IBM Z Software


This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Not under consideration
Workspace IMS Database Manager
Categories General DB
Created by Guest
Created on Feb 26, 2020

RELATED IDEAS

Request to improve the RCAC masking rule behaviour in DB2 UDB

Hi,

We are working with Romeo Lupascu <romeol@ca.ibm.com> from IBM on this, please sync with him asap as we are looking for immediate fix to this limitation as this is impacting many client processes.

Per client:-
A more expected behavior is to have the masked value to be inserted into the session table rather than failing with an error.
If this sql is running by an app, the app code such as java/python can select the data into a file or memory and then insert back into a session table. Doing it inside a stored procedure directly by using ‘insert into select from' to be more efficient should be behave the same.

==

RCAC masking :-

The select works but if we try to do insert in session table from the masked column table then it gives an error.

CREATE MASK SCHEMA.TABNAME_TNL_ID ON SCHEMA.TABNAME T FOR COLUMN TNL_ID RETURN CASE WHEN ( (VERIFY_ROLE_FOR_USER(SESSION_USER, 'SCHEMA_WRITER') = 1 ) OR (VERIFY_ ROLE_FOR_USER(SESSION_USER, 'ROLEAAA_XXXSCHEMA') = 1 )OR (VERIFY_ROLE_FOR_USER (SESSION_USER,'ROLEREADCONFIDENTIAL_XXXSCHEMA') = 1 ) ) THEN TNL_ID WHEN ( ( VERIFY_ROLE_FOR_USER (SESSION_USER,'SCHEMA_READ_ALL_CLIENTS') = 1 ) OR ( ( ( VERIFY_ROLE_FOR_USER (SESSION_USER,'SCHEMA_READ_UNRESTRI CTED_CLIENTS_ONLY') = 1) OR ( VERIFY_ROLE_FOR_USER (SESSION_USER,'ROLEREAD_XXXSCHEMA') = 1 ) ) AND ( COALESCE(TNL_ID,'') NOT IN (8' )) ) ) THEN TNL_ID ELSE ‘MSCLIENT' END enable

When we run the below :
db2 "declare global temporary table session.TABNAME (tnl_id varchar(20)) with replace on commit preserve rows not logged"
db2 "insert into session.TABNAME select tnl_id from SCHEMA.v_TABNAME limit 10"

We get the below error :
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL20478N The statement failed because the column mask "SCHEMA.TABNAME_TNL_ID"
defined for column "SCHEMA.TABNAME.TNL_ID" exists and the column mask cannot be
applied or the column mask conflicts with the failed statement. Reason code
"30" SQLSTATE=428HD

Explanation of the above error :
30

An INSERT or UPDATE operation uses a masked value returned from
the column mask "<mask-name>" for "<column-name>". The
expression specified in the THEN or ELSE clause of the column
mask definition that is used to return the masked value is not
a simple reference to the column "<column-name>". For the
specified INSERT or UPDATE operation, the return expression in
the column mask definition must be a simple reference to the
column for which the mask is defined.

The statement cannot be processed.

User response:

* Remove the reference to the column in the INSERT or UPDATE operation
and retry the operation.
* Contact the Security Administrator to have the return expression in
the column mask definition modified.

sqlcode: -20478


Note : A simple select works fine. If we replace ‘MSCLIENT' with TNL_ID (ie there is no manipulation) then insert also works fine .

Idea priority Urgent
  • Guest
    Reply
    |     Apr 6, 2020

    It appears the RFE was inadvertently opened against the wrong product. Please work with Romeo if new RFE did not get reassigned to the correct product.

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.