Learn how you can Enforce Data Security using Db2 Access Control andMasking to ensure only those who need to know have access to business data, Which is very important as regulations require the strictest of data Security (e.g. GDPR).
IBM db2 Row and Access Control & Masking (Enforcing Governance where the data resides)
1. Db2 Row and Column Access Control (RCAC)
George Baklarz
IBM DTE Leader Hybrid Data Management
2. IBM Cloud2IBM Digital Technical Engagement
Please note
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice and at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment,
promise, or legal obligation to deliver any material, code or functionality. Information about
potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for
our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in
a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve results similar to those stated here.
3. IBM Cloud3IBM Digital Technical Engagement
Agenda
Introduction to Row Column Access Control (RCAC)
Using RCAC in Db2
Row permissions
Column masks
RCAC Usage Examples
4. IBM Cloud4IBM Digital Technical Engagement
Why Use Row Column Access Control?
Currently, data access is restricted via views or
application logic
Users with direct access to databases can
bypass these layers
Example: Users with DATAACCESS authority
can still view all data
DB2 10 provides a new way to control data
access at
row/column level
Set up rich security policies
Prevents administrators with DATAACCESS
authority from accessing all data in a database
No dependency on application logic
Allows for data masking (column)
Facilitates table level multi-tenancy
How can we ensure
that a social security
number column is
masked out for
unauthorized users?
How can we ensure
that managers only
see data for their
own employees?
5. IBM Cloud5IBM Digital Technical Engagement
What is Row Column Access Control?
Additional layer of data security introduced in
DB2 10
Complementary to table
level authorization
Allows access only to subset of data useful for
job task
Controls access to a table at the row, column, or
both
Two sets of rules
Permissions for rows
Masks for columns
6. IBM Cloud6IBM Digital Technical Engagement
How is This Different from LBAC?
LBAC is a fixed label security model designed
for governments
Hierarchical access scenarios
• Great for large companies with well defined data and user classifications
• Suited for such applications as those intelligence and defense communities
RCAC is a general purpose security model
No data or user classification required
Best suited for commercial customers
7. IBM Cloud7IBM Digital Technical Engagement
How is This Different from LBAC? (cont.)
Why is RCAC more suited for commercial customers?
Simpler mechanism
• LBAC is powerful, but has a complex, lengthy implementation
No requirement to classify data and users
• Can use existing roles and groups
Provides column masking (LBAC does not)
Transparent to the client application
Pushes security from application to database, giving
performance advantages
Robust data privacy for supporting multi-tenancy
Very easy for use in compliance
Click for Demo, video / Hands on Lab:
ibm.com/demos/collection/db2-database
8. IBM Cloud8IBM Digital Technical Engagement
CREATE PERMISSION p_name ON table/view FOR ROWS
WHERE search condition ENFORCED FOR ALL ACCESS {disable/enable};
ALTER TABLE/VIEW table/view ACTIVATE ROW ACCESS CONTROL;
Determines if permission
will be ENABLED when
access control is
ACTIVATED for table
WHERE clause
Create Permission
To create a permission governing access to rows
1) CREATE the permission with access rule defined by search condition
– Choose to enforce for all DML or simply select
2) ENABLE or DISABLE the permission
– If enabled, this access rule will be implemented when row access control is
ACTIVATed for the affected table
3) ALTER table to activate row access control
ACTIVATE the row
access control
9. IBM Cloud9IBM Digital Technical Engagement
Scenario: Create Permission
A simple scenario has the following permissions attached
PAYROLL table
• Can only be accessed between the hours of 8:00 am and 5:00 pm
Anyone with table privileges on the PAYROLL table only has those privileges
enabled within the table during the selected hours
1
2
10. IBM Cloud10IBM Digital Technical Engagement
CREATE PERMISSION payrollp
ON PAYROLL
FOR ROWS WHERE CURRENT TIME BETWEEN ‘8:00’ AND ’17:00’
ENFORCED FOR ALL ACCESS ENABLE;
ALTER TABLE payroll ACTIVATE ROW ACCESS CONTROL;
Scenario: Create Permission (cont.)
1
2
11. IBM Cloud11IBM Digital Technical Engagement
Scenario: Create Permission (cont.)
A more complex scenario using the same PAYROLL has the
following permissions attached
PAYROLL table
• Can only be accessed between the hours of 8:00 am and 5:00 pm
• Can only be accessed using the PROC1 stored procedure from within the
HRPROCS schema
The PAYROLL table can only be accessed through the HRPROCS.PROC1
stored procedure during the hours from 8:00 am to 5:00 pm
1
2
12. IBM Cloud12IBM Digital Technical Engagement
CREATE PERMISSION payroll-table-rules
ON PAYROLL
FOR ROWS WHERE CURRENT TIME BETWEEN ‘8:00’ AND ’17:00’
AND SYSIBM.ROUTINE_SPECIFIC_NAME = ‘PROC1’
AND SYSIBM.ROUTINE_SCHEMA = ‘HRPROCS’
AND SYSIBM.ROUTINE_TYPE = ‘P’
ENFORCED FOR ALL ACCESS ENABLE;
ALTER TABLE payroll ACTIVATE ROW ACCESS CONTROL;
Scenario: Create Permission (cont.)
