Setting metadata store access permissions

Permission hierarchy of DBB objects

Users set access permissions on the metadata store high-level objects that are stored in the DBB database. These permissions also control the access permissions of the enclosed objects. The hierarchy is as follows:

High-level object Enclosed objects
Collection Logical files
Build result Attachments
Build reports
Properties

Setting access permissions to DBB objects

Three fields on a DBB high-level object can be used to control access permissions to DBB objects: Owner, Team, and Permission. Use these fields when you create or modify high-level objects in the database.

Field Explanation
Owner The owner of the object. Ownership of a DBB object defaults to the user who creates the object.
Team A team is a RACF group that is used to assign authority rights to groups of users. The team field defaults to null or empty, meaning that no team is assigned.
Permission The three levels of read/write access to the object. You set authority by using a three-digit octal number.
  • The first octal digit represents the authority that is granted to the owner.
  • The second octal digit represents the authority that is granted to the team.
  • The third octal digit represents the authority for everyone else.
Each digit can have the following values: 2 means write access, 4 means read access, and 6 means read and write access.
The default permission is 0664, meaning that the owner has read and write permission, the team has read and write permission, and other users have read permission.
NOTE: In Java™ or Groovy, octal constants are represented with a leading zero (0664). The permission bit pattern is validated against 0666. If any permission bit is set outside of this bit pattern, the build will fail.

Granting roles to users

You must assign one of the following roles to each DBB user by connecting individual users or groups to the listed RACF groups. These three roles are defined by DBB to control user authority to read and write DBB objects.

Role
(RACF group)		 Access permission
DBBADMNS Has full control and authority over all DBB objects regardless of access permissions settings. See Setting access permissions to DBB objects.
DBBUSERS Has authority over DBB objects based on object's settings of owner, team, and permission.
Example:
If user A matches the owner field set for a DBB object, the user is granted authority to the object according to the first octal digit of the permission field that is set for the object.
Otherwise, if the user belongs to a team, that is, a RACF group, the user's authority to a DBB object is evaluated based on two fields set for the object: the team field and the second octal digit of the permission field. Only if the user is connected to the RACF group listed in the team field for the object, the second permission digit applies to this user.
If the user is not the owner or a member of the team (or team is not set), then the third permission digit applies.
DBBGUEST Only has authority to read DBB objects if the third octal digit of the permission setting for the object has read enabled.

Defining DBB RACF groups

For DBB to recognize a user's connection to a RACF group, the group must have an OMVS group ID. When you define the default DBB RACF groups from the table above or when you define your own groups for the DBB user roles (see Mapping RACF groups to roles), you must include an OMVS group ID on the group definition. For example:

ADDGROUP DBBADMNS OMVS(GID(<group id>))

Once the group is defined, the user must be connected to the group.

CONNECT <admin user> GROUP(DBBADMNS)

See the sample jcl, /usr/lpp/IBM/dbb/conf/BGZRACF.jcl, for how to create groups and connect members.

Mapping RACF groups to roles

DBB has three roles: DBBADMNS, DBBUSERS, and DBBGUEST. In DBB 2.0, DBB required that RACF groups that matched the role names were defined. In DBB 2.0.1 and later, a database mapping table can be used to map one or more existing RACF groups to a DBB role. By default, the mapping is one to one and the role equals the RACF group to maintain consistency with DBB 2.0. These mappings can be replaced and others can be added as necessary.

NOTE: All the users that run DBB scripts that access the Db2 metadata store should only be granted SELECT authority to the DBB_ROLE_MAPPING table to maintain integrity of the mapping. Administrators that add and remove roles to RACF mappings should be granted DELETE, INSERT, SELECT, UPDATE authority to the DBB_ROLE_MAPPING table.

Use the following command to add a DBB role to RACF mappings. Each row in the table represents a mapping and there can be more than one mapping per role. The DBB_ROLE column must be one of the DBB roles: DBBADMNS, DBBUSERS, and DBBGUEST. Any other value will be ignored.

SET SCHEMA DBBZ; 
INSERT INTO DBB_ROLE_MAPPING (DBB_ROLE, RACF_GROUP)
  VALUES ('DBBADMNS', '<racfgroup>');

Database user versus DBB user

Access to the data in the DBB database can be controlled in two ways:

  • Database user: Access for connecting to the DBB database, which is typically associated with a technical user ID (that is, a generic account for technical purposes that is not tied to a specific user). This is configured by using Db2 user IDs and by granting users access to the database tables.
  • DBB user: Access for running DBB APIs and accessing DBB metadata information, which can be associated with a technical user ID, as well as with developers’ user IDs. This is configured by using DBB roles and permissions.

The database connection user ID and the DBB user ID can be the same user ID or can be different. In some cases, the same user ID can be used, for instance, if the technical user ID that connects to the Db2 metadata store is the same as the user ID that runs the CI/CD pipeline.

If a shared user ID is used for the database connection, each DBB user uses the same database user ID to connect to the database, and the database operations will be performed by using that shared user ID and its database permissions. If each user uses their own user ID for the database connection, then each user must be granted authority to read/write to the database depending on their role. In either case, the DBB roles and permissions will apply to the DBB user that is running the DBB script or DBB CLI.

Database connection

For the database connection, you must configure properties to log in to the database. The user ID that is used for the database connection must be granted permission to the database tables. Before DBB 2.0, DBB used a database connection through a Liberty server configuration. This generally meant using a Db2 instance ID or a technical user ID to connect to the database.

From DBB 2.0 onwards, you can continue to use Db2 instance or technical IDs to connect to the database and share this database connection user with additional users or you can require that each user connect to the database. For this second solution, you must grant each user access to the database tables depending on their need such that administrators and pipeline users have read and write access, while a developer role is limited to at least read access. Each user must also create a password file for their own password. If you use only Db2 instance and technical IDs, only the instance and technical IDs must be granted read and write access to the tables.

DBB users and roles

Regardless of the user ID used for the Db2 connection, each user ID that runs a script through the DBB API or the CLI and that accesses the DBB metadata store through the Db2 metadata store implementation must have a DBB role assigned. This is performed by connecting the user ID to the DBB RACF groups (See Granting roles to users).

If a user ID is not assigned a role, the following error is raised:
Caught: com.ibm.dbb.build.BuildException: com.ibm.dbb.build.BuildException: BGZTK0148E User, DBBUSER1, is not assigned a defined DBB Role.

Users that must maintain the pipelines, builds, and are developing scripts for the pipelines may need to have DBBADMNS role so they can determine pipeline integrity or diagnose issues with the pipeline and communicate with customer support.

The service accounts that are used to run pipeline builds should be connected to the DBBUSERS role. End users, like developers with a need to browse the collections or the build history, should have only read access provided through the DBBGUEST role.

DBB team attribute

Additional to the DBB role assignment, the DBB team attribute of the metadata store high-level objects provides a way to maintain control and authority on each collection and build result.

For example, project A collections and build results have the team attribute set to TEAM_A. Project B collections and build results have the team attribute set to TEAM_B.

If a user works on project A and should only have access to the data in this context, this user can be assigned the DBBUSERS role and at the same time be connected to RACF group TEAM_A. In this way, the user is limited to seeing only collections and build results that are related to project A.

If a user works on both projects A and B, this user can be connected to both RACF groups TEAM_A and TEAM_B and be assigned the DBBUSERS role.