THEN '********'
    ELSE COLOR
  END
Integration…
[Diagram: roles and their authorities. Security Officer: *ALLOBJ, *SECADM. Database Engineer: QIBM_DB_SECADM function usage. Security Auditor: Security Audit Journal, Activity Review, Oversight. Contrast: No RCAC vs RCAC.]
Oversight and Auditing via IBM i PowerSC (powered by Db2 Web Query)
[Diagram: a user accessing an IBM i table; object security decides Who, What and When.]
[Diagram: RCAC Logic (rule text) attached to the table also expresses Who, What and When.]
CURRENT USER / CURRENT_USER
The most recently adopted authorization ID within the job or thread will be returned.
When no adopted authority has occurred, the effective user of the job or thread is returned.
Session 1 "HBEDOYA": connect to database, authenticate as HBEDOYA
  SYSTEM_USER  = 'HBEDOYA'
  SESSION_USER = 'HBEDOYA'
  CURRENT_USER = 'HBEDOYA'

Session 1 "HBEDOYA": session user changed to MCAIN
  SYSTEM_USER  = 'HBEDOYA'
  SESSION_USER = 'MCAIN'
  CURRENT_USER = 'MCAIN'

Session 1 "HBEDOYA": CALL SUPER_ROUTINE, created with adopted owner authority (owner is SUPER)
  SYSTEM_USER  = 'HBEDOYA'
  SESSION_USER = 'HBEDOYA'
  CURRENT_USER = 'SUPER'
VERIFY_GROUP_FOR_USER function

Group Profiles:
  PAYROLL: HBEDOYA, BESTGEN, MACK
  MGR:     MAC2, LMCGUIRE

VERIFY_GROUP_FOR_USER('HBEDOYA','PAYROLL') returns 1
VERIFY_GROUP_FOR_USER('MAC2','PAYROLL')    returns 0
VERIFY_GROUP_FOR_USER('MAC2','MGR')        returns 1
VALUES(CURRENT_USER);
…
CASE
  WHEN (VERIFY_GROUP_FOR_USER(CURRENT_USER,'PAYROLL') = 1)
    THEN TAX_ID
  WHEN (VERIFY_GROUP_FOR_USER(CURRENT_USER,'MGR') = 1)
    THEN 'XXX-XX-' CONCAT SUBSTR(TAX_ID,8,4)
  ELSE NULL
END
…
– CREATE PERMISSION
– CREATE MASK
– Open a table that has row and column access control activated
RCAC terminology
Base Table: The table (physical file) containing business-critical data.
ON <table name>
FOR ROWS
ON <table name>
CASE
<logic to test user and/or group and/or column value(s)>
<logic to mask or return column value>
END
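A complete worked definition, added here as an example and not taken from the slides: it combines the TAX_ID mask shown earlier with a row permission on a constructed HR.EMPLOYEE table and then activates both controls. The schema, table and column names (including MGR_PROFILE) are assumptions.

```sql
-- Constructed sample table (not from the slides); names are assumptions.
CREATE TABLE HR.EMPLOYEE (
  EMPNO       CHAR(6)     NOT NULL PRIMARY KEY,
  NAME        VARCHAR(50) NOT NULL,
  DEPT        CHAR(3)     NOT NULL,
  MGR_PROFILE VARCHAR(10) NOT NULL,   -- user profile of the row's manager
  TAX_ID      CHAR(11)                -- 'NNN-NN-NNNN'
);

-- Row permission: PAYROLL members see every row; managers see only the
-- rows they own; anyone else matches no rule and therefore sees no rows.
-- CURRENT_USER is used, so a routine running with adopted authority is
-- evaluated as the adopted user, as the CURRENT_USER slides describe.
CREATE PERMISSION HR.EMPLOYEE_ROW_ACCESS
  ON HR.EMPLOYEE
  FOR ROWS
  WHERE VERIFY_GROUP_FOR_USER(CURRENT_USER, 'PAYROLL') = 1
     OR (VERIFY_GROUP_FOR_USER(CURRENT_USER, 'MGR') = 1
         AND MGR_PROFILE = CURRENT_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: full TAX_ID for PAYROLL, last four digits for managers,
-- NULL for everyone else (the CASE expression from the slides).
CREATE MASK HR.EMPLOYEE_TAX_ID_MASK
  ON HR.EMPLOYEE
  FOR COLUMN TAX_ID
  RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(CURRENT_USER, 'PAYROLL') = 1 THEN TAX_ID
      WHEN VERIFY_GROUP_FOR_USER(CURRENT_USER, 'MGR') = 1
        THEN 'XXX-XX-' CONCAT SUBSTR(TAX_ID, 8, 4)
      ELSE NULL
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
ALTER TABLE HR.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE HR.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- Review the rules that now exist for the table and whether they are enabled.
SELECT * FROM QSYS2.SYSCONTROLS
  WHERE TABLE_SCHEMA = 'HR' AND TABLE_NAME = 'EMPLOYEE';
```

Creating the permission and mask requires the QIBM_DB_SECADM function usage; ownership of the table or *ALLOBJ alone is not enough.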
DSPOBJAUT command
• Tables which contain enabled RCAC definitions can be saved and restored
  regardless of whether option 47 is installed
  – However, if option 47 is NOT installed:
    • Permissions and masks cannot be created
    • Tables with enabled and active RCAC definitions cannot be accessed
  – Can be saved to a previous release, back to 7.2 only, not 7.1
• For security purposes, it is best to first restrict access to the object itself
  (i.e. remove authority to save the object)
• Enabled row permissions and column masks are not applied to the initial
values of transition variables or to transition tables referenced in the
trigger body
• To balance the needs of integrity and security, the trigger must be created
(or altered) to have the SECURED attribute
• If a trigger is not secure, RCAC cannot be activated for the target table
• Function invocations are allowed within RCAC rules and provide the
ability to create more complex and modularized RCAC rule text logic
• To balance the need of complex rule logic and security, the function must
be created (or altered) to have the SECURED attribute
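The SECURED requirement for both the function bullets here and the trigger bullets above, as an added example (constructed, not from the slides): a helper function given the SECURED attribute, rule text that calls it, and the trigger that must be secured before activation succeeds. It assumes an existing table HR.EMPLOYEE with a MGR_PROFILE column and an existing trigger HR.EMPLOYEE_AUDIT.

```sql
-- Constructed objects (not from the slides); all names are assumptions.

-- 1. A helper used inside rule text. Db2 accepts it in a permission or
--    mask only if it carries the SECURED attribute, which records that its
--    logic has passed the audit control procedure the slides refer to.
CREATE OR REPLACE FUNCTION HR.IN_BUSINESS_HOURS()
  RETURNS INTEGER
  LANGUAGE SQL
  NOT DETERMINISTIC
  NO EXTERNAL ACTION
  SECURED
  RETURN CASE WHEN HOUR(CURRENT TIME) BETWEEN 8 AND 17 THEN 1 ELSE 0 END;

-- The attribute can also be added to a function that already exists.
-- From then on Db2 assumes every later ALTER FUNCTION on it was reviewed.
ALTER FUNCTION HR.IN_BUSINESS_HOURS() SECURED;

-- 2. Rule text that calls the secured helper: PAYROLL always sees its
--    rows, managers see their own rows only during business hours.
CREATE PERMISSION HR.EMPLOYEE_DAYTIME_ROWS
  ON HR.EMPLOYEE
  FOR ROWS
  WHERE VERIFY_GROUP_FOR_USER(CURRENT_USER, 'PAYROLL') = 1
     OR (VERIFY_GROUP_FOR_USER(CURRENT_USER, 'MGR') = 1
         AND MGR_PROFILE = CURRENT_USER
         AND HR.IN_BUSINESS_HOURS() = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- 3. A trigger on the table must be SECURED as well; while it is not,
--    activating row access control on the table is refused.
ALTER TRIGGER HR.EMPLOYEE_AUDIT SECURED;

ALTER TABLE HR.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
```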
• Db2 assumes that such an audit control procedure is in place for all
subsequent ALTER FUNCTION statements
Step 2
• Db2 for i Row and Column Access Control Consulting Workshop
contact Mike Cain or Hernando Bedoya
mcain@us.ibm.com or hbedoya@us.ibm.com
Questions?