1
2
13. IBM Cloud13IBM Digital Technical Engagement
CREATE MASK m_name on t_name FOR COLUMN c_name RETURN
case-expression {disable/enable}
ALTER TABLE/VIEW table/view ACTIVATE COLUMN ACCESS CONTROL;
Create Column Mask
To create a mask for a column
1) CREATE the mask with visibility of column value determined by
case expression
2) ENABLE or DISABLE the permission, determining if this access rule will be
implemented when column access control is enabled for the affected table
3) ALTER table to ACTIVATE column access control
Result of case expression
is returned in substitute of
column value
Determines if mask will be
enabled when access control
is ACTIVATEd for table
ACTIVATE column
access control
14. IBM Cloud14IBM Digital Technical Engagement
Scenario: Create Column Mask
Scenario has the following permissions attached
Salary column
• Accounting can see the actual SALARY column value
• Everyone else sees 0.00
Employee number column
• Employees or Accounting can see their own full employee number
• Everyone else sees ‘EEEEEE’
1
2
15. IBM Cloud15IBM Digital Technical Engagement
CREATE MASK salary_mask ON payroll FOR
COLUMN salary RETURN
CASE
WHEN verify_role_for_user(SESSION_USER,
‘ACCOUNTING’) = 1
THEN salary
ELSE 0.00
END
ENABLE;
CREATE MASK empno_mask ON payroll FOR
COLUMN empno RETURN
CASE
WHEN verify_role_for_user(SESSION_USER,
‘EMPLOYEE’) = 1
THEN empno
WHEN verify_role_for_user(SESSION_USER,
‘ACCOUNTING’) = 1
THEN empno
ELSE
‘EEEEEE‘
END
ENABLE;
ALTER TABLE payroll ACTIVATE COLUMN ACCESS CONTROL;
Scenario: Create Column Mask (cont.)
1
2
16. IBM Cloud16IBM Digital Technical Engagement
CREATE VIEW patient_info_view AS
SELECT p.sin, p.name, c.choice
FROM patient p, patientchoice c
WHERE p.sin = c.sin
AND c.choice = ‘drug-research’
AND c.value = ‘opt-in’;
Using Views with RCAC-Protected Tables
Views can be created on RCAC-protected tables
When querying the view, data is returned based on RCAC
rules defined on base table
SELECT * FROM patient_info_view;
SIN NAME CHOICE
XXX XXX 856 Sam drug-research
XXX XXX 789 Bob drug-research
17. IBM Cloud17IBM Digital Technical Engagement
CREATE MASK EXAMPLEHMO.ACCT_BALANCE_MASK ON PATIENT FOR
COLUMN ACCT_BALANCE RETURN
CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER,'ACCOUNTING') = 1
THEN ACCBALDISPLAY(ACCT_BALANCE)
ELSE 0.00
END
ENABLE;
Using UDFs and Triggers with RCAC-Protected Tables
UDFs must be defined as SECURED when referenced from within row and column
access control definitions
UDFs invoked on columns protected with a column mask must be defined as SECURED.
For instance, the SELECT statement below will fail unless CALC is defined as a secure
UDF
Triggers must be defined as SECURED if the subject table is protected with row or
column access control
ALTER FUNCTION ACCBALDISPLAY SECURED;
SELECT CALC(ACC_BALANCE) FROM PATIENT;
ALTER TRIGGER T_LOG_CHANGES SECURED;
18. IBM Cloud18IBM Digital Technical Engagement
CREATE [OR REPLACE] MASK m_name ON t_name FOR COLUMN
c_name RETURN case expression DISABLE/ENABLE
SQL Statements for Managing RCAC rules
SQL information for creating a row permission or column mask is
stored in the SYSCAT.CONTROLS catalog table
CREATE [OR REPLACE] PERMISSION p_name ON t_name FOR ROWS
WHERE search condition ENFORCED FOR ALL ACCESS
DISABLE/ENABLE
ALTER MASK/PERMISSION c_name/p_name DISABLE/ENABLE
DROP MASK/PERMISSION c_name/p_name
ALTER TABLE t_name ACTIVATE/DEACTIVATE ROW/COLUMN ACCESS
CONTROL
19. IBM Cloud19IBM Digital Technical Engagement
New Built-in Scalar Functions
verify_role_for_user (user, role1, role2, …)
The result is 1 if any of the roles associated with the user are in list of role1, role2, etc.
Else 0
verify_group_for_user (user, group1, group2, …)
The result is 1 if any of the groups associated with the user are in list of group1, group2, etc.
