IBM Systems Magazine, Mainframe digital edition - May/June 2009 - 49

One common internal policy is to separate duties and assign them to different roles. For example, a person who has the right to create a new purchase order shouldn't have the right to create a new vendor. Separating these two duties prevents a person from diverting business to a friend's company. To do this, a system administrator could define a role called purchaser with the authority to access the purchase order system (POS) and the right to create a new purchase order in DB2. The administrator would then create a role called managers, with the authority to access the POS and add new vendors to DB2. Any attempt by a purchaser to add a vendor would be rejected by DB2 and can be traced for audit purposes.

Utilizing Trusted Context

Trusted context provides a real-world solution to the problem of establishing a trusted relationship between DB2 and an application. DB2 evaluates a series of trust attributes to determine whether a specific application is to be trusted. The relationship between the application and DB2 remains for the life of the connection.

Once established, a trusted context allows a company to define a unique set of interactions between DB2 and the external entity, including:

• The capability for the external entity to use an established database connection under a different user, without the need to fully authenticate that user at the DB2 server. This eliminates the need for the application to manage end-user passwords.

• The capability for a DB2 authorization ID to acquire one or more privileges within a trusted context that aren't available outside of that trusted context.

One benefit of assigning roles to a trusted context is that database objects can be owned by a role rather than by a user. If an employee is promoted or transferred, the objects stay with the role and no user identity is lost. A role controls all user-data access and is available only through a trusted context.

To take the example further, the POS may require additional table privileges beyond what's needed when a purchaser creates a purchase order or a manager adds a vendor. A trusted context can be defined with a default role to manage control data. When the POS accesses DB2, the default role is in effect; when a user acting as a purchaser accesses the POS to create a purchase order, the purchaser role controls that user's access; and when a user accesses the POS as a manager to add a vendor, the manager role controls that user's access. The definition of the trusted context controls which role each user receives.

Trusted contexts and roles can thus be used to implement database administrative privileges that can be disconnected from and reconnected to users. This provides function similar to shared system administration authority (SYSADM) or database administration authority (DBADM) user IDs, but avoids the audit-compliance problems associated with shared users. Each role can own DB2 objects, so removing a user from a role doesn't cause the objects to be cascade deleted. Because an administrator who creates a table under a role doesn't own the table, the administrator gains no implicit access to the table's data. With these capabilities, security administrators can create database-administrator procedures that can be audited and protected, so one individual can't violate the established rules without being detected during an audit.

Defining Trusted Context

A trusted context is an independent database entity that's defined based upon a system authorization ID and a connection trust attribute. For a remote connection, the trust attribute is the client's IP address or domain name. For a local connection, it's the job or started task name:

System Authorization ID: This is the primary DB2 authorization ID associated with the user when the connection is established. For a remote connection, it's derived from the external entity's system user ID. For a local connection, it's derived from the user ID associated with the job or started task.

Connection Trust Attributes: The trust attributes identify the specific connections that are considered part of this trusted context. The client's IP address or host name, or the z/OS job name, must be specified.

As an example of a trusted context for a remote connection, the administrator could define a trusted connection context as follows. The trust attributes go inside an ATTRIBUTES clause, and ENABLE is needed because a newly created trusted context is disabled by default:

    CREATE TRUSTED CONTEXT CTX1
      BASED UPON CONNECTION USING SYSTEM AUTHID WASADM1
      ATTRIBUTES (ADDRESS '9.26.113.204',
                  ADDRESS '9.26.113.208',
                  ADDRESS '9.26.113.219')
      ENABLE;

If a connection is established from the IP address 9.26.113.204 with the DB2 authorization ID WASADM1, DB2 determines that there's a match between this connection's attributes and the trusted context CTX1. Thus, a trusted context is established and DB2 marks the connection as trusted. If you require more flexibility than an IP address, connection attributes can be specified using a client's domain name, which is converted to an IP address by the domain-name server, resulting in a list of addresses or network

MAY/JUNE 2009 ibmsystemsmag.com/mainframe 49
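The purchase-order scenario described in this column, put together end to end as DB2 9 for z/OS SQL: one role per separated duty, a role that owns the tables, a trusted context that hands each user the right role, and a catalog query that checks the separation still holds. This is an added example, not code from the article. The role, context, table and user names (PURCHASER, MANAGERS, CTXROLE, POSCTX, WASADM1, PURCH01, MGR01), the addresses, and the catalog column names in the final query are assumptions.

```sql
-- Added example, not from the article. All names and addresses are assumptions.

-- 1. One role per duty, plus a role for the application's own control data.
CREATE ROLE PURCHASER;
CREATE ROLE MANAGERS;
CREATE ROLE CTXROLE;

-- 2. Trusted context for the POS application server (WASADM1 from two addresses).
--    WITH ROLE AS OBJECT OWNER AND QUALIFIER: objects created over a trusted
--    connection are owned by the role in effect, not by whoever ran the DDL.
--    ENABLE is required; a trusted context is created DISABLED by default.
--    WITH USE FOR: the users the server may switch the connection to, each with
--    the role that governs its access. WITH AUTHENTICATION makes DB2 demand
--    that user's credentials at the switch (the default is WITHOUT AUTHENTICATION).
CREATE TRUSTED CONTEXT POSCTX
  BASED UPON CONNECTION USING SYSTEM AUTHID WASADM1
  ATTRIBUTES (ADDRESS '9.26.113.204',
              ADDRESS '9.26.113.208')
  DEFAULT ROLE CTXROLE WITH ROLE AS OBJECT OWNER AND QUALIFIER
  ENABLE
  WITH USE FOR PURCH01 ROLE PURCHASER WITH AUTHENTICATION,
               MGR01   ROLE MANAGERS  WITH AUTHENTICATION;

-- 3. Tables, created over a connection that matched POSCTX, so CTXROLE owns
--    them. The administrator who issued the DDL gets no implicit privileges.
--    USER records which authorization ID was in effect after the switch.
CREATE TABLE CTXROLE.VENDOR (
  VENDOR_ID   INTEGER       NOT NULL,
  VENDOR_NAME VARCHAR(100)  NOT NULL,
  ADDED_BY    VARCHAR(128)  NOT NULL WITH DEFAULT USER
);
CREATE TABLE CTXROLE.PURCHASE_ORDER (
  PO_ID       INTEGER       NOT NULL,
  VENDOR_ID   INTEGER       NOT NULL,
  AMOUNT      DECIMAL(12,2) NOT NULL,
  CREATED_BY  VARCHAR(128)  NOT NULL WITH DEFAULT USER
);

-- 4. Least privilege per duty. A purchaser can raise an order against an
--    existing vendor but cannot add one; a manager can add vendors but
--    cannot raise orders. Neither role can be used outside POSCTX.
GRANT SELECT, INSERT ON CTXROLE.PURCHASE_ORDER TO ROLE PURCHASER;
GRANT SELECT         ON CTXROLE.VENDOR         TO ROLE PURCHASER;
GRANT SELECT, INSERT ON CTXROLE.VENDOR         TO ROLE MANAGERS;

-- 5. PURCH01 transfers out of purchasing: drop the mapping, not the role.
--    CTXROLE still owns both tables, so nothing is cascade-dropped and the
--    rows PURCH01 created keep their CREATED_BY value.
ALTER TRUSTED CONTEXT POSCTX DROP USE FOR PURCH01;

-- 6. Audit check: a user mapped to the purchaser duty in one context and the
--    manager duty in any context (the same one or another) breaks the
--    separation. Catalog column names (CONTEXTID, AUTHID, ROLE, NAME) are
--    assumed from the DB2 9 for z/OS catalog; confirm them against your
--    SQL Reference before relying on this query.
SELECT P.AUTHID,
       CP.NAME AS PURCHASER_CONTEXT,
       CM.NAME AS MANAGER_CONTEXT
  FROM SYSIBM.SYSCONTEXTAUTHIDS P
  JOIN SYSIBM.SYSCONTEXTAUTHIDS M  ON M.AUTHID     = P.AUTHID
  JOIN SYSIBM.SYSCONTEXT        CP ON CP.CONTEXTID = P.CONTEXTID
  JOIN SYSIBM.SYSCONTEXT        CM ON CM.CONTEXTID = M.CONTEXTID
 WHERE P.ROLE = 'PURCHASER'
   AND M.ROLE = 'MANAGERS';
```

The switch from WASADM1 to PURCH01 or MGR01 is requested by the application server over the already-trusted connection, not by a SQL statement; DB2 then applies the role named in WITH USE FOR. Because both users are mapped WITH AUTHENTICATION, a compromised application server cannot by itself take the connection over as an arbitrary user, which is the check most worth keeping when the convenience of WITHOUT AUTHENTICATION is proposed.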

Administrator:  DB2 9 Features Help Ensure Compliance