DB2 for i

IBM DB2 for i Technical Forum - Lima, Peru - May 2016


Row and Column Access Control
A Deeper Look

Mike Cain
Rochester, MN USA

2016 IBM Corporation

Concerns over data security continue to haunt organizations, with the vast majority of global companies indicating they feel vulnerable to data threats.

The worry is justified, according to a new study, as too many organizations focus on compliance ahead of breach prevention and invest in technologies that do not prevent data breaches.

Among the study's findings:

63% of U.S. respondents believe privileged users are the most dangerous insiders, up from 59% last year and almost 2X the number of 2013

Information Management article "Majority of Global Organizations Feel Vulnerable to Data Threats" by David Weldon, February 16, 2016
http://www.information-management.com/news/security/majority-of-global-organizations-feel-vulnerable-to-data-threats-10028266-1.html

is the domain of Business, not IT.

Business defines the rules.

IT implements the rules.


When it comes to the database management system, the job must include two components:

Obvious Best Practices

1. Do not carry the data element(s) unnecessarily
   - Proper relational modeling accomplishes this

2. Protect data element(s) first with object level authority
   - Avoid program, application or menu based security schemes


First Area of Focus

PII - Personally Identifiable Information

(Slide figure: a User accessing an IBM i Table through object level Security)

The Problem

IBM i table security: Access is ALL or NOTHING
- No easy way to restrict access to a specific set of rows or column values
- Government regulations and corporate policies aggressively pushing IT to restrict user/application access to sensitive data

A Solution.

Row and Column Access Control (RCAC)

What is RCAC?

- Additional layer of data security available with DB2
- Complementary to table level security
- Subsetting access to only the required data for a task
- Controls access to a table at the row, column, or both
- Two sets of rules
  - Permissions for rows
  - Masks for columns
- Delivered with IBM Advanced Data Security for i feature
  - No-charge feature
  - Option 47

(Slide callout: "Not treated equally")
Why Use RCAC?

Slide callouts: How can we ensure that managers only see data for their own employees? How can we separate roles? How can we ensure that PII columns are masked out for unauthorized users? (Illustrated with a user with *ALLOBJ access.)

- Currently, data access is restricted with application logic or logical views
  - Users with direct access to DB2 objects can bypass these layers
  - Example: Users with *ALLOBJ authority can still view all data

- DB2 RCAC enables all data access to be controlled at the row/column level
  - Set up rich security policies
  - Prevents security administrators (*ALLOBJ or *SECADM) from accessing all data in a database
  - No dependency on application logic
  - Allows for column data masking
  - Facilitates table level multi-tenancy

Worked example: a table A_SET with 18 rows and a COLOR column, queried by four users (User1 to User4) with

  SELECT * FROM A_SET;

Actual Set (what is stored)
  Row01 RED      Row07 BLUE     Row13 WHITE
  Row02 BLUE     Row08 BLUE     Row14 GREEN
  Row03 BLUE     Row09 GREEN    Row15 WHITE
  Row04 RED      Row10 GREEN    Row16 GREEN
  Row05 GREEN    Row11 GREEN    Row17 GREEN
  Row06 RED      Row12 GREEN    Row18 GREEN

Result Set with a row permission in place (each user sees only its own subset)
  User1: Row02 BLUE, Row03 BLUE, Row07 BLUE, Row08 BLUE
  User2: Row01 RED, Row04 RED, Row06 RED
  User3: Row13 WHITE, Row15 WHITE
  User4: Empty Set

Row Permission (applied by DB2 RCAC)
  WHERE (CURRENT_USER = USER1 AND COLOR = BLUE)
     OR (CURRENT_USER = USER2 AND COLOR = RED)
     OR (CURRENT_USER = USER3 AND COLOR = WHITE)

The effect is the same as if every user had run:
  SELECT * FROM A_SET
  WHERE (CURRENT_USER = USER1 AND COLOR = BLUE)
     OR (CURRENT_USER = USER2 AND COLOR = RED)
     OR (CURRENT_USER = USER3 AND COLOR = WHITE);

Column Mask (applied by DB2 RCAC)
  CASE
    WHEN CURRENT_USER = USER1 THEN '********'
    ELSE COLOR
  END

Result Set for User1 with the column mask only, running SELECT * FROM A_SET ORDER BY COLOR;
  Row02, Row03, Row07, Row08, Row05, Row09, Row10, Row11, Row12, Row14, Row16, Row17, Row18, Row01, Row04, Row06, Row13, Row15 - every COLOR value shown as ********
  (The rows still come back in the order of the real COLOR values, BLUE, GREEN, RED, WHITE: the mask is applied to the returned value, not to the sort.)

The effect is the same as if User1 had run:
  SELECT ROW_NAME,
         CASE WHEN CURRENT_USER = USER1 THEN '********' ELSE COLOR END
  FROM A_SET;

Mask and Permission together: the permission selects the rows, then the mask is applied to the column value
  SELECT ROW_NAME,
         CASE WHEN CURRENT_USER = USER1 THEN '********' ELSE COLOR END   (Mask)
  FROM A_SET
  WHERE (CURRENT_USER = USER1 AND COLOR = BLUE)                           (Permission)
     OR (CURRENT_USER = USER2 AND COLOR = RED)
     OR (CURRENT_USER = USER3 AND COLOR = WHITE);

  User1: Row02 ********, Row03 ********, Row07 ********, Row08 ********
  User3: Row13 WHITE, Row15 WHITE
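The evaluation order the A_SET slides illustrate, written out as a small Python model. This is an added example, not DB2 code and not from the presentation; A_SET is a constructed copy of the slide's data and the function names are assumptions made here.

```python
# Added model of the RCAC evaluation order in the A_SET slides (not DB2 code):
# 1. the row permission decides which rows the user may touch,
# 2. predicates and ORDER BY are evaluated on the real stored values,
# 3. the column mask rewrites the value only on the way out.
from typing import List, Tuple

# Constructed copy of the slide's A_SET: ROW_NAME -> COLOR for Row01..Row18.
_COLORS = ["RED", "BLUE", "BLUE", "RED", "GREEN", "RED", "BLUE", "BLUE", "GREEN",
           "GREEN", "GREEN", "GREEN", "WHITE", "GREEN", "WHITE", "GREEN", "GREEN", "GREEN"]
A_SET: List[Tuple[str, str]] = [(f"Row{i:02d}", c) for i, c in enumerate(_COLORS, 1)]

# Row permission from the slide:
#   WHERE (CURRENT_USER = USER1 AND COLOR = BLUE)
#      OR (CURRENT_USER = USER2 AND COLOR = RED)
#      OR (CURRENT_USER = USER3 AND COLOR = WHITE)
def row_permission(current_user: str, color: str) -> bool:
    allowed = {"USER1": "BLUE", "USER2": "RED", "USER3": "WHITE"}
    return allowed.get(current_user) == color  # USER4 matches nothing: empty set

# Column mask from the slide:
#   CASE WHEN CURRENT_USER = USER1 THEN '********' ELSE COLOR END
def color_mask(current_user: str, color: str) -> str:
    return "********" if current_user == "USER1" else color

def select_a_set(current_user: str, order_by_color: bool = False,
                 permission: bool = True, mask: bool = True) -> List[Tuple[str, str]]:
    """SELECT ROW_NAME, COLOR FROM A_SET [ORDER BY COLOR] as seen by current_user."""
    rows = [r for r in A_SET if not permission or row_permission(current_user, r[1])]
    if order_by_color:
        rows.sort(key=lambda r: r[1])  # stable sort on the REAL colour, before masking
    if mask:
        rows = [(name, color_mask(current_user, color)) for name, color in rows]
    return rows

def masked_order_reveals_colour(current_user: str) -> bool:
    """True when ORDER BY on the masked column returns only '********' values yet the
    rows arrive grouped in real-colour order, as on the User1 ORDER BY COLOR slide.
    A defender should pair a mask with a row permission when that grouping matters."""
    ordered = select_a_set(current_user, order_by_color=True, permission=False)
    real = dict(A_SET)
    seen = [real[name] for name, _ in ordered]
    return all(v == "********" for _, v in ordered) and seen == sorted(seen)

if __name__ == "__main__":
    for user in ("USER1", "USER2", "USER3", "USER4"):
        print(user, select_a_set(user))  # permission + mask, as on the last slide
    print("USER1 masked ORDER BY keeps real order:", masked_order_reveals_colour("USER1"))
```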
IBM Advanced Data Security for i (OS Option 47)

Option 47 must be installed to:
- CREATE PERMISSION and CREATE MASK (RCAC)
- Open a table/file that has RCAC activated

Integration

- RCAC is applied after checking object authorization requirements
- Once passed the object authorization check:
  - Row permissions can limit the set of rows accessed
  - Column masks limit viewing of column data
- RCAC definitions exist within the table object
- When ENABLED & ACTIVATED, RCAC is automatically applied by DB2
- RCAC is comprehensive and applies to any interface (Native RLA, SQL, APIs, Commands, etc.)
- Only users with QIBM_DB_SECADM authority can manage RCAC
  - Separation of roles and responsibilities
RCAC terminology

Base Table: The table (physical file) containing business critical data.

Dependent Object: Any schema, table, function, or other object the permission or mask references.

Permission: Defines a row access control rule for rows in a table by using an SQL search condition or logic that must be passed to access the row. 0 to many permissions allowed per table.

Mask: Defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what values or mask a user is permitted to see and under what conditions. 0 or 1 masks allowed per column.

RULETEXT: Expression to be used by the permission (WHERE clause predicates) or mask (selection CASE expression).

Special registers: similar names, different purposes

Special Register              Definition
SYSTEM_USER                   The authorization ID that initiated the connection is returned.
USER or SESSION_USER          The effective user of the job or thread is returned.
CURRENT USER or CURRENT_USER  The most recently adopted authorization ID within the job or thread will be returned.
                              When no adopted authority has occurred, the effective user of the job or thread is returned.

CURRENT_USER special register + VERIFY_GROUP_FOR_USER

The CURRENT USER special register specifies the primary authorization ID that is being used for statement authorization.

The VERIFY_GROUP_FOR_USER function returns true (1) or false (0) by testing whether the specified user is in the group (i.e. is a member of the group profile).

SELECT CURRENT_USER FROM SYSIBM.SYSDUMMY1;

CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
  CASE
    WHEN (VERIFY_GROUP_FOR_USER(CURRENT_USER,'PAYROLL') = 1)
      THEN SSN
    WHEN (VERIFY_GROUP_FOR_USER(CURRENT_USER,'MGR') = 1)
      THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
    ELSE NULL
  END
ENABLE;

Row and Column Access Control (RCAC)

CREATE PERMISSION <permission name>
  ON <table name>
  FOR ROWS
  WHERE <logic to test user and/or group and/or column value(s)>
  ENFORCED FOR ALL ACCESS
  ENABLE;

ALTER TABLE <table name>
  ACTIVATE ROW ACCESS CONTROL;
Row and Column Access Control (RCAC)

CREATE PERMISSION PATIENT_TABLE_HMO_PERMISSION
  ON HOSPITAL.PATIENT_TABLE
  FOR ROWS
  WHERE ((VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1
          AND HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER)
      OR VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCTGROUP') = 1
      OR VERIFY_GROUP_FOR_USER(SESSION_USER,'RESGROUP') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

ALTER TABLE HOSPITAL.PATIENT_TABLE
  ACTIVATE ROW ACCESS CONTROL;
Row and Column Access Control (RCAC)

CREATE MASK <mask name>
  ON <table name>
  FOR COLUMN <column name> RETURN
  CASE
    <logic to test user and/or group and/or column value(s)>
    <logic to mask or return column value>
  END
  ENABLE;

ALTER TABLE <table name>
  ACTIVATE COLUMN ACCESS CONTROL;

Row and Column Access Control (RCAC)

CREATE MASK SSN_MASK
  ON EMPLOYEE
  FOR COLUMN SSN RETURN
  CASE
    WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1)
      THEN SSN
    WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1)
      THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
    ELSE NULL
  END
  ENABLE;

ALTER TABLE EMPLOYEE
  ACTIVATE COLUMN ACCESS CONTROL;
Determine if RCAC is defined and enabled for a table or file

- DSPOBJAUT command (only appears if you have QIBM_DB_SECADM)
- Query the new QSYS2/SYSCONTROLS catalog
- IBM i Navigator
  - Column Mask / Row Permission under Schemas
  - Right click on table, then Definition

Save/Restore with RCAC

- Tables which contain enabled RCAC permissions or masks can be saved, and can be restored regardless of whether option 47 is installed
- However, if the option is not installed, permissions and masks cannot be created, and tables, views, or indexes which contain active permissions or masks cannot be accessed
- Cannot save with previous release option

RCAC and Triggers

- Triggers are used for data-centric processing to extend a transaction
- RCAC controls are used for securing business critical data
- Enabled row permissions and column masks are not applied to the initial values of transition variables or to transition tables referenced in the trigger body
  - The trigger program has access to unprotected data

Secure triggers for row and column access control:
- To balance the needs of integrity and security, the trigger must be created or altered to have the SECURED attribute
- If a trigger is not secure, RCAC cannot be activated for the target table
  > ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL

RCAC and Functions

- Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic
- This additional capability adds a level of complexity for the security administrator, because the function must be reviewed and approved

Secure functions referenced by row and column access control:
- To balance the need for complex rule logic and security, the function must be created or altered to have the SECURED attribute
- If a function is not secure, the permission or mask cannot be enabled
  > ALTER PERMISSION employee_perm1 ENABLE

Generate SQL and RCAC definitions

- If running with the latest Navigator client, a new option is checked by default: Associated row and column access controls
- When used, the associated RCAC SQL statements are generated along with the table creation statements
- RCAC definitions can be reverse engineered
- RCAC definitions cannot be altered

RCAC Restrictions

All data access interfaces and methods are subject to RCAC

Opening a file with RCAC enabled involving any of the following is not allowed (generic failure preceded by a CPD43A4 diagnostic):
- A logical file with multiple formats if the open attempt is for more than one format
- A distributed file
- A file with read triggers
- A program described file
- A file or query that specifies an ICU 2.6.1 sort sequence

Using SQL to query an RCAC enabled table involving any of the following is not allowed (SQLCODE -20478, aka SQ20478):
- A distributed table
- A table with read triggers
- A table or query that specifies an ICU 2.6.1 sort sequence
- A query involving more than 1000 unique partitions or members for a read only open (or more than 256 when open for update)

Education and consulting resources:

Step 1: RCAC Redpaper
http://www.redbooks.ibm.com/redpieces/pdfs/redp5110.pdf

Step 2: DB2 for i Row and Column Access Control Consulting Workshop
contact Mike Cain, mcain@us.ibm.com

Questions?