Multilevel Security and DB2 Row-Level Security Revealed.
Title:
Multilevel Security and DB2 Row-Level Security Revealed.
Author:
Redbooks, IBM.
Physical Description:
1 online resource (236 pages)
Contents:
Front cover -- Contents -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Comments welcome -- Part 1 Multilevel security -- Chapter 1. MLS overview -- 1.1 What is multilevel security -- 1.2 Why multilevel security -- 1.3 Access Controls -- 1.4 Introduction to Mandatory Access Control -- 1.4.1 Security labels -- 1.4.2 Dominance, equivalence, and disjoint -- 1.4.3 MAC Access -- 1.5 Multilevel security in z/OS with RACF -- 1.5.1 SECLABELs -- 1.5.2 Multilevel security in action -- 1.6 DB2 and multilevel security -- 1.7 Before turning on multilevel security -- 1.8 Multilevel security vocabulary -- 1.9 Common Criteria -- 1.9.1 zSeries 990 Achieves Prestigious EAL5 Assurance Certification -- 1.9.2 eServer zSeries running z/OS -- Chapter 2. Security labels -- 2.1 Security labels and data classification policies -- 2.2 Mandatory access control -- 2.3 Discretionary access control -- 2.4 Security levels and Security categories -- 2.5 Defining security labels -- 2.6 Authorizing users to access security labels -- 2.7 Using security labels -- 2.8 Dominance -- 2.8.1 Comparing security labels -- 2.9 Security label authorization checking -- 2.10 Using system-specific security labels in a sysplex -- Chapter 3. Implementing MLS -- 3.1 Background -- 3.2 Defining SECLABEL names for your situation -- 3.3 Defining resource names to RACF -- 3.4 Defining the attributes of resources -- 3.5 Notes from the MLS book -- 3.5.1 System tasks that we did customize -- 3.5.2 System tasks that we did not customize -- Chapter 4. MLS as applied to TCP/IP communications -- 4.1 z/OS TCP/IP and the SERVAUTH class -- 4.1.1 Stack access control -- 4.1.2 Network access control -- 4.1.3 The notion of port of entry (POE) -- 4.2 The MLS networking environment -- 4.2.1 Some MLS basics (again).

4.3 Setting up MLS for z/OS TCP/IP communications -- 4.3.1 Our test configuration -- 4.3.2 Our test -- 4.4 The big theoretical picture - TCP -- 4.4.1 Sequence of events -- Part 2 DB2 Security -- Chapter 5. DB2 access control overview -- 5.1 Authorization IDs for accessing data within DB2 -- 5.1.1 Processing connections -- 5.1.2 Processing sign-ons -- 5.2 DB2 managed security -- 5.3 DB2 external security -- Chapter 6. DB2 V8 and multilevel security -- 6.1 Multilevel security in DB2 -- 6.2 Row-level security as a subset of multilevel security -- 6.2.1 The need for row-level security -- 6.2.2 DB2 solutions -- 6.2.3 New concepts for DB2 people -- 6.2.4 RACF requirements for basic SECLABEL processing -- 6.2.5 RACF built-in security labels -- 6.2.6 Using security labels -- 6.2.7 Write-down in DB2 -- 6.2.8 DB2 row-level security implementation -- 6.2.9 Accessing data in a table defined with row-level security -- 6.2.10 Summary -- 6.3 Additional considerations about row-level security -- 6.3.1 DB2 utilities and multilevel security -- 6.3.2 Security labels and indexes -- 6.3.3 Restrictions when using multilevel security with row granularity -- 6.3.4 DB2 session variable -- 6.3.5 Using views to restrict access -- 6.4 DB2 multilevel security implementation at the object level -- 6.5 Sample scenario -- 6.5.1 Preparation steps -- 6.5.2 Row-level security applied on SELECT -- 6.5.3 Row-level security applied on INSERT -- 6.5.4 Row-level security applied on UPDATE -- 6.5.5 Row-level security applied on DELETE -- 6.5.6 RACF-controlled write-down -- 6.6 Real-world implementation -- 6.6.1 Introduction -- 6.6.2 Preparation suggestions -- 6.6.3 A suggested procedure -- 6.6.4 Designing the population process -- Chapter 7. RACF access control module -- 7.1 z/OS environment -- 7.1.1 Security labels -- 7.1.2 RACF access control module -- 7.1.3 DB2 -- 7.2 Scenarios.

7.2.1 Scenario 1. SETR MLS not active -- 7.2.2 Scenario 2. SETR MLS active -- 7.2.3 Scenario 3. SETR MLS not active, RACF profile protection used -- 7.2.4 Scenario 4. SETR MLS not active, RACF profile protection with SECLABELs in profiles -- 7.2.5 Scenario 5. SETR MLS active, RACF profile protecting without SECLABELs in profile -- 7.2.6 Scenario 6. SETR MLS and SETR MLACTIVE active, RACF profile protection -- 7.2.7 Scenario 7 -- 7.3 Conclusion -- Part 3 Appendixes -- Appendix A. RACF options that control the use of security labels -- RACF options that control the use of security labels -- COMPATMODE and NOCOMPATMODE -- MLACTIVE and NOMLACTIVE -- MLFSOBJ -- MLIPCOBJ -- MLNAMES and NOMLNAMES -- MLQUIET and NOMLQUIET -- MLS and NOMLS -- MLSTABLE and NOMLSTABLE -- SECLABELAUDIT and NOSECLABELAUDIT -- SECLABELCONTROL and NOSECLABELCONTROL -- SECLBYSYSTEM and NOSECLBYSYSTEM -- Appendix B. APAR PQ94303 -- Related publications -- Other publications -- Referenced Web sites -- How to get IBM Redbooks -- Help from IBM -- Index -- Back cover.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.