Else 0
Note: This scalar function can also be used for LDAP roles
verify_trusted_context_role_for_user (user, role1, role2, …)
The result is 1 if when the role acquired through a trusted connection is in (or contains) any of
the roles in the list of role1, role2, …
Else 0
20. IBM Cloud20IBM Digital Technical Engagement
Restrictions and Considerations
You cannot create a mask on a column which
Is an XML object
Is a LOB column or a distinct type column that is based on a LOB
Is a column referenced in an expression that defines a
generated column
UDFs and TRIGGERs must be altered with SECURE keyword
Compromise between security vs. integrity
Automatic Data Movement
No propagation of any existing row permissions or column masks takes place. Target table is automatically
protected with the default no access row permission to protect against direct access to that target table
• MQT, History Tables for Temporal tables, and detached table partitions for range-partitioned tables
db2look can extract row permission and column mask definitions in order to mimic elsewhere
EXPLAIN facility shows access plans with RCAC in place
Can override with NORCAC option
21. IBM Cloud21IBM Digital Technical Engagement
RCAC Usage Examples – Users, Groups, and Roles
For the usage examples, there exist the following users and
departments (groups and roles)
Using groups and roles with RCAC
22. IBM Cloud22IBM Digital Technical Engagement
Scenario: Create Permission
Scenario has the following permissions attached
CUSTOMERS and CUST_CRDT_CARD table
• CUSTOMERS contains name, customer number, address, gender, and other
personal information
• CUST_CRDT_CARD contains customer ID and credit card information
SALES department
• Has all row access to both tables
ACCOUNTING department
• Has all row access to the CUSTOMERS table
• Can only see rows in the CUST_CRDT_CARD table for customers that
belong to each ACCOUNTING employee’s customer group
Nobody else sees any data
23. IBM Cloud23IBM Digital Technical Engagement
TABLE PERMISSIONS – CUSTOMERS
CREATE PERMISSION custa ON TOQUE.CUSTOMERS
FOR ROWS WHERE
(VERIFY_ROLE_FOR_USER(SESSION_USER,'SALES')=1)
OR
(VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING')=1)
ENFORCED FOR ALL ACCESS ENABLE;
ALTER TABLE TOQUE.CUSTOMERS ACTIVATE ROW ACCESS CONTROL;
TABLE PERMISSIONS – CUST_CRDT_CARD
CREATE PERMISSION crdta ON TOQUE.CUST_CRDT_CARD
FOR ROWS WHERE
(VERIFY_ROLE_FOR_USER(SESSION_USER,'SALES')=1)
OR
(VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING')=1 AND
VERIFY_ROLE_FOR_USER(SESSION_USER,CUST_GROUP)=1)
ENFORCED FOR ALL ACCESS ENABLE;
ALTER TABLE TOQUE.CUST_CRDT_CARD ACTIVATE ROW ACCESS CONTROL;
Scenario: Create Permission (cont.)
24. IBM Cloud24IBM Digital Technical Engagement
Query Example – Row Permissions Only
RCAC flexibility allows row permissions, column masks, or both to
be implemented on a table
An example query where only row permissions exist
SELECT B.CUST_FIRST_NAME AS FIRST_NAME, B.CUST_LAST_NAME AS LAST_NAME,
A.CUST_CC_NUMBER AS CC_NUMBER,A.CUST_CC_EXP_DATE AS EXP_DATE,
A.CUST_GROUP AS GROUP FROM TOQUE.CUST_CRDT_CARD A, TOQUE.CUSTOMERS B
WHERE A.CUST_CODE = B.CUST_CODE AND B.CUST_LAST_NAME LIKE 'T%';
A
25. IBM Cloud25IBM Digital Technical Engagement
Scenario: Create Masks
Scenario has the following masks attached
CUSTOMERS and CUST_CRDT_CARD table
• CUST_GROUP column can only be viewed by members of the SECURITY group
• All others see the CUST_GROUP with the masked value of ‘NONE’
CUSTOMERS table has restrictions on personal information columns
• CUST_AGE
• CUST_EMAIL
• MARITAL_STATUS_CODE
For the three restricted view columns, the following masks apply
• SALES can view the e-mail address only
• Age is masked as “21”
• Marital status is masked as NULL
• ACCOUNTING can view the actual values of all 3 columns
26. IBM Cloud26IBM Digital Technical Engagement
COLUMN MASKS – CUSTOMERS
CREATE MASK cust_group_mask ON TOQUE.CUSTOMERS
FOR COLUMN cust_group RETURN
CASE WHEN (VERIFY_ROLE_FOR_USER(SESSION_USER,'SECURITY')=1)
THEN cust_group
ELSE 'NONE'
END
ENABLE;
CREATE MASK cust_age_mask ON TOQUE.CUSTOMERS
FOR COLUMN cust_age RETURN
CASE WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING')=1)
THEN cust_age
WHEN (VERIFY_ROLE_FOR_USER(SESSION_USER,'SALES')=1)
THEN 21
ELSE NULL
END
ENABLE;
Scenario: Create Masks (cont.)
27. IBM Cloud27IBM Digital Technical Engagement
COLUMN MASKS – CUSTOMERS (cont.)
