Db2 for z/OS and its ecosystem


Enhanced user authorization and authentication in Db2 SQL Data Insights

By Guanjun Cai posted 16 hours ago

  

Guanjun Cai, Information Architect, IBM Db2 for z/OS and AI Optimizer for Z
Jie Ling, SQL DI Developer, IBM Db2 for z/OS

As the system of record where the world's most mission-critical data resides, Db2 for z/OS has always prioritized security in its development and strategy. As it evolves to be an AI-powered data management solution for the cognitive era of the connected world, we continue to simplify user access management while keeping the system and its applications secure. The latest updates in SQL Data Insights (SQL DI), an AI feature in the Db2 engine, epitomize our continuous commitment to system security and data protection.

Simplified user authorization with Db2 secondary authorization IDs

Prior to this update, granting permissions to SQL DI users for object and model management required a Db2 administrator to run a sample JCL job to authorize a user’s primary authorization ID and repeat the job for each individual user. This process was laborious and time-consuming. With this update, the administrator can simply grant the same permissions to a Db2 secondary authorization ID. As a user associated with the secondary authorization ID, you can specify the ID in SQL DI when enabling an object for AI query. This secondary authorization ID then owns the model table and index created by the enablement, and all other users associated with the ID are automatically authorized to manage the object and model. When a user no longer requires the access, the administrator can disassociate the user from the secondary authorization ID. It is that quick and simple.

Strengthened user authentication with RACF PassTickets and token files

As an authorized SQL DI user, you must authenticate yourself whenever you sign in to SQL DI or when you connect from SQL DI to Db2. Before this update, your username and password were stored in an encrypted file. For every SQL DI login or Db2 connection request through the shell CLI, you authenticated yourself by sending the credentials stored in the encrypted file over the network, which increased the risk of compromising them. This update introduces two alternative and more secure authentication methods:

  • The option of using RACF PassTickets for authenticating Db2 connections through the REST API and the shell CLI.
  • The option of using Bearer tokens for authenticating SQL DI connections through the shell CLI.

Both alternative authentication methods eliminate the need for you to store and transmit passwords over the network, reducing the risk of disclosing your credentials.

The latest SQL DI updates represent another step of Db2 towards its goal of making authorization and authentication easier and more secure so that you can focus on harnessing the power of the AI feature and unlocking the full potential of your Db2 data. Visit Running AI queries with SQL Data Insights to learn more about SQL DI.

A special thank-you to Tim Hogan, Content Developer and Team Lead for IBM Db2 AI for z/OS, for his contributions.
