Grant or revoke access to a cobol/db2 program manually

 
sathyaraj

New User


Joined: 28 Sep 2007
Posts: 71
Location: India.

Posted: Mon Feb 27, 2012 3:48 pm    Post subject: Grant or revoke access to a cobol/db2 program manually

Hi,

I know this question is going to sound totally absurd for most of the senior folks here, but I really couldn't find a way around this.

Is it possible to grant or revoke access to a cobol/db2 program manually by running Grant/Revoke queries? I know the entries are created in Systabauth when a bind is done, but what if at a later stage, I want to revoke the update access to a few tables without touching the program?

Is that possible? If I didn't make myself clear, please let me know.

Cheers,

enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10202
Location: italy

Posted: Mon Feb 27, 2012 5:07 pm    Post subject: Reply to: A totally absurd question...

and what are You going to do when the program will face a SQL return code for lack of authority ???
sathyaraj

New User


Joined: 28 Sep 2007
Posts: 71
Location: India.

Posted: Mon Feb 27, 2012 5:27 pm    Post subject:

Enrico,

I think I will get a -438, but that should be fine. We are making the system completely read only and so the users will be advised not to update anything. The problem with controlling this at a RACF level is that I need the users to use one particular update transaction alone. So couldn't think of any other idea other than revoking the access the programs have...

Thanks
sushanth bobby

Senior Member


Joined: 29 Jul 2008
Posts: 1013
Location: India

Posted: Mon Feb 27, 2012 6:02 pm    Post subject:

Hi Sathyaraj,

Bind package with two different owners and store the packages in different collections.
Owner one has all the access.
Owner two has only select access (your read-only package)

And I don't think you will get -438 for lack of authority.

Thanks,
Sushanth
sathyaraj

New User


Joined: 28 Sep 2007
Posts: 71
Location: India.

Posted: Mon Feb 27, 2012 7:32 pm    Post subject:

Thanks Sushanth,

Okay, say I have 10 programs out of which I want to have 9 as read only and one as read/write. So I will bind 9 programs with an owner ID which is read only and 1 program with a different owner ID which can read/write.

But will the bind of the 9 programs not throw any error? i.e. binding a DBRM with update statements to an owner ID that has only read access?

Cheers,
sushanth bobby

Senior Member


Joined: 29 Jul 2008
Posts: 1013
Location: India

Posted: Tue Feb 28, 2012 10:28 am    Post subject:

Sathyaraj,

VALIDATion should be done during RUNtime. Moreover, read-only programs and updatable programs should not be mixed, it causes confusion. Please discuss with your DBA.

Regards,
Sushanth
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

Posted: Tue Feb 28, 2012 11:14 am    Post subject:

Sushanth,

what you say is correct,
but the TS does not want to create/modify/write any modules.

The TS is attempting to use the flags in db2 sysibm tables to make up
for a poorly thought-out plan.

Sathyaraj,

yes, i imagine you are going to have bind errors.

what you have is a requirement to modify a system on the cheap.

i would suggest the cleanest solution to your problem
would be to employ triggers to inhibit the updates/inserts/deletions of rows based on user/group id.

your solution of modifying sysibmtabauth would be a nightmare,
as well as it probably will not work.

using triggers would allow you to keep everything as it is (the code)
yet provide a clean, controllable method of inhibiting users from modifying the database.
sathyaraj

New User


Joined: 28 Sep 2007
Posts: 71
Location: India.

Posted: Tue Feb 28, 2012 8:43 pm    Post subject:

Thanks Brenholtz,

Trigger sounds good. But I am not sure of the work involved. creating a trigger for each table..

Ok will try to arrive at some numbers and see if that is viable.

Thanks,
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

Posted: Tue Feb 28, 2012 8:56 pm    Post subject:

instead of thinking of viability
you should be thinking of the lesser evil

when someone says all the work involved,
all i see is someone who uses stone wheels and knives.

create one, test it and if it works, write a rexx script to generate all the other CREATE TRIGGERs
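The generator suggested in the post above, sketched as an added example that is not part of the original thread or any poster's code: it emits one BEFORE trigger per table and per write event, rejecting the statement unless the primary authorization ID (`USER`) is on an allow-list. The schema, table names, the `UPDTXN1` ID, the trigger naming scheme and SQLSTATE `75001` are constructed placeholders.

```rexx
/* REXX - added example, not from the thread.                         */
/* Emits BEFORE INSERT/UPDATE/DELETE triggers that reject writes      */
/* unless the primary auth ID (USER) is in an allow-list.             */
/* Schema, tables, auth ID and SQLSTATE are constructed placeholders. */
schema  = 'APPSCHEMA'                /* hypothetical schema            */
tables  = 'CUSTOMER ORDERS INVOICE'  /* hypothetical table list        */
allowed = 'UPDTXN1'                  /* hypothetical IDs allowed to write */
events  = 'INSERT UPDATE DELETE'
okchars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_#@$'

/* Build the quoted IN-list once. Anything that is not a plain        */
/* identifier is refused, so no input can alter the generated DDL.    */
inlist = ''
do i = 1 to words(allowed)
  id = translate(word(allowed, i))           /* fold to upper case */
  if verify(id, okchars) > 0 then call bad 'auth ID' id
  if i > 1 then inlist = inlist || ', '
  inlist = inlist || "'" || id || "'"
end

count = 0
do t = 1 to words(tables)
  tab = translate(word(tables, t))
  if verify(tab, okchars) > 0 then call bad 'table name' tab
  do e = 1 to words(events)
    ev  = word(events, e)
    trg = 'RO' || left(ev, 1) || '_' || tab  /* e.g. ROU_ORDERS */
    say 'CREATE TRIGGER' schema || '.' || trg
    say '  NO CASCADE BEFORE' ev 'ON' schema || '.' || tab
    say '  FOR EACH ROW MODE DB2SQL'
    say '  WHEN (USER NOT IN (' || inlist || '))'
    say "  SIGNAL SQLSTATE '75001' ('" || ev "BLOCKED: READ-ONLY MODE');"
    say ''
    count = count + 1
  end
end
say '-- generated' count 'triggers'
exit 0

bad: /* stop before emitting DDL built from an unexpected value */
  parse arg what
  say 'Rejected' what
  exit 8
```

Each trigger body is a single statement, so the generated DDL runs with the default `;` terminator. A statement blocked by `SIGNAL` returns the given SQLSTATE to the program, reported as SQLCODE -438.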
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10202
Location: italy

Posted: Tue Feb 28, 2012 9:07 pm    Post subject: Reply to: Grant or revoke access to a cobol/db2 program manu

if the DB2/CICS/IMS/<whatever> environment has been set up properly all the authorization/privileges checking will be done on the USERID/GROUP running the transaction

for batch USER of the JOB card ( real,surrogate,propagated )
for TSO USER logged on ( with allowance for some surrogate processing )
for CICS/IMS the USER logged/signed in thru the proper CICS/IMS sign in process

so fiddling around with programs and friends is pretty useless

but naturally the security setup should have been done properly
sathyaraj

New User


Joined: 28 Sep 2007
Posts: 71
Location: India.

Posted: Tue Feb 28, 2012 9:32 pm    Post subject:

Brenholtz,

I totally agree that trigger was a paradigm shift from what I was thinking and it is a less complex solution. It took me some time to digest the approach and now like you said, can think about ways to quickly do it.

Enrico,

our applications have access levels hard coded and am trying to find a way to control the application without touching it. Gonna test some SQL PL, and see how it goes..

Cheers,
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10202
Location: italy

Posted: Tue Feb 28, 2012 9:34 pm    Post subject: Reply to: Grant or revoke access to a cobol/db2 program manu

Quote:
but naturally the security setup should have been done properly

where everything comes easy

Quote:
our applications have access levels hard coded

Your environment falls in the other category ...
somebody made a bad choice and You all will have to live with it !
All times are GMT + 6 Hours