Security Considerations for Stored Procedures

Up to release 6.20, JCL jobs were executed by logging on to the z/OS system via FTP as the SAP user that scheduled the DBA action. For this reason, you needed a TSO user with the same name as the SAP user and had to maintain your password in the JES Interface (transaction DB2J, button Password).

Stored procedures are executed by different users, depending on your application server setup:

1. For an SAP central services instance on z/OS, it is the user who started the SAP system. Normally this is the <sapsid>adm user.

2. For application servers connecting via DB2 Connect, it is the user connecting to DB2. Normally, this is the DB2 Connect user. For more information, see Setting Up DB2 Connect User ID and Password.

To ensure that the stored procedures execute successfully, the executing user needs an OMVS segment.

Security Implications

Regarding point 1:

This poses no security threat, because the <sapsid>adm user already has an OMVS segment.

The main advantage is that you no longer need to maintain your TSO password in JES Interface (transaction DB2J, button Password).

Regarding point 2:

The DB2 Connect user should have a password that does not expire (see Setting Up DB2 Connect User ID and Password). Some companies' security policies may prohibit giving this user an OMVS segment. Therefore, the security model can be selected and maintained in the JES Interface (transaction DB2J, button Profile Parameters):

·  If you choose DB2 Connect User, the DB2 Connect user needs an OMVS segment. This is the most convenient solution, because you no longer need to maintain your TSO password in the JES Interface (transaction DB2J, button Password). It is standard to secure SAP by placing database and application servers behind a firewall. If you adhere to this standard, the impact on security is limited.

·  If you choose Administrator, the old behavior is emulated by performing a multiconnect to DB2 under the administrator's authority. Each administrator must have an SAP user with the same name as his TSO ID and must maintain his own password. DBA actions are executed under the TSO user of the administrator who scheduled them.

·  If you choose User, you have to specify in the related input field a user that has an OMVS segment and DB2 SYSCTRL authority. All DBA actions are executed under this user by performing a multiconnect to DB2 under this user's authority. The advantage is that only this user's password has to be maintained, and not every SAP administrator needs an identically named TSO user to execute DBA actions.

Regarding the security models DB2 Connect User and User:

Security models 1 (DB2 Connect User) and 3 (User) are protected from uncontrolled JCL job execution by the SAP security system: to execute the relevant administrative transactions, you need the operator profile S_A.ADMIN or S_DB_DBADM. Security model 3 is the recommended option, because SAP Support can then help you while logged on to your system without needing an identically named TSO user, which is often not possible due to company policies.
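Security model 3 rests on a single designated user holding DB2 SYSCTRL authority (plus an OMVS segment), so that user's privileges deserve a periodic review. The following DB2 for z/OS catalog queries are an added example written for this page, not taken from the SAP Library or from SAP tooling; the authorization ID DBAUSER is a placeholder for the user entered under User in the DB2J Profile Parameters.

```sql
-- Added example (not from the SAP Library page). DBAUSER is a placeholder
-- for the authorization ID chosen for security model 3 ("User").

-- 1. Check whether the designated user already holds SYSCTRL.
--    SYSCTRLAUTH = 'Y' (or 'G', with grant option) means the prerequisite
--    is met; no row or a blank value means it is missing.
SELECT GRANTEE, GRANTOR, SYSCTRLAUTH, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE = 'DBAUSER';

-- 2. Grant SYSCTRL only if step 1 shows it is missing
--    (must be issued by an ID with SYSADM authority).
GRANT SYSCTRL TO DBAUSER;

-- 3. Review every ID that holds SYSCTRL or SYSADM, so the set of IDs able
--    to run DBA actions on behalf of SAP stays as small as intended.
SELECT GRANTEE, SYSCTRLAUTH, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSCTRLAUTH <> ' ' OR SYSADMAUTH <> ' '
 ORDER BY GRANTEE;
```

The OMVS segment requirement is checked on the RACF side rather than in DB2: the TSO command LISTUSER DBAUSER OMVS NORACF displays the user's OMVS segment (UID, home directory, program) or reports that none is defined.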
