06 - Db2 Row and Column Access (RCAC)


21/05/2021

Db2 for i
Row and Column Access Control
A Closer Look

Hernando Bedoya / Mike Cain


Rochester, MN USA

© 2018 IBM Corporation

Homework: Please find out!


…is the domain of Business, not IT.

Business defines the rules.
IT implements the rules.
Business enforces the rules.

When it comes to the database management system, the job must include two components:

Obvious Best Practices

1. Do not store the data element(s) unnecessarily
   – Proper relational modeling and normalization accomplishes this
2. Protect data element(s) first with object level authority
   – Avoid program, application or menu based security schemes

First Area of Focus

PII – Personally Identifiable Information

[Figure: User → IBM i Security → Table]

The Business Problem…

Government regulations and corporate policies are aggressively pushing to restrict or prevent access to sensitive data.

The Technical Problem…

There is no easy and effective way to restrict access to a specific set of rows or column values.

[Figure: User → IBM i Security → Table; access is ALL or NOTHING]

A solution…

Row and Column Access Control (RCAC)

What is RCAC?

• Additional layer of data security available within Db2 for i
• Complementary to object level security (it does not replace it)
• Allows for tailoring access to only the required data by responsibility or task
• Controls access to a table at the row level, column level, or both
• Two sets of “rules” available
  – Permissions for rows
  – Masks for columns
• Functionality is delivered via IBM Advanced Data Security for i
  – No-charge feature
  – Option 47

What does RCAC mean?

When accessing the same table, with the same statement, users are not treated equally.

Fundamental questions answered by RCAC…

• How can we ensure that users only see their rows?
• How can we ensure that PII columns are masked for unauthorized users?
• How can we separate roles and responsibilities?

[Figure: user with *ALLOBJ access]

Why employ RCAC?

• Currently, data access is restricted with menus, program logic, or views
• Users with direct access to Db2 objects can bypass these layers
  Example: Users with *ALLOBJ authority can still view and change all the data
• Establish separation of roles and responsibilities, with auditing
• Enables all data access to be controlled at the row / column level
  – Via rich security policies
  – Restrict security administrators from accessing all data in a database
  – No dependency on application logic
  – Allows for column value masking (not encryption)
  – Facilitates table level multi-tenancy
  – Avoids “all or nothing” access behavior

What does RCAC look like, and how does it behave?

Result Set / Actual Set

Four users run the same statement against the same table:

SELECT * FROM A_SET;

Actual Set (the 18 rows stored in A_SET):

Row01 ROJO
Row02 AZUL
Row03 AZUL
Row04 ROJO
Row05 VERDE
Row06 ROJO
Row07 AZUL
Row08 AZUL
Row09 VERDE
Row10 VERDE
Row11 VERDE
Row12 VERDE
Row13 BLANCO
Row14 VERDE
Row15 BLANCO
Row16 VERDE
Row17 VERDE
Row18 VERDE

Result Set: User1 ?   User2 ?   User3 ?   User4 ?

Result Set / Actual Set

With RCAC in place, each user's result set from SELECT * FROM A_SET (Actual Set: the same 18 rows of A_SET):

User1: Row02 AZUL, Row03 AZUL, Row07 AZUL, Row08 AZUL
User2: Row01 ROJO, Row04 ROJO, Row06 ROJO
User3: Row13 BLANCO, Row15 BLANCO
User4: Empty Set

Row Permission

Db2 RCAC applies this rule text to every access of A_SET (Actual Set: the same 18 rows of A_SET):

WHERE (CURRENT_USER = 'USER1' AND COLOR = 'AZUL')
   OR (CURRENT_USER = 'USER2' AND COLOR = 'ROJO')
   OR (CURRENT_USER = 'USER3' AND COLOR = 'BLANCO')

Result Set / Actual Set

The statement Db2 effectively runs once the row permission is merged into SELECT ROW_NAME, COLOR FROM A_SET (Actual Set: the same 18 rows of A_SET):

SELECT ROW_NAME, COLOR
  FROM A_SET
 WHERE (CURRENT_USER = 'USER1' AND COLOR = 'AZUL')
    OR (CURRENT_USER = 'USER2' AND COLOR = 'ROJO')
    OR (CURRENT_USER = 'USER3' AND COLOR = 'BLANCO');

User1: Row02 AZUL, Row03 AZUL, Row07 AZUL, Row08 AZUL
User4: Empty Set


Column Mask

Db2 RCAC applies this rule text to the COLOR column of A_SET (Actual Set: the same 18 rows of A_SET):

CASE
  WHEN CURRENT_USER = 'USER1' THEN '********'
  ELSE COLOR
END

Result Set / Actual Set

User1 runs:

SELECT * FROM A_SET ORDER BY COLOR;

User1 result set (every row is returned, COLOR is masked; Actual Set: the same 18 rows of A_SET):

Row02 ********
Row03 ********
Row07 ********
Row08 ********
Row13 ********
Row15 ********
Row01 ********
Row04 ********
Row06 ********
Row05 ********
Row09 ********
Row10 ********
Row11 ********
Row12 ********
Row14 ********
Row16 ********
Row17 ********
Row18 ********

Note the order: the rows come back grouped AZUL, BLANCO, ROJO, VERDE, so ORDER BY sorted on the real COLOR value. The mask changes only what is returned to the user, not the values Db2 sorts on.

Result Set / Actual Set

The statement Db2 effectively runs for User1 once the column mask is merged in (Actual Set: the same 18 rows of A_SET):

SELECT ROW_NAME,
       CASE
         WHEN CURRENT_USER = 'USER1' THEN '********'
         ELSE COLOR
       END
  FROM A_SET
 ORDER BY COLOR;

User1 result set: Row02, Row03, Row07, Row08, Row13, Row15, Row01, Row04, Row06, Row05, Row09, Row10, Row11, Row12, Row14, Row16, Row17, Row18, each with COLOR shown as ********

Result Set / Actual Set

Mask and permission together. The statement Db2 effectively runs (Actual Set: the same 18 rows of A_SET):

SELECT ROW_NAME,
       CASE                                            -- Mask
         WHEN CURRENT_USER = 'USER1' THEN '********'
         ELSE COLOR
       END
  FROM A_SET
 WHERE (CURRENT_USER = 'USER1' AND COLOR = 'AZUL')      -- Permission
    OR (CURRENT_USER = 'USER2' AND COLOR = 'ROJO')
    OR (CURRENT_USER = 'USER3' AND COLOR = 'BLANCO');

User1: Row02 ********, Row03 ********, Row07 ********, Row08 ********
User3: Row13 BLANCO, Row15 BLANCO

IBM Advanced Data Security for i

Integration…

• RCAC is applied after checking object authorization requirements
  – Once past the object authorization:
    • Row permissions can limit the set of rows accessed
    • Column masks limit viewing of column data
• RCAC definitions exist within the table object
• When ENABLED & ACTIVATED, RCAC is automatically applied by Db2
• RCAC is comprehensive and applies to any and all interfaces!!!
  – (SQL, HLL native record-level access, commands, APIs, etc.)
• Only users with QIBM_DB_SECADM authority can manage RCAC
  – Facilitating the separation of roles and responsibilities

Separation of roles and responsibilities

• Users with special authority *ALLOBJ or *SECADM cannot manage RCAC
• Only users with QIBM_DB_SECADM functional usage can manage RCAC

Database functional usage IDs

QIBM_DB_DDMDRDA   DDM & DRDA Application Server Access
QIBM_DB_SECADM    Database Security Administrator
QIBM_DB_SQLADM    Database Administrator
QIBM_DB_SYSMON    Database Information
QIBM_DB_ZDA       Toolbox Application Server Access

Separation of roles and responsibilities

[Figure: Security Auditor – security activity review via the audit journal (oversight); Security Officer – *ALLOBJ, *SECADM – no RCAC; Database Engineer – functional usage QIBM_DB_SECADM – RCAC]

Oversight and Auditing via IBM i PowerSC (powered by Db2 Web Query)

[Figure: User → IBM i Security → Table – Who / What / When]

[Figure: Table – RCAC Logic (rule text) – Who / What / When]

Special registers – similar names, different purposes

Special Register              Definition
SYSTEM_USER                   The authorization ID that initiated the connection is returned.
USER or SESSION_USER          The effective user of the job or thread is returned.
CURRENT USER or CURRENT_USER  The most recently adopted authorization ID within the job or thread will be returned. When no adopted authority has occurred, the effective user of the job or thread is returned.

Special registers – similar names, different purposes

Session 1 “HBEDOYA”   CURRENT_USER = 'HBEDOYA'
Session 2 “MCAIN”     CURRENT_USER = 'MCAIN'
Session 3 “MAC2”      CURRENT_USER = 'MAC2'

Special registers – similar names, different purposes

Session 1 “HBEDOYA”, connect to database and authenticate as HBEDOYA:
SYSTEM_USER  = 'HBEDOYA'
SESSION_USER = 'HBEDOYA'
CURRENT_USER = 'HBEDOYA'

Session 1 “HBEDOYA”, after SET SESSION AUTHORIZATION = MCAIN:
SYSTEM_USER  = 'HBEDOYA'
SESSION_USER = 'MCAIN'
CURRENT_USER = 'MCAIN'

Session 1 “HBEDOYA”, during CALL SUPER_ROUTINE, created with SET OPTION USRPRF=*OWNER (owner is SUPER):
SYSTEM_USER  = 'HBEDOYA'
SESSION_USER = 'HBEDOYA'
CURRENT_USER = 'SUPER'

Rule text that tests CURRENT_USER therefore sees the adopted profile (SUPER) inside such a routine, while SESSION_USER still identifies HBEDOYA; pick the register that matches the policy being written.

VERIFY_GROUP_FOR_USER function

VERIFY_GROUP_FOR_USER returns true (1) or false (0) by testing if the user specified is in the group (i.e. a member of a group profile)

Group Profiles

PAYROLL: HBEDOYA, BESTGEN, MACK
MGR:     MAC2, LMCGUIRE

VERIFY_GROUP_FOR_USER('HBEDOYA', 'PAYROLL') returns 1
VERIFY_GROUP_FOR_USER('MAC2', 'PAYROLL') returns 0
VERIFY_GROUP_FOR_USER('MAC2', 'MGR') returns 1

CURRENT_USER special register + VERIFY_GROUP_FOR_USER

The CURRENT USER special register specifies the primary authorization ID that is being used for statement authorization.

VERIFY_GROUP_FOR_USER function returns true (1) or false (0) by testing if the user specified is in the group (i.e. a member of a group profile).

VALUES(CURRENT_USER);

CASE
  WHEN (VERIFY_GROUP_FOR_USER(CURRENT_USER, 'PAYROLL') = 1)
    THEN TAX_ID
  WHEN (VERIFY_GROUP_FOR_USER(CURRENT_USER, 'MGR') = 1)
    THEN 'XXX-XX-' CONCAT SUBSTR(TAX_ID, 8, 4)
  ELSE NULL
END

IBM Advanced Data Security for i

• Option 47 is available for IBM i 7.2 and 7.3 (at no charge)
• Option 47 must be installed to:
  – CREATE PERMISSION
  – CREATE MASK
  – Open a table that has row and column access control activated

RCAC terminology

Base Table        The table (physical file) containing business critical data.
Dependent Object  Any schema, table, function, or other object the permission or mask references.
Permission        Defines a row access control rule for rows in a table by using an SQL WHERE clause that must be satisfied to access the row. 0 to many permissions allowed per table.
Mask              Defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what values or mask a user is permitted to see and under what conditions. 0 or 1 masks allowed per column.
Rule Text         Logic and syntax to be used by the permission (WHERE clause predicates) or mask (CASE expression).

Row and Column Access Control (RCAC)

CREATE PERMISSION <permission name>
  ON <table name>
  FOR ROWS
  WHERE <logic to test user and/or group and/or column value(s)>
  ENFORCED FOR ALL ACCESS
  ENABLE;     -- ENABLE switches the permission on for the table

Row and Column Access Control (RCAC)

CREATE MASK <mask name>
  ON <table name>
  FOR COLUMN <column name> RETURN
  CASE
    <logic to test user and/or group and/or column value(s)>
    <logic to mask or return column value>
  END
  ENABLE;     -- ENABLE switches the mask on for the table

Row and Column Access Control (RCAC)

ALTER TABLE <table name>
  ACTIVATE ROW ACCESS CONTROL;

ALTER TABLE <table name>
  ACTIVATE COLUMN ACCESS CONTROL;

ALTER TABLE <table name>
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;
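The three steps above (CREATE PERMISSION, CREATE MASK, ALTER TABLE ... ACTIVATE) carried through end to end, as an added example that is not part of the deck: it uses the TAX_ID CASE expression and the PAYROLL / MGR group profiles from earlier slides, while HR_PROJECT.EMPLOYEES, its columns and the rule names are assumed for illustration.

```sql
-- Added example, not from the slides: the RCAC lifecycle on a hypothetical
-- HR_PROJECT.EMPLOYEES table. HR_PROJECT is the library shown on the
-- DSPOBJAUT slide; the table, its columns and the rule names are assumed.
-- PAYROLL and MGR are the group profiles used throughout the deck.

CREATE TABLE HR_PROJECT.EMPLOYEES (
  EMP_ID    INTEGER     NOT NULL PRIMARY KEY,
  EMP_NAME  VARCHAR(60) NOT NULL,
  MANAGER   VARCHAR(10) NOT NULL,  -- user profile of the employee's manager
  TAX_ID    CHAR(11)               -- PII 'NNN-NN-NNNN'; nullable so ELSE NULL is valid
);

-- Row permission: PAYROLL members see every row, a manager sees only the
-- rows of their own reports, anyone else (an *ALLOBJ user included) sees
-- none. ENFORCED FOR ALL ACCESS applies the rule to reads and writes alike.
-- The rules key on CURRENT_USER, so inside a USRPRF(*OWNER) routine they
-- evaluate the routine owner, not the caller (see the special-register slides).
CREATE PERMISSION HR_PROJECT.EMP_ROWS
  ON HR_PROJECT.EMPLOYEES
  FOR ROWS
  WHERE VERIFY_GROUP_FOR_USER(CURRENT_USER, 'PAYROLL') = 1
     OR (VERIFY_GROUP_FOR_USER(CURRENT_USER, 'MGR') = 1
         AND MANAGER = CURRENT_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: the CASE expression from the CURRENT_USER +
-- VERIFY_GROUP_FOR_USER slide, attached to TAX_ID.
CREATE MASK HR_PROJECT.EMP_TAX_ID_MASK
  ON HR_PROJECT.EMPLOYEES
  FOR COLUMN TAX_ID RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(CURRENT_USER, 'PAYROLL') = 1
        THEN TAX_ID
      WHEN VERIFY_GROUP_FOR_USER(CURRENT_USER, 'MGR') = 1
        THEN 'XXX-XX-' CONCAT SUBSTR(TAX_ID, 8, 4)
      ELSE NULL
    END
  ENABLE;

-- Nothing is enforced until the table is activated. This statement, like
-- the two CREATEs above, needs QIBM_DB_SECADM functional usage.
ALTER TABLE HR_PROJECT.EMPLOYEES
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- Confirm what is defined on the table and whether each rule is enabled
-- (QSYS2.SYSCONTROLS is the catalog view named later in the deck).
SELECT *
  FROM QSYS2.SYSCONTROLS
 WHERE TABLE_SCHEMA = 'HR_PROJECT'
   AND TABLE_NAME   = 'EMPLOYEES';
```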

Row and Column Access Control (RCAC)

ALTER TABLE <table name>
  DEACTIVATE ROW ACCESS CONTROL;

ALTER TABLE <table name>
  DEACTIVATE COLUMN ACCESS CONTROL;

ALTER TABLE <table name>
  DEACTIVATE ROW ACCESS CONTROL
  DEACTIVATE COLUMN ACCESS CONTROL;

Determine if RCAC is defined and enabled for a table

DSPOBJAUT command

                          Display Object Authority
Object . . . . . . . : EMPLO00001        Owner . . . . . . . : MCAIN
  Library . . . . . : HR_PROJECT         Primary group . . . : *NONE
Object type . . . . : *FILE              ASP device . . . . . : *SYSBAS
Row or column access control . . . . . . . . . . . . . . . . : Active
Object secured by authorization list . . . . . . . . . . . . : *NONE

Determine if RCAC is defined and enabled for a table

Catalog views: QSYS2.SYSCONTROLS and QSYS2.SYSCONTROLSDEP

Graphical interface: items in a schema

Graphical interface: table definition

Generate SQL can produce RCAC definitions

Graphical interface: reverse engineer CREATE for documentation or change

Save / Restore with RCAC

• Tables which contain enabled RCAC definitions can be saved and restored regardless of whether option 47 is installed
  – However, if option 47 is NOT installed:
    • Permissions and masks cannot be created
    • Tables with enabled and active RCAC definitions cannot be accessed
  – Can save to a previous release, back to 7.2 only, not 7.1
• For security purposes, it is best to first restrict access to the object itself (i.e. remove authority to save the object)

RCAC and Triggers

• A trigger has access to unprotected data
• Enabled row permissions and column masks are not applied to the initial values of transition variables or to transition tables referenced in the trigger body

Must secure triggers for row and column access control:

• To balance the needs of integrity and security, the trigger must be created (or altered) to have the SECURED attribute
• If a trigger is not secure, RCAC cannot be activated for the target table

RCAC and Functions

• Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic
• This additional capability adds a level of complexity for the security administrator because the function must be reviewed and approved

Secure functions referenced by row and column access control:

• To balance the need for complex rule logic and security, the function must be created (or altered) to have the SECURED attribute
• A function must be defined as secure when it is referenced in a row permission or a column mask
• If a function is not secure, the permission or mask cannot be enabled

RCAC and SQL Routines

• When creating a secure routine, Db2 treats the SECURED attribute as an assertion that declares that the user has established an audit procedure for all changes to the routine
• Db2 assumes that such an audit control procedure is in place for all subsequent ALTER FUNCTION statements
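The SECURED attribute from the trigger, function and routine slides in one worked example, added here and not part of the deck: a rule function referenced by a mask and an audit trigger on the protected table, both created SECURED. HR_PROJECT.EMPLOYEES with EMP_ID and TAX_ID, the audit table and the routine names are assumed; PAYROLL and MGR are the deck's group profiles, and only column access control is activated because the block defines no row permission.

```sql
-- Added example, not from the slides: the SECURED attribute on a function
-- that a mask references and on a trigger over the protected table.
-- HR_PROJECT.EMPLOYEES (EMP_ID, TAX_ID), the audit table and the routine
-- names are assumed; PAYROLL and MGR are the deck's group profiles.

-- Rule logic in one function so it is reviewed once and reused. SECURED is
-- what allows a mask or permission to reference it; NOT DETERMINISTIC
-- because the result depends on the user passed in.
CREATE OR REPLACE FUNCTION HR_PROJECT.TAX_ID_ACCESS_LEVEL (P_USER VARCHAR(128))
  RETURNS SMALLINT
  LANGUAGE SQL
  NOT DETERMINISTIC
  NO EXTERNAL ACTION
  SECURED
  RETURN CASE
           WHEN VERIFY_GROUP_FOR_USER(P_USER, 'PAYROLL') = 1 THEN 2  -- full value
           WHEN VERIFY_GROUP_FOR_USER(P_USER, 'MGR') = 1     THEN 1  -- last four digits
           ELSE 0                                                    -- nothing
         END;

CREATE MASK HR_PROJECT.EMP_TAX_ID_MASK_FN
  ON HR_PROJECT.EMPLOYEES
  FOR COLUMN TAX_ID RETURN
    CASE HR_PROJECT.TAX_ID_ACCESS_LEVEL(CURRENT_USER)
      WHEN 2 THEN TAX_ID
      WHEN 1 THEN 'XXX-XX-' CONCAT SUBSTR(TAX_ID, 8, 4)
      ELSE NULL
    END
  ENABLE;

-- Audit trigger. O.TAX_ID and N.TAX_ID carry the real, unmasked values,
-- which is why RCAC cannot be activated on the table until the trigger is
-- SECURED. Record that the PII changed, not the PII itself.
CREATE TABLE HR_PROJECT.EMP_AUDIT (
  CHANGED_BY     VARCHAR(128) NOT NULL,
  CHANGED_AT     TIMESTAMP    NOT NULL,
  EMP_ID         INTEGER      NOT NULL,
  TAX_ID_CHANGED CHAR(1)      NOT NULL
);

CREATE OR REPLACE TRIGGER HR_PROJECT.EMP_AUDIT_TRG
  AFTER UPDATE ON HR_PROJECT.EMPLOYEES
  REFERENCING OLD AS O NEW AS N
  FOR EACH ROW MODE DB2ROW
  SECURED
  INSERT INTO HR_PROJECT.EMP_AUDIT
    VALUES (CURRENT_USER, CURRENT_TIMESTAMP, N.EMP_ID,
            CASE WHEN O.TAX_ID IS DISTINCT FROM N.TAX_ID THEN 'Y' ELSE 'N' END);

-- An existing trigger gets the attribute with: ALTER TRIGGER HR_PROJECT.EMP_AUDIT_TRG SECURED;
-- SECURED is Db2's record that changes to these routines are audited, so
-- every later ALTER FUNCTION or ALTER TRIGGER deserves the same review.
ALTER TABLE HR_PROJECT.EMPLOYEES
  ACTIVATE COLUMN ACCESS CONTROL;
```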


Education and consulting resources:

Step 1
• Db2 for i RCAC Redpaper:
  http://www.redbooks.ibm.com/redpieces/pdfs/redp5110.pdf

Step 2
• Db2 for i Row and Column Access Control Consulting Workshop
  Contact Mike Cain or Hernando Bedoya: mcain@us.ibm.com or hbedoya@us.ibm.com

Questions?