#1  02-08-05, 09:06  PeerkeV
DB2 V7 zOS Authorisation exit question

Hello,

We are facing a problem with RACF security in DB2.
We are running DB2 V7.1 on zOS 1.4.
When a user logs on to TSO, we connect this user to a group to be able to
update DB2 tables, and he starts SPUFI or QMF, he cannot update the tables.
When this user logs off and on again, he can update the tables.
When we disconnect this user from this group, he still can update the
tables until he logs off and on again.

It seems the exit only "sees" the initial "RACF-list" and not the updates
during his session. A RACF refresh does not help.

In my opinion, the change to RACF should be active immediately (as is in
TSO).

Does anyone know if my assumption is correct and (even better) a solution
to make it work as I think it should?

Thanks in advance,

Peter Verbeek

#2  02-08-05, 17:55  jacampbell
Based on what you've described I think you are using the exit called the "connection exit" - which is only invoked during connection. If you wade through the code for the sample exit (I presume you've replaced the default exit by the sample exit) you'll see that it actually copies RACF group names into a DB2 specific data area. It is that DB2 data area, not a RACF data area, that is used by DB2 for authorization processing. This is why RACF updates do not immediately affect DB2. (The reason the exit works this way is to provide a generic interface, usable by ACF-2 etc, and hence not violate IBM's Consent Decree of 1956.)

If you want DB2 to behave the way you "think it should" you'll have to convert to the Access control authorization exit. (http://publibz.boulder.ibm.com/cgi-b.../APPENDIX1.2.2)

James Campbell

#3  02-09-05, 07:17  PeerkeV
Thanks James,

Maybe you saw this already in DB2-L, but maybe for other persons:

Our problem can not be solved easily.
We raised a PMR with IBM.
We use the standard connection exit with list of groups option.
The main problem is (according to IBM):
RACF doesn't appear to support SETROPTS ... REFRESH for GRPLIST. So
you can't dynamically refresh the list of groups which a user is
connected to. The only way to refresh the list is to logoff/logon to
build a new ACEE.

I asked if a tool is available to achieve the same thing.
"No. We could send a FITS Design Change Requirement to the RACF Lab for
them to consider this for a future release."

I asked to send this FITS.

Thread can be closed.

Last edited by PeerkeV; 02-09-05 at 07:20.
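
The thread describes a group list that is fixed at logon and only rebuilt when the user logs off and on again. One way to audit for that is to compare each active session's logon time with later group changes. This is an added example, not part of the original posts and not IBM code; the record layout, user IDs and group name are constructed, and it assumes the effective group list is exactly the one that existed at logon.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Session:
    user: str
    logon: datetime          # when the session's group list was built

@dataclass(frozen=True)
class GroupEvent:
    when: datetime
    user: str
    group: str
    action: str              # "CONNECT" or "REMOVE", named after the RACF commands

def groups_at(events, user, when):
    """Replay a user's group changes up to and including `when`."""
    groups = set()
    for ev in sorted(events, key=lambda e: e.when):
        if ev.user != user or ev.when > when:
            continue
        if ev.action == "CONNECT":
            groups.add(ev.group)
        elif ev.action == "REMOVE":
            groups.discard(ev.group)
    return groups

def stale_sessions(sessions, events, now):
    """Report sessions whose logon-time group list differs from the current one."""
    findings = []
    for s in sessions:
        at_logon = groups_at(events, s.user, s.logon)
        current = groups_at(events, s.user, now)
        if at_logon != current:
            findings.append({
                "user": s.user,
                "revoked_but_still_held": sorted(at_logon - current),
                "granted_but_not_yet_seen": sorted(current - at_logon),
            })
    return findings

# Constructed sample data (hypothetical user IDs and group name).
T = lambda hh, mm: datetime(2005, 2, 8, hh, mm)
EVENTS = [
    GroupEvent(T(7, 0), "USERB", "DB2UPD", "CONNECT"),
    GroupEvent(T(7, 0), "USERC", "DB2UPD", "CONNECT"),
    GroupEvent(T(9, 10), "USERA", "DB2UPD", "CONNECT"),  # granted mid-session
    GroupEvent(T(9, 20), "USERB", "DB2UPD", "REMOVE"),   # revoked mid-session
]
SESSIONS = [Session("USERA", T(9, 0)), Session("USERB", T(8, 30)), Session("USERC", T(8, 45))]
```

Calling `stale_sessions(SESSIONS, EVENTS, now=T(10, 0))` flags USERA (granted but not yet effective) and USERB (revoked but still effective); a `revoked_but_still_held` entry marks a session that would need a logoff/logon before the removal takes effect.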