IBM Data & AI


Limiting functions allowed on particular DDF alias

Company security policy requires that some functions be segregated by network firewalls / zones to ensure only required devices can access them. For example, if I could create a new DDF listener (MODIFY DDF ALIAS(DB2SSEC) SECPORT(14802)), network firewalls could then restrict this port to only required devices. To complete the segregation, we then need a way to limit this port / DDF alias to just the stored procedures / users we want to permit.

  • Stephen McLennan
  • Jun 24 2019
  • Not Under Consideration
Why is it useful?
Who would benefit from this IDEA? Sites that have a similar security policy that doesn't fit enterprise z/OS hosting of numerous connections and diverse apps. The ability to tighten some components to suit policy is beneficial.
How should it work?

1) This could be achieved in an application-managed way by exposing a new DB2 built-in function or global variable (or similar) that allows the application stored procedure to determine what DDF port or DDF alias is being used. If it is not the known network-secured / tightened port 14802 or alias DB2SSEC, then the code would exit with an error.

Alternatively, it could be some new security concept in DB2 that would allow only some permitted functions for a DDF alias, e.g.

Permit user xx execute on proc yy DDF DB2SSEC

Permit no access on proc yy DDF not DB2SSEC

2) The measure of success is the ability to restrict the new port to just the functions we want it to be able

3) The current workaround is to scope the large application offload from z/OS to a dedicated server.

Idea Priority: Urgent
Priority Justification: Ranked urgent as we have no workaround and business considers this a risk that needs urgent address
Customer Name: Macquarie Group Limited
  • Jim Pickel commented
    1 Jul, 2019 08:00pm

    Have you looked at using a Db2 TRUSTED CONTEXT to limit functions by a client by associating a Db2 ROLE to the Db2 process? In your example, you would permit ROLE rr on PROC yy and then associate user xx to the ROLE rr only from specific IP addresses or domains.

    Jim Pickel
    Senior Technical Staff Member
    Db2 for z/OS Development
    Security and Connectivity
    Silicon Valley Laboratory

    mobile: 408-497-6320
    email: pickel@us.ibm.com
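One way to build the TRUSTED CONTEXT / ROLE restriction that this comment describes on Db2 for z/OS, as an added example that is not part of the idea or the comment; the role, context, authid, procedure name and client addresses are assumed placeholders:

```sql
-- Added example (not from the idea or the comment above).
-- Placeholders: SPROLE, SECCTX, APPUSER, SCHEMA1.PROC_YY, 192.0.2.10,
-- appserver.example.com. Replace them with site-specific values.

-- 1. A role that carries only the privileges the restricted path may expose.
CREATE ROLE SPROLE;

-- 2. Grant EXECUTE to the role rather than to the user, so the privilege is
--    available only when the connection comes in through the trusted context.
GRANT EXECUTE ON PROCEDURE SCHEMA1.PROC_YY TO ROLE SPROLE;

-- 3. If APPUSER previously held a direct grant, remove it; otherwise the
--    procedure stays callable from any address, bypassing the context.
REVOKE EXECUTE ON PROCEDURE SCHEMA1.PROC_YY FROM APPUSER;

-- 4. The trusted context: APPUSER acquires SPROLE only when the connection
--    originates from the listed addresses and is SSL-protected
--    (ENCRYPTION 'HIGH'), matching a SECPORT-style secure listener.
CREATE TRUSTED CONTEXT SECCTX
  BASED UPON CONNECTION USING SYSTEM AUTHID APPUSER
  ATTRIBUTES (ADDRESS '192.0.2.10',
              ADDRESS 'appserver.example.com',
              ENCRYPTION 'HIGH')
  DEFAULT ROLE SPROLE
  ENABLE;
```

A connection by APPUSER from any other address still succeeds as an ordinary (untrusted) connection, but without SPROLE it has no EXECUTE privilege on the procedure, which is the per-source restriction the idea asks for.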