CREATE MASK cust_email_mask ON TOQUE.CUSTOMERS
FOR COLUMN cust_email RETURN
CASE WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING')=1)
THEN cust_email
WHEN (VERIFY_ROLE_FOR_USER(SESSION_USER,'SALES')=1)
THEN cust_email
ELSE NULL
END
ENABLE;
CREATE MASK marital_status_mask ON TOQUE.CUSTOMERS
FOR COLUMN marital_status_code RETURN
CASE WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING')=1)
THEN marital_status_code
ELSE NULL
END
ENABLE;
ALTER TABLE TOQUE.CUSTOMERS ACTIVATE COLUMN ACCESS
CONTROL;
Scenario: Create Masks (cont.)
28. IBM Cloud28IBM Digital Technical Engagement
COLUMN MASKS – CUST_CRDT_CARD
CREATE MASK cust_cc_group_mask ON
TOQUE.CUST_CRDT_CARD
FOR COLUMN cust_group RETURN
CASE WHEN
(VERIFY_ROLE_FOR_USER(SESSION_USER,'SECURITY')=1
)
THEN cust_group
ELSE 'NONE'
END
ENABLE;
ALTER TABLE TOQUE.CUST_CRDT_CARD ACTIVATE COLUMN
ACCESS CONTROL;
Scenario: Create Masks (cont.)
29. IBM Cloud29IBM Digital Technical Engagement
Permission and Mask Summary for Examples
The following permission and mask rules apply to the CUSTOMERS
table
CUSTOMERS TABLE AGE MARITAL
STATUS
CUST_GROUP E-MAIL
DBA N - - - -
SALES Y N N N Y
ACCOUNTING Y Y Y N Y
A
B
C
30. IBM Cloud30IBM Digital Technical Engagement
Permission and Mask Summary for Examples (cont.)
The following permission and mask rules apply to the
CUST_CRDT_CARD table
CUST_CRDT_CARD TABLE CUST_GROUP
DBA N -
SALES Y N
ACCOUNTING N
A Y
B Y
C Y
31. IBM Cloud31IBM Digital Technical Engagement
Query Example – Permissions and Masks
RCAC flexibility allows row permissions, column masks, or both to
be implemented on a table
An example query with both permissions and masks
SELECT B.CUST_FIRST_NAME AS FIRST_NAME, B.CUST_LAST_NAME AS LAST_NAME,
A.CUST_CC_NUMBER AS CC_NUMBER,A.CUST_CC_EXP_DATE AS EXP_DATE,
A.CUST_GROUP AS GROUP FROM TOQUE.CUST_CRDT_CARD A, TOQUE.CUSTOMERS B
WHERE A.CUST_CODE = B.CUST_CODE AND B.CUST_LAST_NAME LIKE 'T%';
A
32. IBM Cloud32IBM Digital Technical Engagement
Query Example – Permissions and Masks
RCAC flexibility allows row permissions, column masks, or both to
be implemented on a table
An example query with both permissions and masks
SELECT B.CUST_FIRST_NAME AS FIRST_NAME, B.CUST_LAST_NAME AS LAST_NAME,
A.CUST_CC_NUMBER AS CC_NUMBER,A.CUST_CC_EXP_DATE AS EXP_DATE,
A.CUST_GROUP AS GROUP FROM TOQUE.CUST_CRDT_CARD A, TOQUE.CUSTOMERS B
WHERE A.CUST_CODE = B.CUST_CODE AND B.CUST_LAST_NAME LIKE 'T%';
C
Gunter query returned 359 rows, Moe query returned 384 rows
33. IBM Cloud33IBM Digital Technical Engagement
Query Example – Permissions and Masks (cont.)
Now we will look at a query involving multiple masks
SELECT CUST_FIRST_NAME AS FIRST_NAME, CUST_LAST_NAME AS LAST_NAME,
CUST_CITY AS CITY, CUST_AGE AS AGE, CUST_GROUP AS GROUP
FROM TOQUE.CUSTOMERS WHERE CUST_CITY LIKE 'P%';
Click for Demo, video / Hands on Lab: ibm.com/demos/collection/db2-database
34. IBM Cloud34IBM Digital Technical Engagement
Query Example – Permissions and Masks (cont.)
RCAC prevents privileged users from accessing sensitive data
SELECT CUST_FIRST_NAME AS FIRST_NAME, CUST_LAST_NAME AS LAST_NAME,
CUST_CITY AS CITY, CUST_AGE AS AGE, CUST_GROUP AS GROUP
FROM TOQUE.CUSTOMERS WHERE CUST_CITY LIKE 'P%';
Click for Demo, video / Hands on Lab: ibm.com/demos/collection/db2-database
35. IBM Cloud35IBM Digital Technical Engagement
RCAC – Useful Tips
Here are some useful tips to remember when implementing RCAC
for a database table
Both database roles and operating system groups can be utilized within RCAC to
provide sub-categories of access
When defining column masks, remember the following
• Literal masks must match the data type defined for the column
• NULL masks can only be used if the column allows NULL values
Permissions and masks are defined at the database level
• Each permission and mask name must be unique within the database
• Each permission or mask applies to a single table
36. IBM Cloud36IBM Digital Technical Engagement
Summary
Click for Demo, video / Hands on Lab:
ibm.com/demos/collection/db2-database
37. IBM Cloud37IBM Digital Technical Engagement
Summary of Row and Column Access Control
Allows access only to subset of data useful for job task
Leverages existing groups and roles
Same output regardless of access method
Data Studio, views, applications, etc.
