A fix is available
APAR status
Closed as program error.
Error description
Currently, if a user sets 'GRANT on DB2 Catalog Tables' in Tools Customizer to 'Y', and specifies the grantees, then these grantees (including PUBLIC) are granted SELECT access to all Db2 Catalog Tables, including those which contain records of privileges (such as SYSIBM.SYS*AUTH), and those which might contain userid and password details (such as SYSIBM.USERNAMES). This APAR allows the GRANTS to these two types of tables to be given to a different list of userids (and so not to include PUBLIC) by adding the following two parameters to the TCz Product Parameters and Db2 Subsystem panels: GRANT SELECT on xxxAUTH tables to _________________ (list of authids, blank, or PUBLIC) GRANT ALL on the CDB tables to . . . . _________________ (list of authids or blank) Also, for clarity, the existing parameter (which now follows the two new ones), has been updated to read as follows: GRANT SELECT ON remaining tables TO . . ______________
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: Users of DB2 Administration Tool for z/OS * * and IBM Tools Customizer for z/OS. * **************************************************************** * PROBLEM DESCRIPTION: Tools Customizer generated job template * * ADBSETUP shows 'GRANT SELECT ON * * TABLE SYSIBM.USERNAMES TO PUBLIC', * * which is not recommended for CDB * * tables, due to sensitive information * * they contain, such as account IDs and * * password details. * **************************************************************** Add two Tools Customization parameters to better manage GRANT SELECT ON TABLE SYSIBM.xxxAUTH and CDB tables (e.g., SYSIBM.USERNAMES) referenced in generated job template ADBSETUP: GRANT ALL ON CDB tables TO . . . . . . . ______________ GRANT SELECT ON xxxAUTH tables TO . . . __________
Problem conclusion
Problem has been resolved.
Temporary fix
Comments
APAR Information
APAR number
PH11845
Reported component name
DB2 ADMIN TOOL
Reported component ID
568851500
Reported release
C10
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-05-07
Closed date
2019-08-08
Last modified date
2019-09-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI64658
Modules/Macros
ADB$$PRM ADB2CUST ADBCUST ADBSETUP
Fix information
Fixed component name
DB2 ADMIN TOOL
Fixed component ID
568851500
Applicable component levels
RC10 PSY UI64658
UP19/08/10 P F908
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCVQTD","label":"IBM Db2 Administration Tool for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.1.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Document Information
Modified date:
01 September 2019