Company security policy require some functions be segregated by network firewalls / zones to ensure only required devices can access them. For example if I could create a new DDF listener modify DDF ALIAS(DB2SSEC) SECPORT(14802) network firewalls could then restrict this port to only required devices. to complete the segregation then we need a way to limit this port / ddf alias to just the stored procedures/ users we want to permit.
|Who would benefit from this IDEA?||Sites that have similar sec policy that doesn't fit enterprise zos hosting numerous connections and diverse apps. Ability to tighten some components to suit policy is beneficial.|
How should it work?
1) this could be achieved in a application managed way by exposing a new DB2 building function or global variable or similar that allows the application stored procedure to determine what DDF port or DDF Alias is being used. If it is not the known network secured / tightened port 14802 or Alias DB2SSEC then the code would exit with an error.
alternatively it could be some new security concept in DB2 that would allow only some permitted functions for a DDF alias. Eg
Permit user xx execute on proc yy DDF DB2SSEC
Permit no access on proc yy DDF not DB2SSEC
2) Measure of success is ability to restrict the new port to just the functions we want it to be able
3) current workaround is to scope large application offload from zos to dedicated server
|Priority Justification||Ranked urgent as we have no workaround and business considers this a risk that needs urgent address|
|Customer Name||Macquarie Group Limited|