Data-centric and transparent to client application
Ideal for
Commercial applications
Function-specific access control (vs. hierarchical)
Use in compliance
SECADM is the sole manager of security policy
Two sets of rules
Row access is restricted via permissions
Column access is restricted via masks
38. IBM Cloud38IBM Digital Technical Engagement
Thank You !
Seem more on Db2 @
IBM.COM/Demos/collection/db2-database
Click for Demo, video / Hands on Lab:
ibm.com/demos/collection/db2-database
Editor's Notes
This presentation will follow this agenda; an introduction to Row Column Access Control (RCAC), Using RCAC in DB2 10 with a closer look at row permissions and column masks, a look at RCAC usage examples, and finally a summary of RCAC material that was covered during this presentation.
We have security in DB2 already. We have LBAC in DB2 already. Why do we want to use Row and Column Access Control (RCAC)? There are key items that are of value to your customers. We show them here.
In any business organization, data must be protected, and only users who need to see certain data should be able to see this data. Depending on the job role, different parts of information should not be visible.
We could use SQL Views to a table of course, but this adds complexity and exposes to the users that there may be data that is not accessible. It also adds maintenance complexity.
Application logic could also be used, but it comes with its own set of issues.
With either of Views or application access, however, a DBA or user (with DATAACCESS) could go into the tables and see all data … this is not a suitable situation.
As a result, we need something like Row and Column Access Control for ease of use and ease of implementation.
RCAC is an additional layer of security and is complimentary to table level authorizations already in DB2 LUW. RCAC will work in conjunction with authorizations already in place.
RCAC does have the ability to protect at the table row level, table column level, or both, providing a masking of result sets to the users based on the protection in place. This are done via rules which are created and we will discuss this further in this presentation.
The image on the slide simply shows at a high, non specific level, that the SSN column is masked out (it is in green) and that a number of rows are not returned (in red) based on a row permission defined.
LBAC was designed for US Government use, and was best for hierarchical access scenarios.
LBAC hierarchy example:
TOP SECRET-> SECRET-> CONFIDENTIAL-> PUBLIC
LBAC is also well suited for a large organization with complex security requirements. It is suited for a broad range of applications, but generally used for defense.
RCAC is more general purpose and is based on function-specific access – meaning access based on job roles. It is less powerful than LBAC but is also less complex to implement.
RCAC function-specific example:
Warehouse system where a fact table contains ALL customer info. Need to display different info depending on department
Both LBAC and RCAC have their uses and scenarios where they should be used. RCAC however has a number of key differences over LBAC which make it more suited for commercial customers. These are listed on this slide. Let us go through them.
Example - Simpler: LBAC requires security components, labels, etc.
Masking – good to be able to show only certain pieces of column data
Compliance – very easy to use RCAC to provide compliance for data access in certain ways such as HIIPA, Sarbanes-Oxly, etc
On this slide we simply take a moment to show you the syntax for creating a permission to access row data. This deals with ROW access control. Essentially there are 3 primary steps: (1) Create the permission (2) Enable the permission (3) Activate the permission on the table – this last step is important since regardless of a permission being enabled or disabled, unless the access control is activated on the table, the permissions will not be in place.
Details:
Search-condition Specifies a condition that can be true or false for a row of the table. This follows the same rules as that of a search condition in a WHERE clause of a subselect.
Note: Use of a SELECT for a search condition does not require explicit SELECT or EXECUTE privilege. New built-in scalar functions are supplied for determining if a user is a member of a role or group.
Default is DISABLE. You need to alter table to use the access control.
Here we will go over a simple scenario for a PAYROLL table, which is a table that contains sensitive data in most organizations. For the PAYROLL table we want to restrict access for any user (or group or role) that has SELECT privilege on the PAYROLL table to between the hours of 8:00 am and 5:00 pm. This type of selective time period access can easily be accomplished using the row permissions of RCAC.
These are the required definitions for the three rules described on the previous page for the simple PAYROLL table scenario. Note that we can define the rules in a single CREATE statement.Since no user role, trusted context, or group is specified in the FOR ROWS … portion of the CREATE PERMISSION statement, nogroups, or roles are explicitly excluded from table row access.
Enforcing ALL ACCESS means it will be used for ALL DML, not just SELECT statements.As mentioned earlier the last step must be to ALTER the table to ACTIVATE the row access control.
Here we will go over a simple scenario for a PAYROLL table, which is a table that contains sensitive data in most organizations. For the PAYROLL table we want to restrict access for any user (or group or role) to accessing the PAYROLL table through the HRPROCS.PROC1 stored procedure and then only between the hours of 8:00 am and 5:00 pm. This is a more complicated table row permission to illustrate the types of access control that can be provided through the use of RCAC.
