
RACF DB2 migration tool using RXSQL

This utility converts the contents of the SYSIBM.SYSxxxAUTH tables to equivalent RACF profiles. The RACF profiles are used in conjunction with the RACF-provided DB2 Access Control Exit.

In order to run the utility, you must have SELECT authority to every SYSIBM.SYSxxxAUTH table. In order to execute the CLIST generated by the utility you must have either:

  • the SPECIAL attribute, or
  • Class Authority (CLAUTH) to all applicable classes AND you must be the OWNER of the new profiles or the OWNER must be within the scope of a group to which you have Group-Special.

The utility requires that RXSQL be installed. RXSQL is a licensed product of IBM and is an add-on for REXX/TSO. RXSQL contains a plan which must be bound to the DB2 subsystem. The default name for this plan is RXSQL. If the plan is bound under a different name, you must update the RXSADM and RXSRES execs, changing the line RXSQL_DB2PLAN = 'RXSQL' to the name under which the plan was bound.

The utility consists of one exec and one set of JCL, both members of this dataset: the JCL is member JCL and the exec is member RACFDB2. The exec writes the generated RACF commands to the datasets allocated in the JCL by the DD statements CLIST and OPTCLST. The JCL contains example DD statements for both cases, the output datasets already existing or needing to be created; you must comment out the pair that does not apply.

The utility does not execute any RACF commands; it only generates them and writes them to the CLIST and OPTCLST DD names. Review the generated commands before running them.

The utility operates by:

  1. Finding all privileges and resources that must be protected and generating an RDEF command for each. AUDIT(ALL(READ)) is added to every RDEF for a DB2 administrative authority.
  2. Determining whether a privilege or resource was granted to PUBLIC and, if so, generating the profile with UACC(READ) instead of UACC(NONE). Note that the utility does not check whether PUBLIC was granted the privilege WITH GRANT OPTION; such a grant is treated like any other PUBLIC grant.
  3. Determining all authorization IDs that hold the privilege without the GRANT option and generating a PERMIT with ACCESS(READ) for each.
  4. Determining all authorization IDs that hold the privilege with the GRANT option and generating a PERMIT with ACCESS(ALTER) for each. Since the generated profiles are discrete, ALTER access on the profile lets the holder PERMIT others to it, which is the RACF equivalent of being able to grant the privilege. (ALTER on a generic profile does not confer this ability, so this mapping only holds as long as the profiles remain discrete.)

The utility does NOT use the grouping classes. We recommend that you evaluate combining profiles into grouping profiles to ease administration. However, we could not find an algorithm with which the utility could make that decision. We considered combining profiles whose current GRANTs were identical, but decided that they may not stay identical: one organization may grant SYSCTRL and SYSOPR to the same user IDs while another does not. Nor is it clear what profile name the utility should generate if it did combine SYSCTRL and SYSOPR.

The OPTCLST is optional. DB2 does not pass the database name when it invokes the DB2 external security module for DROP INDEX and ALTER INDEX. The external security module therefore cannot use the normal naming convention to determine whether an authorization ID may DROP an index by virtue of DBADM on the index's database. Instead, the external security module checks a DBADM profile with no database qualifier. The RACFDB2 conversion utility had two options:

  1. Make no allowance for DROP/ALTER INDEX
  2. Allow every user with DBADM on any database to have access to the unqualified DBADM used only for DROP/ALTER INDEX.

The RACFDB2 conversion utility generates the commands that give each DBADM holder access to the unqualified DBADM profile, but places them in OPTCLST rather than CLIST, so the converting site can decide whether to execute them. We recommend executing them; without them, a user whose DBADM authority came from DB2 will be denied DROP INDEX and ALTER INDEX once the exit is active.
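The following is an added example, written for this page and not taken from the RACFDB2 exec, showing the four conversion steps above and the OPTCLST handling applied to a few constructed catalog rows. Instead of reading SYSIBM.SYSUSERAUTH and SYSIBM.SYSDBAUTH through RXSQL, it takes rows as Python dictionaries. The class names DSNADM and MDSNDB, the subsystem.[database.]authority profile layout with DSN as the subsystem prefix, the SYSxxxAUTH column names, the 'Y' (granted) and 'G' (granted WITH GRANT OPTION) column values, and the choice to give READ on the unqualified DBADM profile are all assumptions of the example.

```python
"""Generate RACF commands from DB2 catalog authorization rows.

Added example; not the RACFDB2 exec. Assumptions: DSNADM/MDSNDB class names,
subsystem.[database.]authority profile layout, SYSxxxAUTH column names, and
'Y' (granted) / 'G' (granted WITH GRANT OPTION) as the catalog encoding."""
from collections import OrderedDict

SUBSYS = "DSN"  # assumed DB2 subsystem name used as the profile prefix

# catalog column -> DB2 authority or privilege name (assumed column names)
USERAUTH_ADMIN = {"SYSADMAUTH": "SYSADM", "SYSCTRLAUTH": "SYSCTRL", "SYSOPRAUTH": "SYSOPR"}
DBAUTH_ADMIN = {"DBADMAUTH": "DBADM", "DBCTRLAUTH": "DBCTRL", "DBMAINTAUTH": "DBMAINT"}
DBAUTH_PRIVS = {"CREATETABAUTH": "CREATETAB", "DROPAUTH": "DROP"}


def _add_grant(profiles, cls, name, audit, grantee, value):
    """Record one catalog grant against a (class, profile) entry."""
    if value not in ("Y", "G"):
        return
    entry = profiles.setdefault((cls, name), {"uacc": "NONE", "audit": audit, "permits": []})
    grantee = grantee.strip()
    if grantee == "PUBLIC":
        # Step 2: a PUBLIC grant becomes UACC(READ). WITH GRANT OPTION on PUBLIC
        # is not checked, so 'G' is handled exactly like 'Y' here.
        entry["uacc"] = "READ"
    else:
        # Steps 3 and 4: plain grant -> READ, WITH GRANT OPTION -> ALTER
        # (ALTER on a discrete profile lets the holder PERMIT others).
        entry["permits"].append((grantee, "ALTER" if value == "G" else "READ"))


def _emit(profiles):
    """RDEFINE each profile first, then the PERMITs that depend on it."""
    out = []
    for (cls, name), e in profiles.items():
        cmd = f"RDEFINE {cls} {name} UACC({e['uacc']})"
        if e["audit"]:
            cmd += " AUDIT(ALL(READ))"  # step 1: administrative authorities are audited
        out.append(cmd)
        for grantee, access in e["permits"]:
            out.append(f"PERMIT {name} CLASS({cls}) ID({grantee}) ACCESS({access})")
    return out


def convert(userauth_rows, dbauth_rows, subsys=SUBSYS):
    """Return (clist, optclst): command lines for the CLIST and OPTCLST DD names."""
    profiles = OrderedDict()     # written to CLIST
    unqualified = OrderedDict()  # written to OPTCLST: database-less DBADM for DROP/ALTER INDEX
    for r in userauth_rows:
        for col, auth in USERAUTH_ADMIN.items():
            _add_grant(profiles, "DSNADM", f"{subsys}.{auth}", True, r["GRANTEE"], r.get(col, " "))
    for r in dbauth_rows:
        db = r["NAME"].strip()
        for col, auth in DBAUTH_ADMIN.items():
            _add_grant(profiles, "DSNADM", f"{subsys}.{db}.{auth}", True, r["GRANTEE"], r.get(col, " "))
        # Every DBADM holder also gets the unqualified DBADM profile. The example gives
        # READ regardless of the GRANT option, since this profile only backs DROP/ALTER INDEX,
        # and keeps the RDEFINE for it in OPTCLST so that OPTCLST can run on its own.
        if r.get("DBADMAUTH", " ") in ("Y", "G"):
            _add_grant(unqualified, "DSNADM", f"{subsys}.DBADM", True, r["GRANTEE"], "Y")
        for col, priv in DBAUTH_PRIVS.items():
            _add_grant(profiles, "MDSNDB", f"{subsys}.{db}.{priv}", False, r["GRANTEE"], r.get(col, " "))
    return _emit(profiles), _emit(unqualified)


# Constructed sample rows standing in for SELECT output from the two catalog tables.
SAMPLE_USERAUTH = [
    {"GRANTEE": "DBA1", "SYSADMAUTH": "G"},
    {"GRANTEE": "OPER1", "SYSOPRAUTH": "Y"},
    {"GRANTEE": "PUBLIC", "SYSOPRAUTH": "Y"},
]
SAMPLE_DBAUTH = [
    {"GRANTEE": "APPDBA", "NAME": "DSNDB04", "DBADMAUTH": "G", "CREATETABAUTH": "Y"},
    {"GRANTEE": "DEV1", "NAME": "DSNDB04", "CREATETABAUTH": "Y"},
    {"GRANTEE": "PUBLIC", "NAME": "TESTDB", "CREATETABAUTH": "Y"},
]


def example():
    """Run the conversion over the constructed rows."""
    return convert(SAMPLE_USERAUTH, SAMPLE_DBAUTH)


if __name__ == "__main__":
    clist, optclst = example()
    print("\n".join(["* CLIST"] + clist + ["* OPTCLST"] + optclst))
```

The sample run produces ten CLIST lines and two OPTCLST lines. DBA1's SYSADM WITH GRANT OPTION becomes PERMIT ... ACCESS(ALTER) on DSN.SYSADM, the PUBLIC SYSOPR grant becomes RDEFINE DSNADM DSN.SYSOPR UACC(READ) AUDIT(ALL(READ)) with no PERMIT, and APPDBA's DBADM on DSNDB04 yields both the qualified DSN.DSNDB04.DBADM profile in CLIST and a READ PERMIT on the unqualified DSN.DBADM profile in OPTCLST. Note that each RDEFINE is emitted before the PERMITs that reference it, since RACF rejects a PERMIT against a profile that does not yet exist.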

The RACFDB2 conversion utility using RXSQL can be downloaded either with your browser or by anonymous file transfer protocol (ftp). From your browser, select "File" and then "Save as". For anonymous ftp, use the site ftp.software.ibm.com; the utility is in the directory /eserver/zseries/zos/racf/racfdb2/ with the file name racfdb2r.xmitbin.

We welcome your comments and questions on the RACFDB2 Utility. Please direct them to the RACF-L mailing list. Subscription information for RACF-L can be found from the RACF Discussion List page.

Disclaimers

This program contains code made available by IBM Corporation on an "AS-IS" basis. Anyone receiving this program is considered to be licensed under IBM copyrights to use the IBM-provided code in any way he or she deems fit, including copying it and redistributing it, except that it may be neither sold nor incorporated within a product that is sold. No license under any IBM patents or patent applications is to be implied from this copyright license.

The software is provided "as-is", and IBM disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability or fitness for a particular purpose.


This page was last updated November 2003.