
Should I use the traditional DB2 security or RACF access control?

Question & Answer


Question

Should I use the traditional DB2 security or RACF access control?

Answer

Using RACF® access control has significant policy and people implications. If you want database administrators to manage security, then integration with DB2® is very important. If you want security administrators to manage security, then integration with the security server, and the ability to separate security administration from database administration, are more important.

Changing to RACF access control causes roles and authorities to change, and converting from DB2 security to RACF is not a completely compatible change. Authority based on secondary IDs, such as BINDAGENT, requires a new technique under RACF. There are some situations where DB2 access control must be used. Version 8 of DB2 removed one situation where DB2 GRANT was needed, for DB2 commands.

Plan to use RACF facilities in a similar manner to groups and patterns. The implementation team requires both DB2 and RACF knowledge. If you want a security group to define authorization and provide a centralized security control point, then RACF access control is a match. As you implement RACF, plan to use security access patterns instead of access authorities on individual items.

In the DB2 Administration Guide, the appendix "Writing Exit Routines" has a section titled "Access control authorization exit routine" that includes a subsection titled "Is this exit routine right for you?" This section provides more detailed information on exit routines. You can also view the RACF presentation "Protect Your Assets" through the link in the "Related information" section. The RACF Access Control Module Guide has implementation guidance that can affect your choice. For more information, see the DB2 books and the RACF presentations Web site.


Document Information

Modified date:
16 June 2018

UID

swg21030283