These are the required definitions for the three rules described on the previous page for the simple PAYROLL table scenario. Note that we can define the rules in a single CREATE statement.Since no user role, trusted context, or group is specified in the FOR ROWS … portion of the CREATE PERMISSION statement, no groups, or roles are explicitly excluded from table row access, the restriction is that ALL access must be through the HRPROCS.PROC1 stored procedure ONLY and then ONLY between the hours of 8:00 am and 5:00 pm.
Enforcing ALL ACCESS means it will be used for ALL DML, not just SELECT statements.The last step must be to ALTER the table to ACTIVATE the row access control.
Moving on, we will now discuss how you would implement the column access control. Remember that RCAC provides both column access and row access controls. Column access control is implement in the form of a mask, or lack thereof, on the data
This slide shows how we would define the column access control. Note that we have three similar steps to those for defining row access control
First we create the mask – we use CASE expressions to determine the result
Second we ENABLE the permission -Third (and again important as it was with row permissions) we must ACTIVATE the permission on the table involved.
Note that the ability for someone to update a column with a mask on it will be based not on the presence of a mask, but the presence of any row permission. Someone can update the column data which is masked, even if they cannot see the masked data as long as they have update permission on the table and the ability to see the row.
Moving on, we will now discuss how you would implement the column access control. Remember that RCAC provides both column access and row access controls. Column access control is implement in the form of a mask, or lack thereof, on the data
Using the previous PAYROLL table simple example (anyone with table privileges can access the table between 8:00 am and 5:00 pm), we will create a mask on two columns within the PAYROLL table.
We MASK the SALARY column
-Only the ACCOUNTING team can see the actual SALARY value in the table
– All others see a salary of zero
We MASK the Employee Number column
-Only the employee themselves or someone in Accounting can see the full Employee Number
– All others see only ‘EEEEEE’
In this case we use the CREATE MASK statement (earlier we used a CREATE PERMISSION statement). The numbers in the green circles match up with the rules we indicated earlier we needed to do on the column data: If you are in ACCOUNTING you see the SALARY column value; if you are the employee or a member of ACCOUNTING, you see the full employee number.
Different from our row permission create statement we use separate CREATE MASK statements, one for each MASK we want to define.
Also as before we verify the role of the user executing the statement, and using our case expression determine the resulting column data that will be returned by DB2 to the user executing the query.Each mask is enabled separately, and very important we must ACTIVATE column access control on the table.
We will look at detailed output later in this presentation when we discuss RCAC usage examples.
RCAC protection is not limited to base tables. RCAC can be applied to VIEWs also.
In this example, we create a simple view. When you SELECT from the VIEW, the defined row and column access controls are applied when providing the result set.
Any views, triggers, UDFs, etc. can only see and update the data based on the defined row access and column masks. We see more on this on the next page.
Additional requirements are in place for UDFs and TRIGGERs to access a table with ROW or COLUMN access controls – they must be defined as SECURED.
Also if you use a UDF or a TRIGGER within the definition of the row or column access control, the SECURED keyword must be specified.
UDFs
======
SECURED or NOT SECURED
Specifies whether the function is considered secure for row and column access control.
NOT SECURED
Indicates that the function is not considered secure. When the function is invoked, the arguments of the function must not reference a column for which a column mask is enabled and column level access control is activated for its table (SQLSTATE 428HA). This rule applies to the non secure user-defined functions that are invoked anywhere in the statement.
SECURED
Indicates that the function is considered secure.
The function must be secure when it is referenced in a row permission or a column mask (SQLSTATE 428H8).
The function must be secure when it is referenced in a materialized query table and the materialized query table references any table that has row or column level access control activated (SQLSTATE 428H8).
TRIGGERS
========
NOT SECURED or SECURED
Specifies whether the trigger is considered secure.
SECURED
Specifies the trigger is considered secure. SECURED must be specified for a trigger whose subject table is a table on which row level or column level access control has been activated (SQLSTATE 428H8). Similarly, SECURED must be specified for a trigger that is created on a view and one or more of the underlying tables in that view definition has row level or column level access control activated (SQLSTATE 428H8).
NOT SECURED
Specifies the trigger is considered not secure. Altering a trigger from secured to not secured fails if the trigger is defined on a table for which row or column level access control is activated (SQLSTATE 428H8). Similarly, altering a trigger from secured to not secured fails if the trigger is defined on a view and one or more of the underlying tables in that view definition has row or column level access control activated (SQLSTATE 428H8).
Life would not be complete if we did not provide you with SQL statements to managed your RCAC row and column access rules.
The CREATE PERMISSION statement is one we say earlier in this discussion. Also the CREATE MASK statement (also seen and discussed earlier).
Both have the REPLACE option whereby if the permission or mask is not defined, it will be created. If it is defined, it can be replaced. A single statement for both.
Permissions and Masks can of course be altered to enable or disable them, dropped, to delete them from the database.
Finally the previously discussed ALTER TABLE .. ACTIVATE/DEACTIVATE statement. The ACTIVATE, if you recall, is required to make sure that even if the permission and mask are defined, that they will actually be used when accessing the table. It is a two step process.
