DB2 for i updates - ibm.com


Post on 13-May-2018


Page 1


© 2016 IBM Corporation

IBM i Technical Workshop 2016

DB2 for i updates

Jesse R. Gorzinski, MBA

IBM i Emerging Solutions

[email protected]

Page 2

Agenda

• TR3/TR11 updates

• IBM i Services

• DB2 security enhancements

Page 3

TR3/TR11 updates

Page 4

DB2 for i – Enhancements delivered via DB2 PTF Groups, IBM i 7.1 & 7.2

Enhancements delivered by PTF are documented here:
www.ibm.com/developerworks/ibmi/techupdates/db2

Timeline figure (2014–2015): IBM i 7.1 TR7, TR8, TR9, TR10 and TR11; IBM i 7.2 GA, TR1, TR2 and TR3; DB2 PTF Group levels SF99701 (7.1) Level 26, 29, 32, 34 and 38, and SF99702 (7.2) Level 1, 3, 5 and 9.

7.1 - TR8 & TR9 timed Enhancements:
• Generate SQL procedure
• Program & Package statement level statistical catalogs
• Pipelined Functions
• Regular Expressions
• Padding Scalar Functions

7.2 – TR1 timed Enhancements:
• CREATE OR REPLACE support on MASK and PERMISSION
• DB2 Built-in Global Variables for job name
• System Limits Phase 3 - IFS
• And more…

TR2 / TR10 Enhancements:
• CREATE OR REPLACE table
• JSON – DB2 Store Technology Preview
• SQE Performance improvements
• And more…

Enhancements in TR3 / TR11:
• LIMIT and OFFSET
• Guardium V10 and other database security monitoring enhancements
• SQE Performance improvements
• More IBM i Services
• New SQL built-in functions
• Enhancements for SAP on i clients

Page 5

DB2 for i – Application Development

SQL Programming enhancements

• LIMIT and OFFSET

• Remote 3-part name support on ASSOCIATE LOCATOR

• CREATE VARIABLE <name> FOR SYSTEM NAME <srvpgm-name>

• Remove the 8-80 Column restriction for RPG (SQL Precompiler)

• Debugger improvements for LANGUAGE SQL users

Query enhancements

• Views with global variables in the WHERE clause can be insertable

• New Scalar functions

o OVERLAY

o LOCATE_IN_STRING & INSTR

Page 6

LIMIT and OFFSET

• LIMIT and OFFSET support is popular, but non-standard; the DB2 Family recently decided to add the support
• This style of data access is most useful for those cases where you only need a subset (page) of rows
• The offset-clause is only allowed as part of the outer fullselect of a DECLARE CURSOR statement or a prepared select-statement
• Initially, there is no support in STRSQL

Syntax              Alternative Syntax                        Action
LIMIT x             FETCH FIRST x ROWS ONLY                   Return the first x rows
LIMIT x OFFSET y    OFFSET y ROWS FETCH FIRST x ROWS ONLY     Skip the first y rows and return the next x rows
LIMIT y, x          OFFSET y ROWS FETCH FIRST x ROWS ONLY     Skip the first y rows and return the next x rows

Page 7

OFFSET and LIMIT for Stateless Pagination

Connect, SELECT…OFFSET 0 LIMIT 5, Fetch 5 rows, Close, Disconnect
Connect, SELECT…OFFSET 5 LIMIT 5, Fetch 5 rows, Close, Disconnect
Connect, SELECT…OFFSET 10 LIMIT 5, Fetch 5 rows, Close, Disconnect

Result set:

Row Number   Ordering Data   Unique key (Encrypted)
 1           Abcd            1234
 2           Abdc            3214
 3           Acbd            4131
 4           Acdb            2143
 5           Bacd            1243
 6           Bacd            2341
 7           Bcad            4213
 8           Bcda            3142
 9           Bdac            1423
10           Bdca            2431
11           Bdca            3412
12           Cadb            1324
13           Cbad            4321

Page 8

LIMIT and OFFSET

CREATE OR REPLACE PROCEDURE TOYSTORE.FIND_EMPLOYEES(IN P_PAGESIZE BIGINT, IN P_OFFSET BIGINT)
  DYNAMIC RESULT SETS 1
  LANGUAGE SQL
BEGIN
  DECLARE V_PREP_STMT1 VARCHAR(4096);
  DECLARE CEMP_RESULT_SET1 CURSOR WITH RETURN FOR PREP_STMT1;
  SET V_PREP_STMT1 = 'SELECT EMPNO, HIREDATE, LASTNAME FROM TOYSTORE.EMPLOYEE ORDER BY HIREDATE DESC LIMIT ? OFFSET ?';
  PREPARE PREP_STMT1 FROM V_PREP_STMT1;
  OPEN CEMP_RESULT_SET1 USING P_PAGESIZE, P_OFFSET;
END;

CALL TOYSTORE.FIND_EMPLOYEES(10, 0);   -- Page 1
CALL TOYSTORE.FIND_EMPLOYEES(10, 10);  -- Page 2
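The same stateless paging loop in Python against SQLite, as an added example that is not part of the slide deck: the table, its 13 rows and the page size of 5 are constructed to match the pagination figure, and the LIMIT/OFFSET values are bound as parameters exactly as the FIND_EMPLOYEES procedure binds its two markers. The MAX_PAGE_SIZE cap is an assumption of this example.

```python
"""Stateless LIMIT/OFFSET paging: one connection per page, parameters bound, stable ORDER BY."""
import os
import sqlite3
import tempfile

# Constructed sample rows (ordering_data, unique_key), matching the 13-row figure.
# "Bacd" and "Bdca" occur twice: without a tie-breaker in ORDER BY, rows with equal
# sort keys may change places between two separately connected page fetches.
SAMPLE_ROWS = [
    ("Abcd", 1234), ("Abdc", 3214), ("Acbd", 4131), ("Acdb", 2143),
    ("Bacd", 1243), ("Bacd", 2341), ("Bcad", 4213), ("Bcda", 3142),
    ("Bdac", 1423), ("Bdca", 2431), ("Bdca", 3412), ("Cadb", 1324),
    ("Cbad", 4321),
]

MAX_PAGE_SIZE = 100  # server-side cap (assumption): a caller-supplied LIMIT is never unbounded


def create_demo_db(path=None):
    """Create a throwaway SQLite file standing in for TOYSTORE.EMPLOYEE; return its path."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="paging_"), "demo.db")
    con = sqlite3.connect(path)
    with con:
        con.execute(
            "CREATE TABLE IF NOT EXISTS PAGED ("
            "  ORDERING_DATA TEXT NOT NULL,"
            "  UNIQUE_KEY INTEGER PRIMARY KEY)"
        )
        con.execute("DELETE FROM PAGED")
        con.executemany("INSERT INTO PAGED (ORDERING_DATA, UNIQUE_KEY) VALUES (?, ?)", SAMPLE_ROWS)
    con.close()
    return path


def fetch_page(path, page_size, offset):
    """Fetch one page the stateless way: connect, run the query, close, return the rows.

    The unique key is part of ORDER BY so that ties on ORDERING_DATA split across
    page boundaries the same way on every call; LIMIT and OFFSET are bound as
    parameters, never concatenated into the statement text.
    """
    if not 0 < page_size <= MAX_PAGE_SIZE or offset < 0:
        raise ValueError("page_size must be 1..%d and offset >= 0" % MAX_PAGE_SIZE)
    con = sqlite3.connect(path)
    try:
        cur = con.execute(
            "SELECT ORDERING_DATA, UNIQUE_KEY FROM PAGED "
            "ORDER BY ORDERING_DATA, UNIQUE_KEY LIMIT ? OFFSET ?",
            (page_size, offset),
        )
        return cur.fetchall()
    finally:
        con.close()


def paginate(path, page_size):
    """Walk the whole result set; a short (or empty) page marks the end."""
    pages, offset = [], 0
    while True:
        page = fetch_page(path, page_size, offset)
        if page:
            pages.append(page)
        if len(page) < page_size:
            return pages
        offset += page_size


if __name__ == "__main__":
    db = create_demo_db()
    for number, page in enumerate(paginate(db, 5), start=1):
        print("page %d: %s" % (number, page))
```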

Page 9

Flexible Views

• Traditional views are based upon a query that is locked in at create time

• Views with WHERE clause references to DB2 built-in global variables or DB2 global variables are flexible

• With the latest DB2 PTF Group, these views are eligible to be insertable, updateable, and deletable

Figure: a traditional view of Department determines its rows at CREATE VIEW time; a flexible view of Department determines its rows when queried, from the global variable(s).

Page 10

Flexible Views

CREATE OR REPLACE VARIABLE TOYSTORE.CURRENT_DEPARTMENT FOR SYSTEM NAME CUR_DEPT CHAR(3) DEFAULT 'D21';

CREATE OR REPLACE VIEW TOYSTORE.DEPARTMENT_VIEW FOR SYSTEM NAME DEPTV AS
  SELECT DEPTNO, DEPTNAME, MGRNO, ADMRDEPT, LOCATION FROM TOYSTORE.DEPARTMENT
  WHERE TOYSTORE.CURRENT_DEPARTMENT = DEPTNO;

-- Update rows where DEPTNO = 'D21'
UPDATE TOYSTORE.DEPARTMENT_VIEW SET LOCATION = 'Kingston';

-- Insert a new row
INSERT INTO TOYSTORE.DEPARTMENT_VIEW
  VALUES('D33', 'Gardening and landscaping', '000110', 'A00', NULL);

Page 11

DB2 for i – Performance

Availability enhancement
• Improved internal management of SQL packages for SAP clients
  Use the SQL_STMT_COMPRESS_REUSE_MIN QAQQINI control to extend the lifespan of a Process Extended Dynamic *SQLPKG:

  0 (default)   The statement reuse count is not considered when performing package compression
  1-32767       The minimum number of times a statement has to be reused in order for it to remain in the package at compression time

INSERT INTO QUSRSYS.QAQQINI
  VALUES('SQL_STMT_COMPRESS_REUSE_MIN', 5, DEFAULT)

Page 12

• EVIs are improved through an enhanced in-memory oriented access capability, built on DB2 for i's patented EVI (Encoded Vector Index) technology, to facilitate enhanced aggregate query performance.
• EVIs traditionally focus on selection keys with low cardinality
• With this enhancement, EVIs can be used for projection of column values

Example performance benefit: SELECT COUNT(DISTINCT(fld1)) WHERE fld2 < 'value'

EVI Only Access (EOA): with EOA, the SAP BW-EML Benchmark improved by more than 20%

Page 13

DB2 for i Services

Page 14

IBM i Services for SQL users

http://ibm.biz/DB2foriServices

Timeline figure (2015–2016): IBM i 7.2 TR1, TR2, TR3, TR4 and IBM i 7.3 GA.

Services in 2014:
• JOURNAL_INFO
• LIBRARY_LIST_INFO
• REPLY_LIST_INFO
• JOBLOG_INFO()
• SYSTMPSTG (7.2)
• DB2 for i built-in Global Variables (7.2)
• JOB_NAME (7.2)
• SERVER_MODE_JOB_NAME (7.2)
• SYSTOOLS.GROUP_PTF_CURRENCY

Services in 2Q/2015:
• ACTIVE_JOB_INFO()
• SCHEDULED_JOB_INFO
• SERVER_SBS_ROUTING
• SET_SERVER_SBS_ROUTING()
• DRDA_AUTHENTICATION_ENTRY_INFO
• JVM_INFO
• SET_JVM()

Services in 4Q/2015:
• MEMORY_POOL_INFO
• SYSTEM_STATUS_INFO
• LICENSE_INFO
• OBJECT_LOCK_INFO
• RECORD_LOCK_INFO
• OUTPUT_QUEUE_ENTRIES
• MEDIA_LIBRARY_INFO
• NETSTAT_INFO
• NETSTAT_JOB_INFO
• NETSTAT_INTERFACE_INFO
• NETSTAT_ROUTE_INFO
• SYSTOOLS.GROUP_PTF_DETAILS

Services in 2Q/2016:
• OUTPUT_QUEUE_INFO
• ENVIRONMENT_VARIABLE_INFO
• SERVICES_INFO
• Services & SQL dependency management
• Enhanced NETSTAT services
• Enhanced SET_SERVER_SBS_ROUTING()
• Enhanced System Limits
• Enhanced DISPLAY_JOURNAL()
• Enhanced OBJECT_STATISTICS (7.3 only)
• AUTHORITY_COLLECTION (7.3 only)

Page 15

SYSTOOLS.GROUP_PTF_CURRENCY View

Live comparison of PTF Group levels via the IBM PSP feed:

SELECT * FROM SYSTOOLS.GROUP_PTF_CURRENCY
  WHERE PTF_GROUP_RELEASE = 'R720'
  ORDER BY ptf_group_level_available - ptf_group_level_installed DESC;

Columns shown in the result (figure callouts): PTF Group Info; Level installed on this partition; Level available from IBM; Date that IBM last updated this group; Current or behind on service?

Page 16

QSYS2.Display_Journal – User Defined Table Function

Before 7.2 (must specify all 15 parameters, in order):

SELECT journal_code, journal_entry_type, object, object_type, X.*
FROM TABLE ( QSYS2.Display_Journal(
  'PRODDATA', 'QSQJRN',          -- Journal library and name
  '', '',                        -- Receiver library and name
  CAST(null as TIMESTAMP),       -- Starting timestamp
  CAST(null as DECIMAL(21,0)),   -- Starting sequence number
  '',                            -- Journal codes
  '',                            -- Journal entries
  '', '', '', '',                -- Object library, Object name, Object type, Object member
  'SCOTT',                       -- User
  '',                            -- Job
  ''                             -- Program
) ) AS x ORDER BY entry_timestamp DESC;

With 7.2 or 7.3 (leverage default & named parameters):

SELECT journal_code, journal_entry_type, object, object_type, X.*
FROM TABLE ( QSYS2.Display_Journal(
  'PRODDATA', 'QSQJRN',          -- Journal library and name
  "USER" => 'SCOTT'              -- User
) ) AS x ORDER BY entry_timestamp DESC;

Page 17

--

-- Who deleted objects in the TOYSTORE1 library?

--

SELECT "CURRENT_USER", journal_code, journal_entry_type, object, object_type, X.*

FROM TABLE (

QSYS2.Display_Journal(

'QSYS', 'QAUDJRN', -- Journal library and name

OBJECT_LIBRARY => 'TOYSTORE1',

JOURNAL_ENTRY_TYPES => 'DO' -- Deleted object

) ) AS x WHERE OBJECT LIKE '%TOYSTORE1%'

ORDER BY entry_timestamp DESC;

DISPLAY_JOURNAL() – Did any objects get deleted?

Page 18

-- Which rows were deleted from TOYSTORE5/SALES table this week?

select ENTRY_DATA, ENTRY_TIMESTAMP, JOURNAL_ENTRY_TYPE, COUNT_OR_RRN as ROW_DELETED, "CURRENT_USER",
       RTRIM(JOB_NUMBER) CONCAT '/' CONCAT RTRIM(JOB_USER) CONCAT '/' CONCAT RTRIM(JOB_NAME) AS Qualified_Job_Name
  from table (

QSYS2.Display_Journal(

'TOYSTORE', 'QSQJRN', -- Journal library and name

STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS,

JOURNAL_ENTRY_TYPES => 'DL',

OBJECT_LIBRARY => 'TOYSTORE',

OBJECT_NAME => 'SALES',

OBJECT_OBJTYPE => '*FILE',

OBJECT_MEMBER => 'SALES'

) ) as x

order by entry_timestamp desc ;

DISPLAY_JOURNAL() – Who deleted data?

Page 19

-- What data was deleted from PRODDATA/SALES table this week?

select

cast(cast(substring(entry_data,610-610+1,10) as VARCHAR(10) for bit data) as DATE) AS SALES_DATE,

cast(cast(substring(entry_data,622-610+1,15) as VARCHAR(15) for bit data) as varchar(15) ccsid 37) as SALES_PERSON,

cast(cast(substring(entry_data,638-610+1,15) as VARCHAR(15) for bit data) as varchar(15) ccsid 37) as REGION,

cast(cast(substring(entry_data,655-610+1,4) as VARCHAR(4) for bit data) as varchar(4)) as SALES

from table (

QSYS2.Display_Journal(

'TOYSTORE', 'QSQJRN', -- Journal library and name

STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS,

JOURNAL_ENTRY_TYPES => 'DL',

OBJECT_LIBRARY => 'TOYSTORE',

OBJECT_NAME => 'SALES',

OBJECT_OBJTYPE => '*FILE',

OBJECT_MEMBER => 'SALES'

) ) as x

order by entry_timestamp desc;

DISPLAY_JOURNAL() – What data did they delete?
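What the SUBSTRING arithmetic on this slide does, as an added Python example that is not part of the deck: it maps the bytes of a DL (record deleted) row image to the same four columns at the same relative offsets (1, 13, 29 and 46) and converts the character columns from CCSID 37 with Python's cp037 codec, applying the same JOURNAL_ENTRY_TYPES => 'DL' filter as the query on the previous slide. The journal entries are constructed in the code, and treating SALES as a 4-byte big-endian binary integer is an assumption of this example (the slide leaves it as four raw bytes).

```python
"""Recover deleted rows from journal ENTRY_DATA by mapping fixed offsets to columns."""
import datetime
import struct

EBCDIC = "cp037"  # CCSID 37, the code page the slide casts the character columns to

# (1-based offset, length, kind) relative to the start of the row image, taken from the
# slide's SUBSTRING arithmetic: 610-610+1 = 1, 622-610+1 = 13, 638-610+1 = 29, 655-610+1 = 46.
# Bytes not covered by a column (11-12, 28, 44-45) are left untouched.
ROW_LAYOUT = {
    "SALES_DATE":   (1, 10, "date"),    # ISO date as 10 EBCDIC characters
    "SALES_PERSON": (13, 15, "char"),
    "REGION":       (29, 15, "char"),
    "SALES":        (46, 4, "int4"),    # assumption: 4-byte big-endian signed integer
}
ROW_IMAGE_LENGTH = 46 + 4 - 1


def build_row_image(sales_date, sales_person, region, sales):
    """Construct a row image in the layout above (test data, not a real journal record)."""
    image = bytearray(b"\x40" * ROW_IMAGE_LENGTH)  # 0x40 is the EBCDIC space

    def put(start, length, text):
        image[start - 1:start - 1 + length] = text.ljust(length)[:length].encode(EBCDIC)

    put(1, 10, sales_date.isoformat())
    put(13, 15, sales_person)
    put(29, 15, region)
    image[45:49] = struct.pack(">i", sales)
    return bytes(image)


def decode_row_image(entry_data):
    """Map one row image to named columns, converting from EBCDIC and binary."""
    if len(entry_data) < ROW_IMAGE_LENGTH:
        raise ValueError("row image truncated: %d bytes" % len(entry_data))
    row = {}
    for name, (start, length, kind) in ROW_LAYOUT.items():
        chunk = entry_data[start - 1:start - 1 + length]
        if kind == "int4":
            row[name] = struct.unpack(">i", chunk)[0]
        else:
            text = chunk.decode(EBCDIC).rstrip()
            row[name] = datetime.date.fromisoformat(text) if kind == "date" else text
    return row


def deleted_rows(entries):
    """Keep only DL (record deleted) entries and decode each deleted row, retaining who
    deleted it and when (CURRENT_USER and ENTRY_TIMESTAMP of the journal entry)."""
    found = []
    for entry in entries:
        if entry["JOURNAL_ENTRY_TYPE"] != "DL":
            continue
        row = decode_row_image(entry["ENTRY_DATA"])
        row["DELETED_BY"] = entry["CURRENT_USER"]
        row["DELETED_AT"] = entry["ENTRY_TIMESTAMP"]
        found.append(row)
    return found


# Constructed journal entries for the SALES file (not real QSQJRN output): two deletes
# and one update, which the DL filter must skip.
SAMPLE_ENTRIES = [
    {"JOURNAL_ENTRY_TYPE": "DL", "CURRENT_USER": "SCOTT",
     "ENTRY_TIMESTAMP": "2016-05-10-09.15.00.000000",
     "ENTRY_DATA": build_row_image(datetime.date(2016, 5, 2), "MARY", "WEST", 1250)},
    {"JOURNAL_ENTRY_TYPE": "UP", "CURRENT_USER": "APPUSER",
     "ENTRY_TIMESTAMP": "2016-05-10-09.16.00.000000",
     "ENTRY_DATA": build_row_image(datetime.date(2016, 5, 3), "JOHN", "EAST", 900)},
    {"JOURNAL_ENTRY_TYPE": "DL", "CURRENT_USER": "SCOTT",
     "ENTRY_TIMESTAMP": "2016-05-10-09.17.00.000000",
     "ENTRY_DATA": build_row_image(datetime.date(2016, 5, 4), "ANNE", "NORTH", -40)},
]

if __name__ == "__main__":
    for row in deleted_rows(SAMPLE_ENTRIES):
        print(row)
```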

Page 20

QSYS2.SYSTEM_VALUE_INFO – view

• The new view returns the same data as the Retrieve System Values (QWCRSVAL) API
• *ALLOBJ or *AUDIT special authority is required to retrieve the values for QAUDCTL, QAUDENDACN, QAUDFRCLVL, QAUDLVL, QAUDLVL2, and QCRTOBJAUD ('*NOTAVL' or -1 are returned when accessed by an unauthorized user):

-- Examine the system values related to maximums
SELECT * FROM QSYS2.SYSTEM_VALUE_INFO
  WHERE SYSTEM_VALUE_NAME LIKE '%MAX%'
  ORDER BY SYSTEM_VALUE_NAME;

Page 21

The ACTIVE_JOB_INFO table function returns one row for every active job.

The information returned is similar to the detail seen from the Work with Active

Jobs (WRKACTJOB) command and the Open List of Jobs (QGYOLJOB) API.

The ACTIVE_JOB_INFO table function has two uses:

1. To retrieve details for active jobs.

Optional parameters can be used to filter the jobs.

2. To measure elapsed statistics for active jobs.

An optional parameter can be used to reset statistics.

UDTF Parameters:

1. RESET_STATISTICS (YES or NO)

Establish a new baseline for elapsed time measurements

2. SUBSYSTEM_LIST_FILTER

Optional list of up to 25 subsystem names

3. JOB_NAME_FILTER

Optional generic name or special values

4. CURRENT_USER_LIST_FILTER

Optional list of up to 10 user profile names

QSYS2.ACTIVE_JOB_INFO() – UDTF

Additional filtering can be used on the WHERE clause

Page 22

--
-- Find the top CPU consumers in active Host Server jobs
--
SELECT JOB_NAME, AUTHORIZATION_NAME, ELAPSED_CPU_PERCENTAGE,
       ELAPSED_TOTAL_DISK_IO_COUNT, ELAPSED_PAGE_FAULT_COUNT, X.*
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(JOB_NAME_FILTER => 'QZDASOINIT',
                                   SUBSYSTEM_LIST_FILTER => 'QUSRWRK')) X
  ORDER BY ELAPSED_CPU_PERCENTAGE DESC
  LIMIT 10

QSYS2.ACTIVE_JOB_INFO() – UDTF

Page 23

--
-- Find the longest running SQL statements
--
WITH ACTIVE_USER_JOBS (Q_JOB_NAME, CPU_TIME, RUN_PRIORITY) AS (
  SELECT JOB_NAME, CPU_TIME, RUN_PRIORITY
    FROM TABLE(QSYS2.ACTIVE_JOB_INFO('NO', '', '', '')) X
    WHERE JOB_TYPE <> 'SYS'
)
SELECT Q_JOB_NAME, CPU_TIME, RUN_PRIORITY, V_SQL_STATEMENT_TEXT,
       ABS(CURRENT TIMESTAMP - V_SQL_STMT_START_TIMESTAMP) AS SQL_STMT_DURATION, B.*
  FROM ACTIVE_USER_JOBS, TABLE(QSYS2.GET_JOB_INFO(Q_JOB_NAME)) B
  WHERE V_SQL_STMT_STATUS = 'ACTIVE'
  ORDER BY SQL_STMT_DURATION DESC

QSYS2.GET_JOB_INFO() – UDTF

Page 24

-- Find active QSQSRVR jobs and the owning application job
-- order the results by top CPU consumers
WITH tt (authorization_name, job_name, cpu_time, total_disk_io_count) AS (
  select authorization_name, job_name, cpu_time, total_disk_io_count
    from table(qsys2.active_job_info(SUBSYSTEM_LIST_FILTER => 'QSYSWRK',
                                     JOB_NAME_FILTER => 'QSQSRVR')) x
)
select authorization_name, ss.message_text, job_name, cpu_time, total_disk_io_count
  from tt, table(qsys2.joblog_info(job_name)) ss
  where message_id = 'CPF9898' and from_program = 'QSQSRVR'
  ORDER BY CPU_TIME DESC;

ACTIVE_JOB_INFO() & JOBLOG_INFO()

Page 25

Use SQL to understand:

• What Group Profiles exist

• Which User Profiles belong to specific Group Profiles

• The text associated with the profile

Handles both:

Group profile . . . . . . . . . GRPPRF

Supplemental groups . . SUPGRPPRF

-- Examine all groups and the group members
SELECT * from qsys2.group_profile_entries;

QSYS2.GROUP_PROFILE_ENTRIES – view

Page 26

• Built upon the data returned by the Retrieve User Information

(QSYRUSRI) API.

• Users see the data for any *USRPRF to which they have *READ

authority

• Setup details, authorizations, and more… easy access to deep details

-- Which users are having trouble signing on?

SELECT * FROM QSYS2.USER_INFO

WHERE SIGN_ON_ATTEMPTS_NOT_VALID > 3

QSYS2.USER_INFO – view

Page 27

QSYS2.USER_INFO – view

• Authority Collection usage scenarios…

--
-- Which users have authority collection detail?
--
SELECT AUTHORIZATION_NAME, AUTHORITY_COLLECTION_ACTIVE
  FROM QSYS2.USER_INFO
  WHERE AUTHORITY_COLLECTION_REPOSITORY_EXISTS = 'YES';

--
-- Which users have ACTIVE authority collection on-going?
--
SELECT AUTHORIZATION_NAME, AUTHORITY_COLLECTION_REPOSITORY_EXISTS
  FROM QSYS2.USER_INFO
  WHERE AUTHORITY_COLLECTION_ACTIVE = 'YES';

Page 28

USER_INFO & GROUP_PROFILE_ENTRIES – Views

• Leverage multiple services to answer more interesting questions

--
-- Which users have *ALLOBJ authority either directly
-- or via a Group or Supplemental profile?
--
SELECT AUTHORIZATION_NAME, STATUS, NO_PASSWORD_INDICATOR, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
  WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
     OR AUTHORIZATION_NAME IN (
          SELECT USER_PROFILE_NAME
            FROM QSYS2.GROUP_PROFILE_ENTRIES
            WHERE GROUP_PROFILE_NAME IN (
                    SELECT AUTHORIZATION_NAME
                      FROM QSYS2.USER_INFO
                      WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%')
        )
  ORDER BY AUTHORIZATION_NAME
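The same two-catalog check run over constructed rows in SQLite, as an added Python example that is not part of the deck: an attached schema named QSYS2 carries small USER_INFO and GROUP_PROFILE_ENTRIES tables with the column names the slide uses, so the slide's query text runs unchanged, and a second query reports whether each flagged profile holds *ALLOBJ directly or only through a group. The sample profiles and group memberships are invented.

```python
"""Find *ALLOBJ holders, direct or via group, over constructed USER_INFO / GROUP_PROFILE_ENTRIES rows."""
import sqlite3

# The slide's query, verbatim; an attached schema named QSYS2 makes the names resolve in SQLite.
ALLOBJ_QUERY = """
SELECT AUTHORIZATION_NAME, STATUS, NO_PASSWORD_INDICATOR, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
  WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
     OR AUTHORIZATION_NAME IN (
          SELECT USER_PROFILE_NAME
            FROM QSYS2.GROUP_PROFILE_ENTRIES
            WHERE GROUP_PROFILE_NAME IN (
                    SELECT AUTHORIZATION_NAME
                      FROM QSYS2.USER_INFO
                      WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'))
  ORDER BY AUTHORIZATION_NAME
"""

# Explains why a profile is flagged: its own SPECIAL_AUTHORITIES, or membership in a
# group (primary or supplemental, both are rows in GROUP_PROFILE_ENTRIES) that has *ALLOBJ.
EXPLAIN_QUERY = """
SELECT AUTHORIZATION_NAME, 'direct' AS REASON
  FROM QSYS2.USER_INFO
  WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
UNION ALL
SELECT G.USER_PROFILE_NAME, 'via ' || G.GROUP_PROFILE_NAME
  FROM QSYS2.GROUP_PROFILE_ENTRIES G
  JOIN QSYS2.USER_INFO U ON U.AUTHORIZATION_NAME = G.GROUP_PROFILE_NAME
  WHERE U.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
"""

# Constructed profiles (AUTHORIZATION_NAME, STATUS, NO_PASSWORD_INDICATOR, PREVIOUS_SIGNON,
# SPECIAL_AUTHORITIES); PWRDEV and DEVS are group profiles.
SAMPLE_USERS = [
    ("QSECOFR", "*ENABLED", "NO", "2016-05-09-08.00.00", "*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *SPLCTL *AUDIT *IOSYSCFG"),
    ("PWRDEV", "*DISABLED", "YES", None, "*ALLOBJ *JOBCTL"),
    ("DEVS", "*DISABLED", "YES", None, "*NONE"),
    ("ALICE", "*ENABLED", "NO", "2016-05-09-09.30.00", "*JOBCTL"),
    ("BOB", "*ENABLED", "NO", "2016-05-08-17.45.00", "*NONE"),
    ("CAROL", "*ENABLED", "NO", "2016-05-09-10.10.00", "*NONE"),
    ("OLDSVC", "*DISABLED", "NO", "2014-01-15-03.00.00", "*ALLOBJ"),
]
# (GROUP_PROFILE_NAME, USER_PROFILE_NAME): ALICE's primary group is PWRDEV;
# CAROL has DEVS as primary group and PWRDEV as a supplemental group.
SAMPLE_GROUP_ENTRIES = [
    ("PWRDEV", "ALICE"),
    ("DEVS", "BOB"),
    ("DEVS", "CAROL"),
    ("PWRDEV", "CAROL"),
]


def build_catalog():
    """Return an in-memory connection whose QSYS2 schema holds the two sample catalogs."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS QSYS2")
    con.execute(
        "CREATE TABLE QSYS2.USER_INFO (AUTHORIZATION_NAME TEXT PRIMARY KEY, STATUS TEXT,"
        " NO_PASSWORD_INDICATOR TEXT, PREVIOUS_SIGNON TEXT, SPECIAL_AUTHORITIES TEXT)"
    )
    con.execute(
        "CREATE TABLE QSYS2.GROUP_PROFILE_ENTRIES (GROUP_PROFILE_NAME TEXT, USER_PROFILE_NAME TEXT)"
    )
    con.executemany("INSERT INTO QSYS2.USER_INFO VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO QSYS2.GROUP_PROFILE_ENTRIES VALUES (?, ?)", SAMPLE_GROUP_ENTRIES)
    con.commit()
    return con


def find_allobj_users(con):
    """Run the slide's query; returns (name, status, no_password, previous_signon) rows."""
    return con.execute(ALLOBJ_QUERY).fetchall()


def explain_allobj(con):
    """Map each flagged profile to the sorted list of reasons it holds *ALLOBJ."""
    reasons = {}
    for name, reason in con.execute(EXPLAIN_QUERY):
        reasons.setdefault(name, []).append(reason)
    return {name: sorted(why) for name, why in reasons.items()}


if __name__ == "__main__":
    catalog = build_catalog()
    for name, reasons in sorted(explain_allobj(catalog).items()):
        print("%-10s %s" % (name, ", ".join(reasons)))
```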

Page 29

• Query results…excess authority identified using SQL

USER_INFO & GROUP_PROFILE_ENTRIES –Views

Page 30

QSYS2.DRDA_AUTHENTICATION_ENTRY_INFO – View

The DRDA_AUTHENTICATION_ENTRY_INFO view can be used to assess, track and compare DRDA & DDM user access. Prior to this catalog, the Display Server Authentication Entries (DSPSVRAUTE) command had to be used, one user at a time.

-- Review the DRDA Authentication configuration
SELECT * FROM QSYS2.DRDA_AUTHENTICATION_ENTRY_INFO
  ORDER BY AUTHORIZATION_NAME, SERVER_NAME;

Page 31

• Built upon the data returned by the Retrieve User Information

(QSYRUSRI) API.

• Users see the data for any *USRPRF to which they have *READ

authority

• User storage is broken down by SYSBAS and iASPs

-- How much storage has user SCOTTF consumed?

SELECT * FROM QSYS2.USER_STORAGE

WHERE USER_NAME = 'SCOTTF';

QSYS2.USER_STORAGE – view

Page 32

-- Review the top 10 storage consumers
SELECT A.AUTHORIZATION_NAME AS USER_NAME, SUM(A.STORAGE_USED) AS TOTAL_STORAGE_USED, B.MAXIMUM_ALLOWED_STORAGE
  FROM QSYS2.USER_STORAGE A INNER JOIN QSYS2.USER_INFO B ON B.USER_NAME = A.AUTHORIZATION_NAME
  WHERE ACCOUNTING_CODE <> '*SYS'
  GROUP BY A.AUTHORIZATION_NAME, B.TEXT_DESCRIPTION, B.ACCOUNTING_CODE, B.MAXIMUM_ALLOWED_STORAGE
  ORDER BY TOTAL_STORAGE_USED DESC LIMIT 10

QSYS2.USER_STORAGE – view

Page 33

• Observe System-wide Temporary storage consumption

• Read all about it in IBM Knowledge Center:
www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzajq/rzajqviewsystmpstg.htm

-- Which active jobs are the top consumers of temp storage?

SELECT bucket_current_size, bucket_peak_size,

rtrim(job_number) concat '/' concat rtrim(job_user_name) concat '/' concat rtrim(job_name) as q_job_name

FROM QSYS2.SYSTMPSTG

WHERE job_status = '*ACTIVE'

ORDER BY

bucket_current_size desc;

QSYS2.SYSTMPSTG – view

Page 34

Client/server identification, logging and other instrumentation is possible

using SQL. The TCPIP_INFO view returns detailed information for the

current connection.

SELECT * from QSYS2.TCPIP_INFO

Well defined port numbers - http://bit.ly/ibmiPorts

QSYS2.TCPIP_INFO – view

Page 35

QSYS2.ENVIRONMENT_VARIABLE_INFO – View

• The Work with Environment Variable (WRKENVVAR) command lacks OUTFILE support
• The command doesn't return PASE environment variables

--
-- Retrieve the environment variables for the
-- current connection
--
SELECT * FROM QSYS2.ENVIRONMENT_VARIABLE_INFO;

Page 36

• The Work with Environment Variable (WRKENVVAR) command lacks OUTFILE support and doesn't return PASE environment variables
• This service also returns binary versions of the environment variable names and values

--
-- Retrieve the environment variables for the
-- current connection
--
SELECT * FROM QSYS2.ENVIRONMENT_VARIABLE_INFO;

Page 37

• Now you can use SQL to query the job log

• Each row returned is a message from the job log.

• A single parameter indicates the target job

• '*' can be used to indicate use the current job as the target

Find the most recently executed command in a target job:

SELECT MESSAGE_TEXT
  FROM TABLE(QSYS2.JOBLOG_INFO('706721/SCOTTF/QPADEV0006')) A
  WHERE A.MESSAGE_TYPE = 'REQUEST'
  ORDER BY ORDINAL_POSITION DESC
  FETCH FIRST 1 ROW ONLY

QSYS2.JOBLOG_INFO – UDTF

Page 38

• Work with Output Queue (WRKOUTQ) command lacks OUTFILE support

-- Return details about the output queues with the
-- most files
WITH outqs_manyfiles ( libname, queuename ) AS (
  SELECT OUTPUT_QUEUE_LIBRARY_NAME, OUTPUT_QUEUE_NAME
    FROM QSYS2.OUTPUT_QUEUE_INFO
    ORDER BY NUMBER_OF_FILES DESC
    FETCH FIRST 5 ROWS ONLY
)
SELECT libname, queuename, create_timestamp, spooled_file_name, user_name, total_pages, size
  FROM outqs_manyfiles INNER JOIN QSYS2.OUTPUT_QUEUE_ENTRIES
    ON queuename = OUTPUT_QUEUE_NAME AND libname = OUTPUT_QUEUE_LIBRARY_NAME
  ORDER BY TOTAL_PAGES DESC

QSYS2.OUTPUT_QUEUE_INFO – View

Page 39

• The Work with TCP/IP Network Status (NETSTAT) command

lacks OUTFILE support

• Combined information for NETSTAT command options 3 & 6

--
-- Review the 10 connections that are
-- transferring the most data
--
SELECT * FROM QSYS2.NETSTAT_INFO
  ORDER BY BYTES_SENT_REMOTELY + BYTES_RECEIVED_LOCALLY DESC
  FETCH FIRST 10 ROWS ONLY

QSYS2.NETSTAT_INFO – View

Page 40

• Invoke this UDTF to reset statistics (baseline) to capture the elapsed

performance information

-- Establish a baseline for elapsed performance detail
SELECT * FROM TABLE(QSYS2.SYSTEM_STATUS(RESET_STATISTICS => 'YES')) X

--
-- Review the elapsed performance detail
--
SELECT HOST_NAME, ELAPSED_TIME, ELAPSED_CPU_USED,
       ELAPSED_CPU_SHARED, ELAPSED_CPU_UNCAPPED_CAPACITY
  FROM QSYS2.SYSTEM_STATUS_INFO

QSYS2.SYSTEM_STATUS – View and UDTF

Page 41

Works within any language

<?php
// ...
$stmt = db2_prepare($dbc, "call UpdatePersonnel(?,?,?)");
$starttime = date("Y-m-d-H.i.s.u");   // DB2 timestamp format, taken before the call
$result = db2_execute($stmt, array(1, '[email protected]', 150000));
if (!$result) { // failure!
    // Read back only the job log messages logged since the call started
    $result = db2_exec($dbc, "select * from table(qsys2.joblog_info('*')) x where x.message_timestamp > '$starttime'");
    while ($row = db2_fetch_assoc($result)) {
        // save for later diagnostics, send email
        // to admin, etc
    }
}
?>

Page 42

DB2 Security Enhancements

Page 43

DB2 for i – Security Enhancements in IBM i 7.2

New tools in the toolbox…

Catalogs:
QSYS2/SYSCONTROLS
QSYS2/SYSCONTROLSDEP

Journal Entries:
For journal code D - Database file: M1, M2, M3 for create/drop/alter mask; P1, P2, P3 for create/drop/alter permission
For journal code T – Audit trail: AX for Row and Column Access Control; X2 for Query manager profile changes

Operating System Option:
IBM Advanced Data Security for i (5770SS1 - Option 47), No Charge

SQL Statements:
CREATE PERMISSION
ALTER PERMISSION
CREATE MASK
ALTER MASK
ALTER TRIGGER
TRANSFER OWNERSHIP

Built-in Function:
VERIFY_GROUP_FOR_USER()

Function Usage ID:
QIBM_DB_SECADM

Page 44

Technology Options for data security

Risk By Type of User (figure)

1. Application-centric security
   – Application layer provides custom data protection & tracking
2. Data-centric security
   – Separation of duties
   – Database enforced rules
3. Physical security
   – Encryption hardware

Page 45

DB2 for i – Blocking access

DB2 for i Data Security options go well beyond the data model.

The Open Database File (QIBM_QDB_OPEN) exit program is called when a job is opening a database file. Use this interface to deploy blocking and more.

The Query Governor protects against over-consumption of CPU or storage:
http://www-01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_72/apis/xqrygovr.htm

IBM i Function usage IDs provide granular role-based security authorization (allow or deny) based upon users or groups:
https://www.ibm.com/developerworks/community/wikis/home?lang=es#!/wiki/IBM%20i%20Technology%20Updates/page/DB2%20for%20i%20Security%20Enhancements

IBM i has exit programs for connection interfaces and commands. The exit program can block or log or more.

Page 46 – slide 64

Separation of Duty

Page 47 – slide 65

Before 7.2

In order to grant or revoke privileges, a user must have one of the following:

1. Object ownership

2. Object management (*OBJMGT) authority for the specified object

3. All object (*ALLOBJ) user special authority

Problem: If you can grant the SELECT privilege, you are also allowed to query the data

With IBM i 7.2 and 7.3

A user with security administration function usage (QIBM_DB_SECADM) will be able to grant or revoke privileges on any object to anyone, even if they do not have the SELECT privilege.

Note that:

• Audit the SECADM users for *SECURITY actions

• Only someone with *SECADM special authority can grant the security administrator function usage

Separation of duties

Page 48 – slide 66

• MARYSEC – A Security Officer responsible for granting and revoking security, including data security

CRTUSRPRF USRPRF(MARYSEC) PASSWORD(xxxxxxxx) USRCLS(*SECADM) TEXT('Security Officer')

GRTOBJAUT OBJ(<data-libraries>) OBJTYPE(*LIB) USER(MARYSEC) AUT(*USE)

CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(MARYSEC) USAGE(*ALLOWED)

Note… no *ALLOBJ user special authority

Separation of duty – example

Page 49 – slide 67

• Use QIBM_DB_SECADM as an alternative authorization technique

• Other aspects of managing security don’t have this alternative authorization method for security officers

Commands: CHGOBJOWN, CHGOBJPGP, GRTOBJAUT, RVKOBJAUT, EDTOBJAUT, DSPOBJAUT, WRKOBJ, WRKLIB, ADDAUTLE, CHGAUTLE, RMVAUTLE, RTVAUTLE, DSPAUTL, DSPAUTLOBJ, EDTAUTL, WRKAUTL

APIs (also used by Navigator):

qsyrtvua – retrieve users authorized to an object

qsylusra – list users authorized to an object

qsylatlo – list objects secured by an authorization list

qsyrautu – retrieve users authorized to an object

qsylautu – list authorized users

qsyrusri – retrieve user information

quslobj – list objects

qgyolobj – open list of objects

MARYSEC can manage security (and more) with just QIBM_DB_SECADM

Separation of duty – example

Page 50 – slide 70

RCAC Basics

Page 51 – slide 71

What is RCAC?

• Additional layer of data security available with DB2

• Complementary to table-level security

• Subsetting access to only the required data for a task

• Controls access to a table at the row, column, or both

• Two sets of rules

– Permissions for rows

– Masks for columns

• IBM Advanced Data Security for i

– No-charge feature – Option 47

IBM Advanced Data Security for i (BOSS option 47), no charge

Page 52 – slide 72

Row and Column Access Control

CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1) THEN SSN
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1) THEN 'XXX-XX-' CONCAT SUBSTR(SSN,8,4)
      ELSE NULL
    END
  ENABLE;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

CREATE PERMISSION NETHMO.ROW_ACCESS ON HOSPITAL.PATIENT
  FOR ROWS WHERE
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'PATIENT') = 1 AND
     HOSPITAL.PATIENT.USERID = SESSION_USER) OR
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
     HOSPITAL.PATIENT.PCP_ID = SESSION_USER) OR
    (VERIFY_GROUP_FOR_USER(SESSION_USER,'MEMBERSHIP') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCOUNTING') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'DRUG_RESEARCH') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

ALTER TABLE HOSPITAL.PATIENT ACTIVATE ROW ACCESS CONTROL;

Column mask result: Payroll – entire number; Manager – xxxxxx1234; else – NULL

Row permission result: view row if Patient; view row if Accounting; view row if Drug_Research

http://www.redbooks.ibm.com/abstracts/redp5110.html?Open

Page 53 – slide 73

Base table – The table (physical file) containing business-critical data.

Dependent object – Any object (file, schema, function, or other object) the permission or mask references.

Permission – A row permission defines a row access control rule for rows of a table by setting an SQL search condition that describes the set of rows a user can access. 0 to many permissions allowed per table.

Mask – A column mask defines a column access control rule for a specific column in a table by using an SQL CASE expression that describes what column values a user is permitted to see and under what conditions. 0 or 1 masks allowed per column.

RULETEXT – The expression to be used by the permission (WHERE clause predicates) or mask (selection CASE expression).

RCAC Terminology

Page 54 – slide 74

Data access authorization precedence rules

Page 55 – slide 75

CREATE PERMISSION PATIENT_TABLE_HMO_PERMISSION
  ON HOSPITAL.PATIENT_TABLE
  FOR ROWS WHERE
    ((VERIFY_GROUP_FOR_USER(SESSION_USER,'PCP') = 1 AND
      HOSPITAL.PATIENT_TABLE.PCP_ID = SESSION_USER) OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'ACCTGROUP') = 1 OR
     VERIFY_GROUP_FOR_USER(SESSION_USER,'RESGROUP') = 1)
  ENFORCED FOR ALL ACCESS
  ENABLE;

ALTER TABLE HOSPITAL.PATIENT_TABLE ACTIVATE ROW ACCESS CONTROL;

• Logically, the table begins as an empty table, with permissions providing access to specific rows

• 1 to n permissions are UNION’ed together

• No ordering considerations, but might have indexing implications

• Usually based upon identity, but can contain other rules

Row Permissions

Page 56 – slide 76

CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'PAYROLL') = 1) THEN SSN
      WHEN (VERIFY_GROUP_FOR_USER(SESSION_USER,'MGR') = 1) THEN 'XXX-XX-' CONCAT RIGHT(SSN,4)
      ELSE NULL
    END
  ENABLE;

ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

• The CASE expression is evaluated in order until a WHEN condition evaluates to TRUE

• Applied when the column appears in the SELECT list

• Has no impact on selection (WHERE)

• Case logic is usually based upon identity, but can contain other rules

Column Masks
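The following is an added example, not code from the IBM deck: it ties the Row Permissions and Column Masks slides together on one constructed table. The schema HRDEMO, the EMPLOYEE table with its MGR_ID column and sample rows, and the user profile MGRA00 are assumptions; the PAYROLL and MGR group profiles are the ones the deck uses.

```sql
-- Added example (not from the deck). Assumes IBM i 7.2+, option 47 installed,
-- QIBM_DB_SECADM for the CREATE PERMISSION / CREATE MASK / ACTIVATE statements,
-- and group profiles PAYROLL and MGR. Schema, table, rows and MGRA00 are made up.
CREATE SCHEMA HRDEMO;
CREATE TABLE HRDEMO.EMPLOYEE (
  EMPNO    CHAR(6)     NOT NULL PRIMARY KEY,
  LASTNAME VARCHAR(30) NOT NULL,
  MGR_ID   VARCHAR(10) NOT NULL,  -- user profile of the employee's manager
  SSN      CHAR(11)
);

-- Constructed sample rows
INSERT INTO HRDEMO.EMPLOYEE VALUES
  ('000010', 'HAAS',     'MGRA00', '123-45-6789'),
  ('000020', 'THOMPSON', 'MGRB01', '987-65-4321');

-- Row permission: PAYROLL sees every row; a member of MGR sees only rows
-- whose MGR_ID is the session user; everyone else sees an empty table.
CREATE PERMISSION HRDEMO.EMP_ROW_PERM ON HRDEMO.EMPLOYEE
  FOR ROWS WHERE
       VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
    OR (VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
        AND HRDEMO.EMPLOYEE.MGR_ID = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: PAYROLL gets the full SSN, MGR the last four digits, else NULL.
CREATE MASK HRDEMO.SSN_MASK ON HRDEMO.EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1 THEN SSN
      WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'MGR') = 1
        THEN 'XXX-XX-' CONCAT RIGHT(SSN, 4)
      ELSE NULL
    END
  ENABLE;

-- Rules are stored but not enforced until the table is activated.
-- Both controls then apply to every user, *ALLOBJ special authority included.
ALTER TABLE HRDEMO.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE HRDEMO.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- Run as MGRA00 (member of MGR): one row, SSN returned as XXX-XX-6789.
SELECT EMPNO, LASTNAME, SSN FROM HRDEMO.EMPLOYEE;

-- The mask rewrites the SELECT list only; a WHERE predicate on SSN is evaluated
-- on the stored value, so this still matches one row for MGRA00. Row filtering
-- therefore belongs in a permission, not a mask.
SELECT EMPNO, SSN FROM HRDEMO.EMPLOYEE WHERE SSN = '123-45-6789';
```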

Page 57 – slide 77

Column masking example:

CREATE OR REPLACE MASK SSN_MASK ON TOYSTORE2.EMPLOYEE FOR COLUMN SSN
  RETURN
    CASE
      WHEN (QSYS2.JOB_NAME LIKE '%QZDAS%INIT') THEN 'XXX-XX-' CONCAT RIGHT(SSN,4)
      ELSE SSN
    END
  ENABLE;

ALTER TABLE TOYSTORE2.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

SELECT LASTNAME, EMPNO, SSN FROM TOYSTORE2.EMPLOYEE ORDER BY 1;

Protect sensitive data using built-in global variables (the mask above keys on QSYS2.JOB_NAME, so the SSN is masked when the table is read through a QZDAS*INIT host server job)

RCAC and Built-in Global Variables

Page 58 – slide 81

• Function invocations are allowed within RCAC rules and provide the ability to create more complex and modularized RCAC rule text logic

• The security officer must review and approve the function

• Use functions to easily change RULETEXT in production

• Functions must be created or altered to have the SECURED attribute

• If a function is not SECURED, the permission or mask cannot be enabled:

> ALTER PERMISSION employee_perm1 ENABLE

RCAC and Functions

Page 59 – slide 82

ALTER TRIGGER

• Triggers over files with active RCAC must be identified as SECURED

ALTER TRIGGER Employee_Insert_Trigger <SECURED | NOT SECURED>

• Alternative to the CL command for enabling / disabling triggers

ALTER TRIGGER Employee_Insert_Trigger <ENABLE | DISABLE>

• Operations can be run under commitment control and rolled back

ALTER FUNCTION

• Data change operations with functions executed over files with active RCAC must be identified as SECURED

ALTER FUNCTION Return_Name_Function <SECURED | NOT SECURED>

Only the QIBM_DB_SECADM user can mark a trigger or function as SECURED

Alter statement enhancements

Page 60 – slide 83

RCAC – IBM i FAQ

Page 61 – slide 84

How do I determine if RCAC is enabled for a file?

• DSPOBJAUT command (only appears if you have QIBM_DB_SECADM)

• Query new QSYS2/SYSCONTROLS catalog

• System i Navigator

Other considerations
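An added example of the catalog check listed above, not from the deck: it assumes the constructed HRDEMO schema and the QSYS2.SYSCONTROLS column names CONTROL_TYPE, ENABLE, VALID and RULETEXT as documented for IBM i 7.2, which should be confirmed against your release.

```sql
-- Added example (not from the deck): list every RCAC control defined on the
-- tables of one schema so a reviewer can see what is enforced and what the
-- rule text is. HRDEMO is a constructed schema; column names are assumed to
-- match the 7.2 QSYS2.SYSCONTROLS catalog.
SELECT C.TABLE_SCHEMA,
       C.TABLE_NAME,
       CASE C.CONTROL_TYPE
         WHEN 'R' THEN 'ROW PERMISSION'
         WHEN 'C' THEN 'COLUMN MASK'
       END                AS CONTROL_KIND,
       C.CONTROL_NAME,
       C.COLUMN_NAME,     -- NULL for a row permission
       C.ENABLE,          -- 'N' means defined but not enforced
       C.VALID,           -- 'N' means a dependent object has changed
       C.RULETEXT
  FROM QSYS2.SYSCONTROLS C
 WHERE C.TABLE_SCHEMA = 'HRDEMO'
 ORDER BY C.TABLE_NAME, C.CONTROL_TYPE, C.CONTROL_NAME;

-- Controls flagged ENABLE = 'N' or VALID = 'N' deserve immediate attention:
-- the table may be activated for access control yet have no effective rule.
-- QSYS2.SYSCONTROLSDEP lists the objects (functions, other tables) each rule
-- references; a referenced function must be SECURED before the rule enables.
```

Whether the table itself has ROW or COLUMN ACCESS CONTROL activated is a separate property shown by DSPOBJAUT (with QIBM_DB_SECADM), as the slide notes.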

Page 62 – slide 85

• To understand whether RCAC is applied on SQL statements

1. SQL Performance Monitor (Database Monitor)

2. Visual Explain

SQL Performance Monitor analysis via Navigator

• Add the ‘Row and Column Access’ column to your dialog

Database Monitor

• Reference the QFC15 column where QQRID=1000

Queries

Page 63 – slide 86

• "Access Control" is in the "Additional Information about SQL" section. It will be set to Row, Column, Row and Column, or None

• Row permissions are also noted in the attribute section of predicates for those nodes that have a + sign that can be expanded to show the predicates.

• Column masks show up by name only (not the whole mask definition) in the statement text for a node

Visual Explain

Page 64 – slide 87

• Create Duplicate Object (CRTDUPOBJ) & Copy Library (CPYLIB) commands

– Duplicate access control (ACCCTL) – new parameter for RCAC

– ACCCTL defaults to include all RCAC controls

– Command will fail if directed to copy data and to remove enabled RCAC

– When access control is duplicated, must abide by RCAC restrictions

• Copy File (CPYF) & Copy To Import File (CPYTOIMPF) commands

– No duplicate access control parameter

– RCAC is applied prior to copying the file

– No warning or failure is indicated when RCAC is applied on the copy

– Beware, you could end up with fewer rows and/or masked column values

Copying files

Page 65 – slide 88

Themes

• Easier and more powerful application development

• Better performance

• Leverage DB2 for more scenarios

• Secure your data

Page 66 – slide 89

www.ibm.com/developerworks/ibmi/techupdates/db2