Customizing to protect update functions in ZDT/Db2
You can use an external security product to write facility class
rules to protect update functions within ZDT/Db2.
The following ZDT/Db2 functions are considered to be update functions:
Table 1. ZDT/Db2 update functions

Function   Menu option   Description
--------   -----------   -----------------------------
D2E        2             Db2® edit
DBC        3.3           Copy utility
D2I        3.6           Import utility
D2G        3.8           Db2® data create
DBSBSP     4.1           Basic select prototyping
DBSASP     4.2           Advanced select prototyping
DBSEDX     4.4           Db2® edit and execute SQL
DBSENX     4.3           Db2® enter and execute SQL

To protect update functions, specify SEC=YES in the HFM2POPT
module (see the SEC parameter in Z Data Tools options).
The facility class rules that are required are:
FILEM.DB2.UPDATE
FILEM.FUNCTION.function_code
Example 1: To protect all Db2® update functions
Specify SEC=YES in the HFM2POPT module
Write a facility class rule for FILEM.DB2.UPDATE
Example 2: To protect the Db2® editor function only
Specify SEC=YES in the HFM2POPT module
Write a facility class rule for FILEM.FUNCTION.D2E
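
The rules from Example 1 and Example 2 written as RACF commands, in a REXX exec added here for illustration (it is not from the product documentation). It assumes RACF is the external security product and that READ is the access level the check requires; the group names DB2UPD and DB2EDIT are hypothetical.

```rexx
/* REXX: added example, not from the product documentation.           */
/* Assumptions: RACF is the external security product, READ is the    */
/* access level checked, and DB2UPD / DB2EDIT are hypothetical groups.*/
rule.1 = 'FILEM.DB2.UPDATE'   ; group.1 = 'DB2UPD'    /* Example 1 */
rule.2 = 'FILEM.FUNCTION.D2E' ; group.2 = 'DB2EDIT'   /* Example 2 */
rule.0 = 2

DO i = 1 TO rule.0
  /* UACC(NONE): no access unless a user or group is permitted.       */
  CALL run 'RDEFINE FACILITY' rule.i 'UACC(NONE)'
  CALL run 'PERMIT' rule.i 'CLASS(FACILITY) ID('group.i') ACCESS(READ)'
END

/* Needed only if the FACILITY class is RACLISTed at your site.       */
CALL run 'SETROPTS RACLIST(FACILITY) REFRESH'

/* List each profile with its access list so the result can be        */
/* reviewed before SEC=YES is activated in HFM2POPT.                  */
DO i = 1 TO rule.0
  CALL run 'RLIST FACILITY' rule.i 'AUTHUSER'
END
EXIT 0

/* Issue one TSO/RACF command and stop at the first failure so that   */
/* a partly defined rule set is noticed immediately.                  */
run: PROCEDURE
  PARSE ARG cmd
  ADDRESS TSO cmd
  IF rc <> 0 THEN DO
    SAY 'RC='rc 'from:' cmd
    EXIT 8
  END
  RETURN
```

Confirm the required access level and the interaction between the two rule types against the validation flow in Figure 1 before relying on these profiles.
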
The following diagram shows the processing that is used when function rules, update facility class rules, or both are specified.
Figure 1. Security system validation for update functions
Note: In most cases it is preferable to use Db2® security, with or without an external security server, to control update access to Db2® objects. Db2® security allows access to be specified for individual Db2® objects at various levels of access (SELECT, INSERT, UPDATE, DELETE), and to individual Db2® authids. The same level of control is not possible using ZDT/Db2.