In addition to the new statements for create permission and create mask, additionally there are three new scalar functions.
These are provided and quite useful for the search conditions within a permission definition.
In the first scalar function, the first argument is the user being checked upon. This is then followed by a list of roles. These roles are checked to see if the user is in any of these roles (such as Accounting, etc.). If yes, then the value of ‘1’ is returned from the scalar function.
We have similar definitions to check for inclusion in groups, and usage via a trusted-context connection.
Note that if you are interested in using LDAP roles, this can be easily done. LDAP roles would be groups as far as DB2 is concerned, so as long as you have configured DB2 to acquire groups from LDAP, then the VERIFY_GROUP_... function is all you need.
There are some restrictions and considerations you need to be aware of.
With respect to Automatic Data Movement … even the creator of the target table will not have access by default. Once RCAC controls are in place, access rules are maintained by those in the SECADM group.
For the examples that will be discussed during the next several slides, we are using this group of users and departments within the Great Toque Outdoors company. The table at the bottom of this slide shows the groups and roles that are assigned to each user. For the ACCOUNTING department, each user belongs the ACCOUNTING group at the OS level and in addition the customers are divided into three sub-groups (CUSTGROUPA, CUSTGROUPB, and CUSTGROUPC). Each member of the ACCOUNTING department is granted one of these customer group assignments to further restrict data row access through the use of table permissions.
Here we will go over a scenario for a CUSTOMERS and CUST_CRDT_CARD tables for the Great Toque Outdoors retail company. As was shown in the table at the bottom of the previous slide, the table access rules for the two tables are now detailed.
The permissions and (later on in this presentation) masks will be for the SALES and ACCOUNTING departments ONLY. All other individuals (including DBAs) will have no privileges on these tables.
From a table row permissions standpoint, members of the SALES department (a role in DB2) have access to all rows in both of these tables. The ACCOUNTING department is setup using both OS level groups and DB2 roles, the group ACCOUNTING and roles for each of the customer groups. So the ACCOUNTING group members can see all rows in the CUSTOMERS table, but only the CUST_CRDT_CARD table rows that match their customer group role. Other than these two groups of users, nobody else has row access to the tables (including DBAs). Of course, since the SECADM authority within the database controls RCAC, any user with this authority would have access to the data as well.
Further into the example, column masks will be discussed along with how masks can be used to protect columns.
Here is the actual DB2 syntax to implement the table permissions detailed on the previous slide for the employees in the Great Toque Outdoors Company. These two examples make use of the new scalar functions added to DB2 10 specifically for RCAC. For the first table (CUSTOMERS), the SALES role membership is verified for row access or the ACCOUNTING group membership is verified for row access. No one else has any row permissions on the CUSTOMERS table.
For the CUST_CRDT_CARD table, the SALES role verification is identical to the CUSTOMERS table. However, since we have broken the customer group into subsets of customers for each member of the ACCOUNTING department, both the group membership (ACCOUNTING) and the role membership (specified by the CUST_GROUP column value of the data row) are verified before row access is permitted.
Please note that this example shows that groups or roles can be verified against constant values (‘SALES’, ‘ACCOUNTING’) or actual column values within the table (CUST_GROUP).
Now we will look at the results of a query for Gunther in the ACCOUNTING department (CUSTGROUPA). Since Gunther is in the ACCOUNTING group and has the CUSTGROUPA role, he can view all customers in the CUST_CRDT_CARD table that have a CUST_GROUP value of CUSTGROUPA.
For the remainder of these usage examples, the concept of column masks will be introduced and we will look at the impact of row permissions and column masks on queries when they are used together for the full power of RCAC.
NOTE: For display purposes, the column names have been abbreviated in some cases (as shown in the SQL statement syntax, as an example GROUP is the CUST_GROUP column) and EXP_DATE is shown as a DATE value for readability.
For the create masks scenarios that will be discussed, there are the following data access rules to be implemented:
CUSTOMERS table
CUST_GROUP column can only be viewed by the SECURITY group members. All others will see the literal mask of “NONE”.
CUST_AGE column can only be viewed by the ACCOUNTING group members. All others will see the literal mask of 21.
CUST_EMAIL column can be viewed by the ACCOUNTING group or SALES role members. All others will see a mask of NULL.
MARITAL_STATUS_CODE column can only be viewed by the ACCOUNTING group. All others will see a mask of NULL.
CUST_CRDT_CARD table
CUST_GROUP column can only be viewed by the SECURITY group members. All others will see the literal mask of “NONE”.
Here are the SQL statements to create the first two masks on the CUSTOMERS table for the CUST_GROUP and CUST_AGE columns. Please note the new functions (VERIFY_GROUP_FOR_USER and VERIFY_ROLE_FOR_USER) being used as part of the mask definitions.
Since the column mask name must be unique within the database (not at the table level, but across the database, it is a good practice to incorporate the table name as part of the column mask name.
Here are the remaining two column masks for the CUSTOMERS table; for CUST_EMAIL and MARITAL_STATUS_CODE columns. For CUST_EMAIL, either the SALES role or ACCOUNTING group members can view the actual e-mail address. For MARITAL_STATUS_CODE, only the ACCOUNTING group can access the column contents, everyone else will see a NULL value.
