Improved Access Controls around IMS data

As we look at the idea of accessing IMS data via SQL through ODBM, we see some rather glaring Security issues that could expose us to, that would be addressed using a similar concept to what DB2 is doing with Roles & Trusted Context and AUTH tables. Access today in IMS is primarily restricted by PSB, which works fine with traditional access methods using DL/I calls through COBOL or PL/1 programs. With the concept of accessing IMS data through ODBM, through a GUI tool similar to what you would think of to be like Data Studio that can provide the ability to perform ad-hoc queries and updates, that model has some limitations.

With a tool like this, we would likely have a single PSB that would have all segments of a database or several databases for a given application, so at that point everyone using the tool would have access to everything in the database. To get more granular you'd have to create PSB after PSB with different segments and have the application be smart enough to know what PSB to use for what user, which would be a maintenance nightmare when you are talking about potentially hundreds of users across many areas.

With DB2 we can restrict individual people to what specific tables they should have access to, we would like the same capability in IMS at a segment level, not having to create a unique PSB for each person. Doing a GRANT is DB2 can be performed in seconds, getting a PSB changed is typically weeks.

Additionally, we would like the concept of a Trusted Context, so that when access it granted we can say that it can only be used through that Context, which is typically going to be the IP Address of the app servers that our tool is running on. That will prohibit those individuals from using the access via other tools that don't have the same controls and audit trails.