RACF DB2 migration tool

The RACF/DB2 migration tool converts the contents of the SYSIBM.SYSxxxAUTH tables to equivalent RACF profiles. These RACF profiles are the profiles that are used with the RACF/DB2 External Security Module, which is intended for use as the DB2 Access Control Exit.

Users of this utility must have SELECT authority to every SYSIBM.SYSxxxAUTH table. In order to execute the CLIST generated by the utility you must have either:

The utility contains one EXEC, one set of JCL, and one documentation file. The utility does not execute any RACF commands; it only generates them and writes them to a CLIST, which you review and run separately.

The utility operates by:

  1. Finding all privileges or resources which must be protected and generating RDEF commands for them. Note that AUDIT(ALL(READ)) is generated for all commands from RSXADM.
  2. Determining whether the privileges or resources were granted to PUBLIC and, if so, setting the UACC to READ. Note that the utility does not check for PUBLIC being granted WITH GRANT OPTION; such a grant is treated the same as an ordinary grant to PUBLIC.
  3. Determining all authorization IDs that hold the privilege without the GRANT option and generating a PERMIT with ACCESS(READ).
  4. Determining all authorization IDs that hold the privilege with the GRANT option and generating a PERMIT with ACCESS(ALTER). Since the generated profiles are generally discrete, ALTER access to a discrete profile lets the holder change its access list, which is the RACF equivalent of being able to 'grant' others the privilege.

The utility does NOT use the grouping classes. We recommend that you evaluate the possibility of combining profiles into grouping profiles to ease administration. However, we could not determine any algorithm for the utility to use in making that evaluation. We considered combining profiles whose current GRANTs were identical, but decided that they may not remain identical: while one organization would grant SYSCTL and SYSOPR to the same user IDs, another may not. And what profile name would the utility generate if it did combine SYSCTL and SYSOPR?

The OPTCLST is optional. DB2 does not provide the database name when invoking the DB2 external security module for DROP INDEX and ALTER INDEX. The external security module therefore cannot use the normal naming convention to determine whether an authorization ID has the ability to DROP an index by virtue of DBADM on the index's database. Instead, the external security module checks a DBADM profile with no database qualifier. The RACFDB2 Conversion utility had two options:

  1. Make no allowance for DROP/ALTER INDEX
  2. Allow every user with DBADM on any database to have access to the unqualified DBADM used only for DROP/ALTER INDEX.

The RACFDB2 Conversion Utility generates the commands to grant each DBADM holder access to the unqualified DBADM profile, but places them in OPTCLST rather than CLIST, so the converting site can decide whether to execute them. We recommend executing them; otherwise any DBADM holder who could previously DROP or ALTER an index in their database will lose that ability once the exit is active. Be aware that executing them also lets every DBADM holder DROP or ALTER indexes in any database, not only their own, because the unqualified profile cannot distinguish databases.
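The following is an added example, not the IBM utility's own EXEC, showing the four conversion steps above together with the OPTCLST handling. It runs over a few constructed rows shaped like SYSIBM.SYSTABAUTH and SYSIBM.SYSDBAUTH (the 'Y'/'G' privilege flags, where 'G' means WITH GRANT OPTION) and emits the RDEFINE and PERMIT commands as text. The DB2 subsystem prefix DSN, the class names MDSNTB and DSNADM, and the subsystem.owner.table.privilege profile naming are assumptions taken from the RACF access control module's conventions; check them against your own naming. Two things here go slightly beyond the utility as described: the RDEFINE of the unqualified DBADM profile is written to OPTCLST alongside the PERMITs, and PUBLIC WITH GRANT OPTION is reported as a warning for manual review rather than silently folded into UACC(READ).

```python
"""Added illustration of the RACF/DB2 conversion steps; not IBM's utility code."""

SUBSYS = "DSN"            # assumed DB2 subsystem name used as the profile prefix
TABLE_CLASS = "MDSNTB"    # assumed RACF class for table privileges
ADMIN_CLASS = "DSNADM"    # assumed RACF class for administrative authorities
AUDIT = "AUDIT(ALL(READ))"

# SYSTABAUTH privilege columns mapped to the privilege name in the profile;
# ' ' = not held, 'Y' = held, 'G' = held WITH GRANT OPTION.
PRIV_COLUMNS = {"SELECTAUTH": "SELECT", "INSERTAUTH": "INSERT",
                "UPDATEAUTH": "UPDATE", "DELETEAUTH": "DELETE"}

# Constructed sample rows shaped like SYSIBM.SYSTABAUTH.
SYSTABAUTH = [
    {"GRANTEE": "PAYADM", "TCREATOR": "PAYROLL", "TTNAME": "EMP",
     "SELECTAUTH": "G", "INSERTAUTH": "Y", "UPDATEAUTH": "G", "DELETEAUTH": " "},
    {"GRANTEE": "CLERK1", "TCREATOR": "PAYROLL", "TTNAME": "EMP",
     "SELECTAUTH": "Y", "INSERTAUTH": " ", "UPDATEAUTH": " ", "DELETEAUTH": " "},
    {"GRANTEE": "PUBLIC", "TCREATOR": "PAYROLL", "TTNAME": "EMP",
     "SELECTAUTH": "Y", "INSERTAUTH": " ", "UPDATEAUTH": " ", "DELETEAUTH": " "},
    # PUBLIC WITH GRANT OPTION: the case the utility does not check for.
    {"GRANTEE": "PUBLIC", "TCREATOR": "PAYROLL", "TTNAME": "DEPT",
     "SELECTAUTH": "G", "INSERTAUTH": " ", "UPDATEAUTH": " ", "DELETEAUTH": " "},
]

# Constructed sample rows shaped like SYSIBM.SYSDBAUTH (NAME is the database).
SYSDBAUTH = [
    {"GRANTEE": "DBA1", "NAME": "DBPAY", "DBADMAUTH": "Y"},
    {"GRANTEE": "DBA2", "NAME": "DBTEST", "DBADMAUTH": "G"},
]


def collect_grants(tabauth, dbauth):
    """Map (class, profile) -> list of (grantee, has_grant_option), in row order."""
    grants = {}
    for row in tabauth:
        for column, priv in PRIV_COLUMNS.items():
            flag = row.get(column, " ")
            if flag not in ("Y", "G"):
                continue
            key = (TABLE_CLASS, f"{SUBSYS}.{row['TCREATOR']}.{row['TTNAME']}.{priv}")
            grants.setdefault(key, []).append((row["GRANTEE"], flag == "G"))
    for row in dbauth:
        flag = row.get("DBADMAUTH", " ")
        if flag in ("Y", "G"):
            key = (ADMIN_CLASS, f"{SUBSYS}.{row['NAME']}.DBADM")
            grants.setdefault(key, []).append((row["GRANTEE"], flag == "G"))
    return grants


def convert(tabauth, dbauth):
    """Return (clist, optclst, warnings) as lists of RACF command strings."""
    clist, warnings = [], []
    grants = collect_grants(tabauth, dbauth)
    for (racf_class, profile), holders in grants.items():
        # Step 2: a grant to PUBLIC becomes UACC(READ). PUBLIC with GRANT is
        # only flagged here; the utility itself makes no provision for it.
        uacc = "READ" if any(g == "PUBLIC" for g, _ in holders) else "NONE"
        if any(g == "PUBLIC" and wgo for g, wgo in holders):
            warnings.append(f"{profile}: PUBLIC holds WITH GRANT OPTION; review manually")
        # Step 1: one discrete profile per privilege/resource, always audited.
        clist.append(f"RDEFINE {racf_class} {profile} UACC({uacc}) {AUDIT}")
        # Steps 3 and 4: READ for plain holders, ALTER for GRANT-option holders.
        for grantee, wgo in holders:
            if grantee == "PUBLIC":
                continue
            access = "ALTER" if wgo else "READ"
            clist.append(f"PERMIT {profile} CLASS({racf_class}) ID({grantee}) ACCESS({access})")
    # OPTCLST: every DBADM holder on any database gets READ on the unqualified
    # DBADM profile that the exit checks for DROP/ALTER INDEX.
    optclst, dbadm_holders = [], []
    for (racf_class, profile), holders in grants.items():
        if racf_class == ADMIN_CLASS and profile.endswith(".DBADM"):
            for grantee, _ in holders:
                if grantee not in dbadm_holders:
                    dbadm_holders.append(grantee)
    if dbadm_holders:
        unqualified = f"{SUBSYS}.DBADM"
        optclst.append(f"RDEFINE {ADMIN_CLASS} {unqualified} UACC(NONE) {AUDIT}")
        for grantee in dbadm_holders:
            optclst.append(f"PERMIT {unqualified} CLASS({ADMIN_CLASS}) ID({grantee}) ACCESS(READ)")
    return clist, optclst, warnings


if __name__ == "__main__":
    clist, optclst, warnings = convert(SYSTABAUTH, SYSDBAUTH)
    print("\n".join(["* CLIST"] + clist + ["* OPTCLST"] + optclst
                    + ["* WARNINGS"] + warnings))
```

Running it prints the CLIST commands first, then the OPTCLST commands, then the warning for DSN.PAYROLL.DEPT.SELECT. Note how PAYADM's 'G' on SELECT and UPDATE becomes ACCESS(ALTER) while its plain 'Y' on INSERT becomes ACCESS(READ), and how PUBLIC never appears in a PERMIT because it is expressed through UACC instead.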

The RACFDB2 Conversion Utility for DB2 Version 6 and later (117KB) can be downloaded either by using your browser or by using anonymous file transfer protocol (ftp). From your browser, select "file" and "save as". For anonymous ftp, use the site public.dhe.ibm.com. The utility can be found in the directory /eserver/zseries/zos/racf/racfdb2/ with the file name racfdb26.xmitbin. The file is in TSO TRANSMIT (XMIT) format, so transfer it in binary mode and unpack it with the TSO RECEIVE command.

We welcome your comments and questions on the RACFDB2 Utility. Please direct them to the RACF-L mailing list. Subscription information for RACF-L can be found from the RACF-L Discussion List page.

Disclaimers

This program contains code made available by IBM Corporation on an "AS-IS" basis. Any one receiving this program is considered to be licensed under IBM copyrights to use the IBM-provided code in any way he or she deems fit, including copying it and redistributing it, except that it may be neither sold nor incorporated within a product that is sold. No license under any IBM patents or patent applications is to be implied from this copyright license.

The software is provided "as-is", and IBM disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability or fitness for a particular purpose.
