In the CICS® DB2® environment, there are four main
stages at which you can implement security checking. These are:
- When a CICS user signs on to a CICS region. CICS sign-on authenticates
users by checking that they supply a valid user ID and password. This section does
not deal with this process; you can find more information about it
in "Verifying CICS users" in the CICS RACF® Security Guide.
- When a CICS user tries to use or modify a CICS resource that is related to DB2. This could be a DB2CONN, DB2ENTRY or DB2TRAN resource definition; a CICS transaction that accesses DB2 to obtain data; or a CICS transaction that issues commands to the CICS DB2 attachment facility or to DB2 itself. At this stage, you can use CICS's own security mechanisms, which are managed by RACF or an equivalent external security manager, to control the CICS user's access to the resource. "Controlling access to DB2 resources in CICS" tells you how to implement security at this stage.
- When the CICS region connects to DB2, and when a transaction acquires a thread into DB2. Both the CICS region and the transaction must provide authorization IDs to DB2, and these authorization IDs are validated by RACF or an equivalent external security manager. "Providing authorization IDs to DB2 for the CICS region and for CICS transactions" tells you how to choose and provide these authorization IDs.
- When a CICS user tries to use a CICS transaction to execute or modify a DB2 resource. This could be a plan, a DB2 command, or a resource that is needed to execute dynamic SQL. At this stage, you can use DB2's security checking, which is managed either by DB2 itself, or by RACF or an equivalent external security manager, to control the CICS user's access to the resource. "Authorizing users to access resources within DB2" tells you how to implement security at this stage.
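As an added illustration of the second stage (this is not part of the original documentation or of any IBM-supplied sample), the following RACF commands define a profile that protects a DB2ENTRY and grant one user access to it. The resource name DB2ENT1 and the user ID CICSUSR1 are constructed for the example. The class name DCICSDB2 is assumed to be the CICS resource class used for DB2ENTRY checks when the XDB2 system initialization parameter is active; verify it against the CICS RACF Security Guide for your CICS level before using it.

```tso
SETROPTS CLASSACT(DCICSDB2)
RDEFINE  DCICSDB2 DB2ENT1 UACC(NONE)
PERMIT   DB2ENT1 CLASS(DCICSDB2) ID(CICSUSR1) ACCESS(READ)
SETROPTS RACLIST(DCICSDB2) REFRESH
```

The profile is defined with UACC(NONE) so that every user is denied by default, and only the users or groups named on PERMIT commands can cause a transaction to acquire a thread through that DB2ENTRY. The final SETROPTS RACLIST REFRESH is needed because CICS resolves these checks against in-storage profiles; without the refresh, a newly defined or changed profile is not seen by a running region. Users who are denied at this stage are still subject to the later DB2-side checks described in the fourth stage, so the two layers should be designed together rather than relying on either one alone.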
You can also use RACF, or an equivalent external security manager,
to protect the components that make up CICS and DB2 from unauthorized
access. You can apply this protection to DB2 databases, logs, bootstrap
data sets (BSDSs), and libraries outside the scope of DB2, and to
CICS data sets and libraries. You can use VSAM password protection
as a partial replacement for the protection provided by RACF. "CICS system resource security" in the CICS RACF Security Guide gives
you more information about this.
DB2 Version 8 introduced support for multilevel security. "Multilevel security and row-level security" explains what to do if multilevel security is active in your DB2 environment.
Note:
In this section, we refer to RACF as the external
security manager used by CICS. Except for the explicit RACF examples,
the general discussion applies equally to any functionally equivalent
non-IBM® external security manager.
Figure 24 shows the security mechanisms involved in
a CICS DB2 environment.