Expired or deleted RACF accounts that are still active in DB2

Tags:
IBM DB2
RACF
z/OS
Hello, I have a question related to 'expired or deleted RACF accounts that are still active in DB2'. In our shop, z/OS is the operating system and RACF is the security tool. While DB2 native security is used to manage access for each of the DB2 objects such as database, table, view, or storage group, RACF is used to manage user accounts and such things as authentication. Question: There is an audit report noting that there are several orphaned user accounts (expired or deleted) with permissions and privileges to different DB2 objects within DB2. Does it constitute a Medium or High risk? If so, what are the vulnerabilities associated with it? If not, does it ONLY represent a cleanup issue whereby a user account with expired status in RACF or deleted from RACF should also be removed from DB2?

Thanks.



Software/Hardware used:
OS: z/OS; Security: RACF; DB: DB2

Answer Wiki

Assuming that the user fails the RACF check and does not get to DB2, then this scenario is just some cleanup.

Carefully consider revoking a user’s DB2 authorizations just because they are expired in RACF. Expired in RACF simply means they have not logged on in a while. Maybe they only logon once per year and when they do they will want their old auths back.

Keeping DB2 auths tidy is a pain. The RACF folks need to keep the DBA folks in the loop on who they are removing from RACF.

Consider using secondary authids (RACF groups) rather than granting DB2 auths to USERIDs. It helps keep things easier to manage (IMO).

Hope this helps.

Steve
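The cleanup Steve describes is a reconciliation: pull the grantees out of the DB2 catalog, look each one up in RACF, and treat "deleted from RACF" differently from "revoked/expired in RACF". The script below is an added example, not code from the original question or answer. It embeds constructed sample data in place of real catalog rows and a real RACF inventory; the catalog table and column names (SYSIBM.SYSTABAUTH, SYSDBAUTH, SYSUSERAUTH with GRANTEE) are assumed from the DB2 for z/OS catalog, and the RACF side is assumed to have been unloaded (for example from an IRRDBU00 unload or LISTUSER/LISTGRP output) into a user-to-revoked-flag map and a set of group names. Grantees that are RACF groups (secondary authids) are left alone, which is the pattern the answer recommends.

```python
"""Reconcile DB2 grantees against a RACF user/group inventory.

Added example: the catalog rows and RACF inventory below are constructed
sample data, not output from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Query a DBA would run to collect the DB2 side (assumed catalog
# table/column names; extend with SYSCOLAUTH, SYSPLANAUTH, etc. as needed).
CATALOG_QUERY = """
SELECT 'SYSTABAUTH' AS SRC, GRANTEE FROM SYSIBM.SYSTABAUTH
UNION SELECT 'SYSDBAUTH', GRANTEE FROM SYSIBM.SYSDBAUTH
UNION SELECT 'SYSUSERAUTH', GRANTEE FROM SYSIBM.SYSUSERAUTH
"""


@dataclass(frozen=True)
class Grant:
    grantee: str   # authorization ID as stored in the catalog
    catalog: str   # catalog table the row came from
    obj: str       # object the privilege is on ("-" for system privileges)
    priv: str      # privilege held


# Constructed sample of DB2 catalog rows.
DB2_GRANTS: List[Grant] = [
    Grant("JSMITH ", "SYSTABAUTH", "PAYROLL.EMP", "SELECT"),
    Grant("JSMITH", "SYSDBAUTH", "PAYROLLDB", "DBADM"),
    Grant("OLDUSER", "SYSTABAUTH", "PAYROLL.EMP", "UPDATE"),
    Grant("GONEUSR", "SYSUSERAUTH", "-", "SYSADM"),
    Grant("PAYRGRP", "SYSTABAUTH", "PAYROLL.EMP", "SELECT"),
    Grant("PUBLIC", "SYSTABAUTH", "PAYROLL.DEPT", "SELECT"),
]

# Constructed RACF inventory: user ID -> True if the profile is revoked.
RACF_USERS: Dict[str, bool] = {"JSMITH": False, "OLDUSER": True}
# Constructed RACF groups that DB2 sees as secondary authids.
RACF_GROUPS: Set[str] = {"PAYRGRP", "DBAGRP"}

# IDs DB2 treats specially; never cleanup candidates.
SPECIAL_IDS = {"PUBLIC"}
CATEGORIES = ("ACTIVE", "REVOKED", "MISSING", "GROUP", "SPECIAL")


def normalize(authid: str) -> str:
    """DB2 authids are uppercase and may be blank-padded in the catalog."""
    return authid.strip().upper()


def classify(grantee: str, users: Dict[str, bool], groups: Set[str]) -> str:
    """Map one grantee to a category; MISSING means not in RACF at all."""
    authid = normalize(grantee)
    if authid in SPECIAL_IDS:
        return "SPECIAL"
    if authid in groups:
        return "GROUP"
    if authid in users:
        return "REVOKED" if users[authid] else "ACTIVE"
    return "MISSING"


def reconcile(grants: List[Grant], users: Dict[str, bool],
              groups: Set[str]) -> Dict[str, List[Grant]]:
    """Bucket every catalog row by the RACF state of its grantee."""
    report: Dict[str, List[Grant]] = {c: [] for c in CATEGORIES}
    for g in grants:
        report[classify(g.grantee, users, groups)].append(g)
    return report


def revoke_statements(grants: List[Grant], users: Dict[str, bool],
                      groups: Set[str]) -> List[str]:
    """Generate REVOKEs only for grantees deleted from RACF.

    REVOKED (expired) users are reported but not revoked: as the answer
    notes, they may simply not have logged on for a while.
    """
    stmts = []
    for g in reconcile(grants, users, groups)["MISSING"]:
        authid = normalize(g.grantee)
        if g.catalog == "SYSTABAUTH":
            stmts.append(f"REVOKE {g.priv} ON TABLE {g.obj} FROM {authid};")
        elif g.catalog == "SYSDBAUTH":
            stmts.append(f"REVOKE {g.priv} ON DATABASE {g.obj} FROM {authid};")
        elif g.catalog == "SYSUSERAUTH":
            stmts.append(f"REVOKE {g.priv} FROM {authid};")
    return stmts


if __name__ == "__main__":
    rep = reconcile(DB2_GRANTS, RACF_USERS, RACF_GROUPS)
    for cat in ("MISSING", "REVOKED"):
        for g in rep[cat]:
            print(f"{cat:8} {normalize(g.grantee):8} {g.catalog:12} {g.priv} on {g.obj}")
    for s in revoke_statements(DB2_GRANTS, RACF_USERS, RACF_GROUPS):
        print(s)
```

Review the generated statements before running them: in DB2 for z/OS a REVOKE can cascade to privileges the revoked ID granted to others, so the DBA still needs to check the grantor chain, and rows for the same ID in other catalog tables (SYSCOLAUTH, SYSPLANAUTH, SYSPACKAUTH, and so on) need the same treatment.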
