Customizing to protect update functions in ZDT/Db2

You can use an external security product to write facility class rules to protect update functions within ZDT/Db2.

The following ZDT/Db2 functions are considered to be update functions:

Table 1. ZDT/Db2 update functions

Function   Menu option   Description
--------   -----------   ---------------------------
D2E        2             Db2® edit
DBC        3.3           Copy utility
D2I        3.6           Import utility
D2G        3.8           Db2 data create
DBSBSP     4.1           Basic select prototyping
DBSASP     4.2           Advanced select prototyping
DBSEDX     4.4           Db2 edit and execute SQL
DBSENX     4.3           Db2 enter and execute SQL

To protect update functions, specify SEC=YES in the HFM2POPT module (see the SEC parameter in Z Data Tools options).

The facility class rules that are required are:
  • FILEM.FUNCTION.function_code (protects one function; function_code is the code from Table 1)
  • FILEM.DB2.UPDATE (protects all Db2 update functions; checked only when no FILEM.FUNCTION.function_code rule is defined for the function)

Example 1: To protect all Db2 update functions
  • Specify SEC=YES in the HFM2POPT module
  • Write a facility class rule for FILEM.DB2.UPDATE

Example 2: To protect the Db2 editor function only
  • Specify SEC=YES in the HFM2POPT module
  • Write a facility class rule for FILEM.FUNCTION.D2E
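The two examples above expressed as security product commands. This is an added example, not part of the ZDT/Db2 documentation; it assumes RACF is the external security product, that the commands are issued from a CLIST (so the /* */ comments are valid), and that DB2ADM is a placeholder group name of your own.

```tso
/* Added example (assumes RACF; DB2ADM is a placeholder group name).   */

/* Example 1: protect every Db2 update function with one profile.      */
/* UACC(NONE) means users without an explicit PERMIT get NONE, which   */
/* is rejected; permitted users only need READ to be accepted.         */
RDEFINE FACILITY FILEM.DB2.UPDATE UACC(NONE)
PERMIT FILEM.DB2.UPDATE CLASS(FACILITY) ID(DB2ADM) ACCESS(READ)

/* Example 2: protect only the Db2 editor (function code D2E).         */
/* Because this profile now exists, the FILEM.DB2.UPDATE profile is no */
/* longer consulted for D2E: a user with NONE here is rejected even if */
/* they are permitted to FILEM.DB2.UPDATE.                             */
RDEFINE FACILITY FILEM.FUNCTION.D2E UACC(NONE)
PERMIT FILEM.FUNCTION.D2E CLASS(FACILITY) ID(DB2ADM) ACCESS(READ)

/* Activate the class (if not already active) and refresh the in-storage */
/* copy so the new profiles take effect without an IPL.                  */
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
```

Check the result with RLIST FACILITY FILEM.DB2.UPDATE AUTHUSER (and the same for FILEM.FUNCTION.D2E) before relying on it, and remember that SEC=YES in HFM2POPT must be set or neither profile is consulted.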
The following diagram shows the processing that is used when function rules, update facility class rules, or both are specified.

Figure 1. Security system validation for update functions

  Z Data Tools function (fc)
    │
    ▼
  FACILITY(FILEM.FUNCTION.fc) access?
    ALTER, UPDATE or READ  → Accepted
    NONE                   → Rejected
    not defined            → FACILITY(FILEM.DB2.UPDATE) access?
                                 ALTER, UPDATE or READ  → Accepted
                                 NONE                   → Rejected
Note: In most cases it is preferable to use Db2 security, with or without an external security server, to control update access to Db2 objects. Db2 security allows access to be specified for individual Db2 objects at various levels of access (SELECT, INSERT, UPDATE, DELETE), and to individual Db2 authids. The same level of control is not possible using ZDT/Db2.