
Security Considerations for Stored Procedures

Stored procedures are executed under the authority of the user who connects to DB2. For the stored procedures to run successfully, this user needs an OMVS segment and the DB2 authority to perform the action in question.

For your convenience, the security model is maintained in the JES Interface (transaction DB2J, button Profile Parameters). Three models are available:

·        If you choose DB2 Connect User, the DB2 Connect User needs an OMVS segment. This is the most convenient solution, because you no longer need to maintain your TSO password in the JES Interface (transaction DB2J, button Password). It is standard practice to place the SAP database and application servers behind a firewall; if you adhere to this standard, the security impact of this model is limited.

On the other hand, the DB2 Connect User should have a password that does not expire (see Setting Up DB2 Connect User ID and Password in the SAP DBA Guide for DB2), and some companies' security policies may prohibit giving this user an OMVS segment.

·        If you choose Administrator, the old behavior is emulated by performing a multiconnect to DB2 under the authority of the administrator. Each administrator must have an SAP user with the same name as his TSO ID and must maintain his own TSO password in the JES Interface. DBA actions are executed under the TSO user of the administrator who scheduled them.

·        If you choose User, you can specify a user in the related input field. All DBA actions are executed under this user by performing a multiconnect to DB2 under this user's authority. The advantage is that only this one user's password has to be maintained, and SAP administrators do not each need an identically named TSO user to execute DBA actions.

Regarding Security Models with DB2 Connect User and User

Security Models 1 (DB2 Connect User) and 3 (User) are protected from uncontrolled JCL job execution by the SAP authorization system: to execute the relevant administrative transactions, a user needs the profile S_A.ADMIN or S_DB_DBADM. Security Model 3 is the recommended option, because SAP Support, when logged on to your system, can help you without needing an identically named TSO user, which company policies often do not allow.

Regarding Security Models with Administrator and User

The user that will execute the DBA actions needs one of the following sets of authorities in the DB2 subsystem:

·        Authority SYSADM

·        Or authority SYSCTRL, EXECUTE on the DB2 Connect package, and SELECT on all DB2 catalog tables

The second set of authorities is best granted with the db2radm tool, as detailed in SAP Note 843808. For example, issue the following command at the operating system command line of the host where your application server runs:

db2radm -m db2i -L <DDF-Location> -P <DDF-Port> -S <SSID> -H <hostname>

The following options can be used:

·        -Q <user that will execute the DBA actions>

·        -U <user that will execute the DBA actions>

·        -u <granting user; needs SYSADM authority>

·        -p <password of the granting user>

Note that a password passed with -p appears on the command line and may therefore be recorded in the shell history and be visible in the process list while db2radm runs; clear the history entry afterwards.

Option -C <CollectionID> should be omitted if the connection named 'Default' is not configured in table DBCON. If it is configured and the parameter PS is maintained in column CON_ENV, the option must be identical to this parameter.
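If you cannot run db2radm, or want to verify what it granted, the following SQL issues the SYSCTRL variant of the authorities listed above by hand and then checks them in the DB2 catalog. This is an added example and is not taken from the SAP documentation or from db2radm; it assumes the DBA action user is named DBAUSER, that the DB2 Connect packages are bound into collection NULLID (use the collection from the PS parameter in DBCON.CON_ENV if one is maintained), and that the catalog tables are the base tables owned by SYSIBM in database DSNDB06. Adjust these names for your system.

```sql
-- Added example (not from the SAP page or from db2radm): the grants required for
-- the SYSCTRL variant of the security model, issued by a SYSADM user, followed by
-- the catalog queries that verify them.
-- Assumptions: DBA action user = DBAUSER; DB2 Connect collection = NULLID;
-- catalog tables = SYSIBM base tables in database DSNDB06.

-- 1. System authority. SYSCTRL is sufficient together with the two grants below;
--    GRANT SYSADM TO DBAUSER would make them unnecessary but is far broader.
GRANT SYSCTRL TO DBAUSER;

-- 2. EXECUTE on the DB2 Connect packages. The wildcard covers every package in the
--    collection, which is what the DRDA client needs in order to connect.
GRANT EXECUTE ON PACKAGE NULLID.* TO DBAUSER;

-- 3. SELECT on all catalog tables. There is no single "catalog" object to grant on,
--    so generate one GRANT per catalog base table (TYPE 'T' excludes auxiliary
--    LOB tables). Run this SELECT, then execute the statements it returns,
--    for example in SPUFI or DSNTEP2.
SELECT 'GRANT SELECT ON TABLE SYSIBM.' || STRIP(NAME) || ' TO DBAUSER;'
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'SYSIBM'
   AND DBNAME  = 'DSNDB06'
   AND TYPE    = 'T'
 ORDER BY NAME;

-- Verification. SYSCTRLAUTH is 'Y' (held) or 'G' (held with GRANT option);
-- blank means the authority is not held.
SELECT GRANTEE, SYSADMAUTH, SYSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE = 'DBAUSER';

-- Package privilege on the DB2 Connect collection (NAME is '*' for the wildcard grant).
SELECT GRANTEE, COLLID, NAME, EXECUTEAUTH
  FROM SYSIBM.SYSPACKAUTH
 WHERE GRANTEE = 'DBAUSER'
   AND COLLID  = 'NULLID';

-- Catalog tables that still lack a SELECT grant; an empty result means step 3
-- is complete.
SELECT T.NAME
  FROM SYSIBM.SYSTABLES T
 WHERE T.CREATOR = 'SYSIBM'
   AND T.DBNAME  = 'DSNDB06'
   AND T.TYPE    = 'T'
   AND NOT EXISTS (SELECT 1
                     FROM SYSIBM.SYSTABAUTH A
                    WHERE A.GRANTEE    = 'DBAUSER'
                      AND A.TCREATOR   = 'SYSIBM'
                      AND A.TTNAME     = T.NAME
                      AND A.SELECTAUTH <> ' ')
 ORDER BY T.NAME;
```

The final query is the useful check after a db2radm run as well: if it returns rows, the DBA action user will be able to connect but some catalog-reading DBA actions will fail with an authorization error on the listed tables.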
