Mike Cain
Rochester, MN USA
63% of U.S. respondents believe privileged users are the most dangerous insiders,
up from 59% last year and almost 2X the number of 2013
Source: David Weldon, "Majority of Global Organizations Feel Vulnerable to Data Threats", Information Management, February 16, 2016
http://www.information-management.com/news/security/majority-of-global-organizations-feel-vulnerable-to-data-threats-10028266-1.html
Diagram: a user accessing an IBM i table directly, and the same access with a Security layer placed between the user and the IBM i table. A solution.
What is RCAC?
- An additional layer of data security, available with DB2 for i
- Complementary to table-level security
- Users are not treated equally
Row permission example

Actual set (every row in the base table):
Row01 RED
Row02 BLUE
Row03 BLUE
Row04 RED
Row05 GREEN
Row06 RED
Row07 BLUE
Row08 BLUE
Row09 GREEN
Row10 GREEN
Row11 GREEN
Row12 GREEN
Row13 WHITE
Row14 GREEN
Row15 WHITE
Row16 GREEN
Row17 GREEN
Row18 GREEN

Row permission (applied by DB2 RCAC to every access):
WHERE (CURRENT_USER = 'USER1' AND COLOR = 'BLUE')
   OR (CURRENT_USER = 'USER2' AND COLOR = 'RED')
   OR (CURRENT_USER = 'USER3' AND COLOR = 'WHITE')

Result set seen by USER1 (only the BLUE rows of the actual set):
Row02 BLUE
Row03 BLUE
Row07 BLUE
Row08 BLUE

© 2016 IBM Corporation
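The color diagram above as DB2 for i SQL that can be run end to end. This is an added example, not code from the original slides: the table COLORS, its columns ROW_ID and COLOR, the permission name COLORS_BY_USER, the user profile names USER1..USER4 and the inserted rows are all assumed for illustration.

```sql
-- Added example (not from the original slides). All object names are assumed.
CREATE TABLE COLORS (
  ROW_ID  CHAR(5)     NOT NULL PRIMARY KEY,
  COLOR   VARCHAR(10) NOT NULL
);

-- Constructed sample rows, matching the "Actual Set" in the diagram.
INSERT INTO COLORS (ROW_ID, COLOR) VALUES
  ('Row01','RED'),   ('Row02','BLUE'),  ('Row03','BLUE'),  ('Row04','RED'),
  ('Row05','GREEN'), ('Row06','RED'),   ('Row07','BLUE'),  ('Row08','BLUE'),
  ('Row09','GREEN'), ('Row10','GREEN'), ('Row11','GREEN'), ('Row12','GREEN'),
  ('Row13','WHITE'), ('Row14','GREEN'), ('Row15','WHITE'), ('Row16','GREEN'),
  ('Row17','GREEN'), ('Row18','GREEN');

-- Row permission: each user profile may touch only rows of "its" colour.
-- CURRENT_USER follows adopted authority; use SESSION_USER instead if the rule
-- should follow the signed-on user even while a program adopts authority.
CREATE PERMISSION COLORS_BY_USER ON COLORS
  FOR ROWS
  WHERE (CURRENT_USER = 'USER1' AND COLOR = 'BLUE')
     OR (CURRENT_USER = 'USER2' AND COLOR = 'RED')
     OR (CURRENT_USER = 'USER3' AND COLOR = 'WHITE')
  ENFORCED FOR ALL ACCESS      -- SELECT, UPDATE and DELETE are all filtered
  ENABLE;

-- Nothing is enforced until row access control is activated on the table.
-- After activation, DB2 adds a default permission that denies every row not
-- matched by an enabled permission, and the rules apply to *ALLOBJ users too.
ALTER TABLE COLORS ACTIVATE ROW ACCESS CONTROL;

-- Run as USER1: returns Row02, Row03, Row07, Row08 (the BLUE rows) and nothing else.
-- Run as USER4 (named in no permission): returns 0 rows.
SELECT ROW_ID, COLOR FROM COLORS ORDER BY ROW_ID;

-- Writes are filtered the same way. As USER1 this deletes 0 rows: the RED rows
-- are outside USER1's permission, so the statement never sees them.
DELETE FROM COLORS WHERE COLOR = 'RED';
```

ENFORCED FOR ALL ACCESS also means an INSERT or UPDATE that would produce a row the current user could not read back is rejected rather than silently stored; test that path as each profile before relying on the rule.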
Integration
Base Table: the table (physical file) containing business-critical data.
CURRENT USER / CURRENT_USER: returns the most recently adopted authorization ID within the job or thread. When no adopted authority has occurred, the effective user of the job or thread is returned.
Row permission syntax:
CREATE PERMISSION <permission name>
ON <table name>
FOR ROWS
WHERE <logic to test user and/or group and/or column value(s)>
ENFORCED FOR ALL ACCESS
ENABLE;
Row permission example (a patient row is visible to the patient's primary care physician, to the accounting group, or to the research group):
CREATE PERMISSION PATIENT_ROW_ACCESS   -- permission name assumed; not on the original slide
ON HOSPITAL.PATIENT_TABLE
FOR ROWS
WHERE ((VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1
        AND HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER)
   OR VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCTGROUP') = 1
   OR VERIFY_GROUP_FOR_USER(SESSION_USER,'RESGROUP') = 1)
ENFORCED FOR ALL ACCESS
ENABLE;
Column mask syntax:
CREATE MASK <mask name>
ON <table name>
FOR COLUMN <column name>
RETURN
  CASE
    <logic to test user and/or group and/or column value(s)>
    <logic to mask or return column value>
  END
ENABLE;
Column mask example (payroll sees the full SSN, managers see only the last four digits, everyone else sees NULL):
CREATE MASK SSN_MASK   -- mask name assumed; not on the original slide
ON EMPLOYEE
FOR COLUMN SSN
RETURN
  CASE
    WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1)
      THEN SSN
    WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1)
      THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
    ELSE NULL
  END
ENABLE;
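The SSN mask carried through with the table it needs, plus the check a practitioner should run once it is active. This is an added example, not code from the original slides; the EMPLOYEE table definition, the fictitious rows, the mask name SSN_MASK and the group profile names PAYROLL and MGR are assumed.

```sql
-- Added example (not from the original slides). Table layout and names are assumed.
CREATE TABLE EMPLOYEE (
  EMPNO  CHAR(6)     NOT NULL PRIMARY KEY,
  NAME   VARCHAR(30) NOT NULL,
  SSN    CHAR(11)    NOT NULL,     -- stored formatted as NNN-NN-NNNN
  DEPT   CHAR(3)     NOT NULL
);

-- Constructed sample rows with made-up values.
INSERT INTO EMPLOYEE (EMPNO, NAME, SSN, DEPT) VALUES
  ('000010', 'Ann Example', '123-45-6789', 'A01'),
  ('000020', 'Bob Sample',  '987-65-4321', 'A01');

-- The mask from the slide. VERIFY_GROUP_FOR_USER returns 1 when the user is a
-- member of the named group profile (or is that profile).
CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
        THEN SSN                                  -- full value
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
        THEN 'XXX-XX-' CONCAT SUBSTR(SSN, 8, 4)   -- positions 8-11: the last four digits
      ELSE NULL                                   -- everyone else sees nothing
    END
  ENABLE;

-- Masks, like permissions, do nothing until access control is activated.
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- One query, three results depending on group membership of the session user:
--   PAYROLL member -> 123-45-6789    MGR member -> XXX-XX-6789    anyone else -> NULL
SELECT EMPNO, NAME, SSN FROM EMPLOYEE WHERE EMPNO = '000010';

-- Caveat to verify on your own system: a column mask rewrites the value in the
-- select list only. Predicates, ORDER BY and GROUP BY operate on the real stored
-- value, so a user who sees NULL above can still confirm a guess:
SELECT COUNT(*) FROM EMPLOYEE WHERE SSN = '123-45-6789';   -- 1 for every user
SELECT EMPNO FROM EMPLOYEE ORDER BY SSN;                    -- ordering leaks too
```

If the column must not be probeable at all, do not rely on a mask alone: pair it with a row permission that keeps the rows out of reach of the users who must not learn the value, and review which groups hold *ALLOBJ, since RCAC rules apply to them but object-level authority does not stop them from reading the base table through other interfaces that RCAC does not govern.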
Restrictions
- If a trigger on the target table is not SECURED, RCAC cannot be activated for that table.
- Using SQL to query an RCAC-enabled table is not allowed when the query involves any of the following:
  - a distributed table
  - a table with read triggers
  - a table or query that specifies an ICU 2.6.1 sort sequence
  - more than 1000 unique partitions or members for a read-only open (or more than 256 when opened for update)
- Such a query fails with SQLCODE -20478 (also written SQ20478).
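What the trigger restriction means in practice, as an added example that is not from the original slides. It assumes the EMPLOYEE table from the mask example, an audit table EMPLOYEE_AUDIT_LOG, a trigger named EMPLOYEE_AUDIT and a hypothetical user-defined function IS_ON_CALL referenced by a permission rule; every one of those names is assumed.

```sql
-- Added example (not from the original slides). All object names are assumed.

-- 1. Every trigger on the table must be SECURED before RCAC can be activated.
--    SECURED is an assertion by the security administrator that the trigger body
--    cannot leak or alter data in a way that bypasses the permissions and masks.
--    For a new trigger, declare it in the definition:
CREATE TRIGGER EMPLOYEE_AUDIT
  AFTER UPDATE OF SSN ON EMPLOYEE
  REFERENCING NEW AS N
  FOR EACH ROW MODE DB2ROW
  SECURED
  INSERT INTO EMPLOYEE_AUDIT_LOG (EMPNO, CHANGED_BY, CHANGED_AT)
    VALUES (N.EMPNO, SESSION_USER, CURRENT TIMESTAMP);

--    For a trigger that already exists, mark it after review:
ALTER TRIGGER EMPLOYEE_AUDIT SECURED;

-- 2. A user-defined function referenced from a permission or mask must be
--    SECURED as well (IS_ON_CALL is a hypothetical UDF taking one VARCHAR(128)).
ALTER FUNCTION IS_ON_CALL(VARCHAR(128)) SECURED;

-- 3. Now activation succeeds.
ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- 4. Confirm what is actually in force. QSYS2.SYSCONTROLS lists every row
--    permission and column mask, its rule text and whether it is enabled
--    (check the column names against the SYSCONTROLS reference for your release).
SELECT * FROM QSYS2.SYSCONTROLS WHERE TABLE_NAME = 'EMPLOYEE';
```

Treat SECURED as a code-review decision, not a switch: a trigger or UDF marked SECURED runs with the unmasked, unfiltered row, so its body is part of the trusted computing base for the RCAC policy.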
DB2 for i Row and Column Access Control Consulting Workshop
contact Mike Cain mcain@us.ibm.com