Education
Abstract
IBM Db2 LUW Federation Server can federate to various kinds of data source, such as relational databases, non-relational databases and flat file etc. For relational database, there are different levels of security control and one of them is RCAC (Row and Column Access Control). This article tries to explain what RCAC is and how to configure and enable RCAC with example. And finally this article will explain how RCAC works in federation server and how to federate to the data source with RCAC enabled.
Content
What is RCAC
- Row permission
- A row permission is a database object that expresses a row access control rule for a specific table.
- A row access control rule is an SQL search condition that describes what set of rows a user has access to.
- Column mask
- A column mask is a database object that expresses a column access control rule for a specific column in a table.
- A column access control rule is an SQL CASE expression that describes what column values a user is permitted to see and under what conditions.
- RCAC provides data oriented protection, so no database user is inherently exempted from the row and column access control rules. This means no matter who needs to read data from the protected table the RCAC rules will be examined. Only users with security administrator (SECADM) authority can manage row and column access controls within a database.
- With the data oriented protection, the RCAC applies to all kind of applications, tools etc. which access the table data.
- No application changes are required to take advantage of this additional layer of data security.
For more details of the RCAC please refer to this https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html.
How to setup and enable RCAC
- Create a new database.
- Create table and roles.
CREATE ROLE PCP
GRANT ROLE PCP TO USER DASUSR1
CREATE ROLE PATIENT
GRANT ROLE PATIENT TO USER SESSIONUSER1
-- Create table:
GRANT SELECT, UPDATE ON TABLE PATIENT TO ROLE PCP
GRANT SELECT ON TABLE PATIENT TO ROLE PATIENT
INSERT INTO PATIENT VALUES('123-55-1234', 'MAX', 'Max', 'First Strt', 'hypertension', 89.70,'LEE')
INSERT INTO PATIENT VALUES('123-58-9812', 'MIKE', 'Mike', 'Long Strt', null, 8.30,'JAMES')
INSERT INTO PATIENT VALUES('123-11-9856', 'SAM', 'Sam', 'Big Strt', null, 0.00,'LEE')
INSERT INTO PATIENT VALUES('123-19-1454', 'DUG', 'Dug', 'Good Strt', null, 0.00,'JAMES')
- Create row permission and column masks.
CREATE PERMISSION ROW_ACCESS1 ON PATIENT FOR ROWS WHERE (VERIFY_ROLE_FOR_USER(SESSION_USER,'PATIENT') = 1 AND
CREATE PERMISSION ROW_ACCESS2 ON PATIENT FOR ROWS WHERE (VERIFY_ROLE_FOR_USER(SESSION_USER,'PCP') = 1) ENFORCED FOR
ALTER TABLE PATIENT ACTIVATE ROW ACCESS CONTROL
COLUMN ACCT_BALANCE RETURN
CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER,'PATIENT') = 1
THEN ACCT_BALANCE
WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'PCP') = 1
THEN 1.00
ELSE 0.00
END
ENABLE
ALTER TABLE PATIENT ACTIVATE COLUMN ACCESS CONTROL
----------- ------------------ ---------- --------------- --------------------- ---------------------- ------------------
123-55-1234 MAX Max First Strt hypertension 89.70 LEE
123-58-9812 MIKE Mike Long Strt - 8.30 JAMES
123-11-9856 SAM Sam Big Strt - 0.00 LEE
123-19-1454 DUG Dug Good Strt - 0.00 JAMES
SELECT * FROM DB2INST1.PATIENT
----------- ------------------ ---------- --------------- --------------------- ---------------------- ------------------
----------- ------------------ ---------- --------------- --------------------- ---------------------- ------------------
123-55-1234 MAX Max First Strt hypertension 1.00 LEE
123-58-9812 MIKE Mike Long Strt - 1.00 JAMES
123-11-9856 SAM Sam Big Strt - 1.00 LEE
123-19-1454 DUG Dug Good Strt - 1.00 JAMES
How RCAC impact federation nickname query
CREATE USER MAPPING FOR USER SERVER RCAC_SERVER1 OPTIONS (REMOTE_AUTHID 'SESSIONUSER1', REMOTE_PASSWORD '******')
CREATE NICKNAME NPATIENT FOR RCAC_SERVER1.DB2INST1.PATIENT
SELECT * FROM NPATIENT
----------- ------------------ ---------- --------------- --------------------- ---------------------- ------------------
DROP USER MAPPING FOR USER SERVER RCAC_SERVER1
CREATE USER MAPPING FOR USER SERVER RCAC_SERVER1 OPTIONS (REMOTE_AUTHID 'DASUSR1', REMOTE_PASSWORD 'LANLAN!123')
CREATE NICKNAME NPATIENT2 FOR RCAC_SERVER1.DB2INST1.PATIENT
SELECT * FROM NPATIENT2
----------- ------------------ ---------- --------------- --------------------- ---------------------- ------------------
123-55-1234 MAX Max First Strt hypertension 1.00 LEE
123-58-9812 MIKE Mike Long Strt - 1.00 JAMES
123-11-9856 SAM Sam Big Strt - 1.00 LEE
123-19-1454 DUG Dug Good Strt - 1.00 JAMES
Column name schema Data type name Length Scale Nulls
------------------------------- --------- ------------------- ---------- ----- ------
SSN SYSIBM CHARACTER 11 0 Yes
USERID SYSIBM VARCHAR 18 0 Yes
NAME SYSIBM VARCHAR 128 0 Yes
ADDRESS SYSIBM VARCHAR 128 0 Yes
PHARMACY SYSIBM VARCHAR 250 0 Yes
ACCT_BALANCE SYSIBM DECIMAL 12 2 Yes
PCP_ID SYSIBM VARCHAR 18 0 Yes
Summary
Original Publication Date
09 August 2019
Product Synonym
Db2, DB2 LUW, DB2 LUW BigSQL
Was this topic helpful?
Document Information
Modified date:
09 August 2019
UID
ibm10967077