Finally, there is a single column mask for the CUST_CRDT_CARD table and this is for the CUST_GROUP column, where only the SECURITY role members can view the contents of the CUST_GROUP column. Everyone else will see the literal value of “NONE”.
Prior to reviewing some additional examples of RCAC permission and mask usage, the table permission and mask rules will be reviewed for both the CUSTOMERS and CUST_CRDT_CARD tables. This slide shows the table level permissions and the column masks that are in effect for the CUSTOMERS table. As the table shows, only the SALES role and ACCOUNTING group have permissions to access rows within CUSTOMERS. The sub-groups for CUST_GROUP, the CUSTGROUPA, B, and C roles within the ACCOUNTING department (group) are not utilized for CUSTOMERS. The column masks are on the AGE, MARITAL_STATUS_CODE , CUST_GROUP, and CUST_EMAIL columns and apply to the SALES role and ACCOUNTING group. Since the DBA role has no access to the CUSTOMERS table, the masks do not take effect. For the CUST_GROUP column, only the SECURITY role has access to view the column contents, everyone else (including SALES and ACCOUNTING) sees the literal value of “NONE”.
For the CUST_CRDT_CARD table, the sub-groups (CUSTGROUPA, B, and C roles) within the ACCOUNTING department are used to restrict table row access to only those rows with the same customer group as the person issuing the query or within the SALES role. As far as column masking, only the CUST_GROUP column is masked and all users outside of the SECURITY role view “NONE” for the CUST_GROUP column value.
Now we will look at the results of a query for Gunther in the ACCOUNTING department (CUSTGROUPA) when both row permissions and column masks are enabled. Since Gunther is in the ACCOUNTING group and has the CUSTGROUPA role, he can view all customers in the CUST_CRDT_CARD table that have a CUST_GROUP value of CUSTGROUPA.
If a comparison between this query result and the prior query (identical SQL statement) results (row permissions only) on slide 27, the difference is in the GROUP column display, as all group column values are masked as “NONE” for people outside of the security group.
NOTE: The number of rows returned by the query is based on the row permissions on the table ONLY. The table column masks do NOT change the result of the query, they simply control what column values are displayed for the individual that issues the query.
Now we will look at the results of the previous query for Moe in the ACCOUNTING department (CUSTGROUPC) when both row permissions and column masks are enabled. Since Moe is in the ACCOUNTING group and has the CUSTGROUPC role, she can view all customers in the CUST_CRDT_CARD table that have a CUST_GROUP value of CUSTGROUPC.
If a comparison between this query result and the prior query (identical SQL statement) results executed by Gunther, you see that each person (Gunther and Moe) return a different result set due to the row permissions defined for the tables. Gunther returned 359 rows for the query, whereas Moe returned 384 rows for the query.
Now we will look at the results of a query for James in the SALES department (no subcategory) when both row permissions and column masks are enabled. Since James is in the SALES role, he can view all customers in the CUSTOMERS table, but the AGE and GROUP columns are masked. This example will highlight one of the considerations when implementing RCAC in terms of what constitutes a valid mask value. As the query results show, the GROUP column is masked to the literal “NONE” and the AGE column displays the value 21. Since the SALES role does not have AGE column access, they only see the masked value (in this case, the value of 21).
One of the things to keep in mind when creating masks is that the mask has to match the data type of the column. Using this example to illustrate this point, if the AGE column was masked to “ADULT” (which would make since for anyone over the age of 21), the mask would be created without error. However, when you execute queries against the table that apply the mask (for example, someone in the SALES role), an error will be received when the query is executed. Since the AGE column is an integer data type, the mask value was set to the integer value of 21 (indicating the person is an adult, but you don’t know view their actual age value).
Now we will look at the results of a query for Ed in the DBA department (no subcategory) when both row permissions and column masks are enabled. Since Ed is in the DBA role, he can view none of the customers in the CUSTOMERS table. In this example, the column masks do not get applied, as the data row permissions prevent the access of any table data by Ed and at least one row must be returned for the column masks to change the data displayed to the person executing the query.
The presentation will conclude with some useful tips to consider when implementing RCAC within your DB2 ESE environment. Both database roles and operating system groups (along with any DB2 system variable) can be combined within RCAC to provide further sub-categories of access.
When defining column masks, remember the following rules to avoid SQL statement errors after implementation; (1) literal masks must match the data type defined for the column, and (2) NULL masks are ONLY valid if the table column being masked allows NULLs.
Finally, although permissions and masks are defined at the table level, the permission and mask names must be UNIQUE within the database. Although each permission or mask applies to a single table, the names are stored at the database level. Therefore, it is a good practice to include the table name as part of the permission or mask name when defining RCAC rules. If you believe the statement syntax is correct and receive an error upon executing the CREATE PERMISSION or CREATE MASK statement, check the error to see if it is related to the name already existing.
RCAC works well with current permissions in the database. Here we simply summarize RCAC.