August 16, 2011

Roles and Trusted Context

During the SHARE conference in Orlando, I was standing in the vendor hall having a discussion with someone about DB2 security. This person told me how his company implemented roles and trusted context to give DBAs SYSADM capabilities without granting them SYSADM authority. I found this very interesting, because I've not heard of many companies implementing roles and trusted context.

I was telling this person how unusual this is, and expressing my belief that a lack of information is the cause. Implementing roles hasn't really been presented in a way that people can understand, so few see the value.

Funny then that shortly after I got back from Orlando, I received notification of a new IBM Redbooks publication, "Security Functions with DB2 10 for z/OS."

This publication, which is currently in draft form, includes information on roles and trusted context. Chapter 4 examines some challenges roles and trusted context can help solve and then provides details to implement the solution. The challenge of granting SYSADM is mentioned in chapter 4.5 ("example of local trusted context, securing DBA activities").

Specific to DB2 10, I noticed only minor updates concerning roles and trusted context. The most significant change is the new SECADM authority, which users will need in order to manage roles and trusted contexts. Other related changes classify row permissions, column masks, roles and trusted contexts as security-related functions.
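To make the pattern from the vendor-hall conversation concrete, here is an added illustration in DB2 10 for z/OS SQL (my own sketch, not code from the post or the Redbook); the role, context, authid and job names are placeholders:

```sql
-- Constructed example: a role plus a local trusted context so a DBA can do
-- SYSADM-level work without SYSADM being granted to the DBA's own authid.
-- DBA_ROLE, DBA_CTX, DBAUSER and DBAJOB are placeholder names.
-- Under DB2 10 with SEPARATE_SECURITY=YES these statements are issued by an
-- authid holding SECADM, the authority needed to manage roles and contexts.

-- 1. The role carries the privilege; no user receives SYSADM directly.
CREATE ROLE DBA_ROLE;
GRANT SYSADM TO ROLE DBA_ROLE;

-- 2. The local trusted context ties the DBA's system authid to a connection
--    attribute (here the batch/TSO job name). The role is assigned only when
--    DBAUSER connects through a job matching these attributes; elsewhere the
--    authid has nothing beyond its ordinary privileges.
CREATE TRUSTED CONTEXT DBA_CTX
  BASED UPON CONNECTION USING SYSTEM AUTHID DBAUSER
  ATTRIBUTES (JOBNAME 'DBAJOB')
  DEFAULT ROLE DBA_ROLE WITHOUT ROLE AS OBJECT OWNER
  ENABLE;

-- 3. Verify in the catalog: the role exists, SYSADM is held by the role
--    (GRANTEETYPE 'L') and not by the authid, and the context is enabled.
SELECT NAME
  FROM SYSIBM.SYSROLES
 WHERE NAME = 'DBA_ROLE';

SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE IN ('DBA_ROLE', 'DBAUSER');

SELECT NAME, SYSTEMAUTHID, DEFAULTROLE, ENABLED
  FROM SYSIBM.SYSCONTEXT
 WHERE NAME = 'DBA_CTX';

-- 4. Disabling the context withdraws the elevated capability at once,
--    without touching the DBA's normal authorizations.
ALTER TRUSTED CONTEXT DBA_CTX ALTER DISABLE;
```

The second SELECT is the audit check worth keeping: the DBA's own authid should never show SYSADMAUTH set, only the role should.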

What I love about Redbooks publications is that you get real people presenting real problems and providing real-life solutions. For anyone working with DB2 for z/OS -- whether you're a developer, DBA or security administrator -- I highly recommend taking the time to review how security works. This particular publication is a good start.