Multilevel Security


Multilevel security permits a more granular scheme of setting security, combining hierarchical and categorical security schemes. Multilevel security can be used to prevent individuals from accessing data at a higher security level or viewing declassifying data.

DB2 z/OS version 8 supports multilevel security at row level. DB2 restricts individual user access to a specific set of rows in a table. This security method requires z/OS 1.5 RACF.

Security enforcement is automatically performed at statement runtime. New security checks are performed that are difficult to express using SQL views or queries. Multilevel security does not rely on special views or database variables, and the controls are consistent and integrated across the system.

User security classification is maintained in the RACF security database only. The DB2 tables must have a new column, defined as AS SECURITY LABEL, added to support this security. This column will contain the security label, and every row will have a specific security label. The values will match security label definitions. For each row accessed, DB2 calls the RACF Security Exit to check authorization. If access is allowed, then normal data access occurs. When data access is not allowed, the data is not returned and there is no indication that the data was omitted from the query's result set. The security label values are cached to reduce overhead.

Version 8 has a new method of feeding external security information into SQL statements. DB2 now has built-in session variables. The variables are set by the connection/sign-on exit. A new built-in function called GETVARIABLE() can be used to retrieve value for a variable. The security label can be retrieved by this function by requesting the contents of the SYSIBM.SECLABEL session variable. The contents of this variable can be used in views, triggers, stored procedures, functions, and constraints to enforce security policies. The following example uses the function in a view:

 CREATE VIEW MY_DATA AS         SELECT *           FROM SHARED_DATA          WHERE COL_OWNER              = GETVARIABLE(SYSIBM.SECLABEL) 



DB2 for z. OS Version 8 DBA Certification Guide
DB2 for z/OS Version 8 DBA Certification Guide
ISBN: 0131491202
EAN: 2147483647
Year: 2003
Pages: 175
Authors: Susan Lawson

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net