Db2 for z/OS and its ecosystem


New security auditing enhancement in function level 505

By Eric Radzinski posted Wed May 29, 2024 10:41 AM

  

By Gayathiri Chandran and Eric Radzinski

Temporal versioning is a feature of Db2 for z/OS that enables you to record historical information in Db2 catalog tables about activity that occurred in a Db2 subsystem. For example, you can use temporal versioning to record information in statistics-related catalog tables over a period of time, and then retrieve that data for a wide variety of uses, including performance analysis activities, troubleshooting, and predictive modeling.
 
Function level 505 extends temporal versioning support to the 17 Db2 catalog tables that record information about security-related aspects of your system, including authorization controls, management of trusted contexts, roles, audit policies, and row and column access controls. This new temporal support makes it possible for you to collect and record information about authorization changes and security object definition changes, as well as the user who made a security definition change. It allows you to produce point-in-time evidence that a particular user held administrative authority, or that the appropriate authorities were in place for a particular table, during the previous month. You can also produce point-in-time evidence about any changes to audit policies or security objects, such as trusted context definition changes. These capabilities simplify the task of performing security audits and answering questions about any specific security event that occurred.
 
For example, prior to temporal versioning support for security-related catalog tables, a Db2 for z/OS security administrator would typically need to request a Db2 DBA to locate and restore the backup copy or copies that contain the point-in-time evidence needed for auditing purposes. This process can require a significant amount of time and effort for the DBA and can prolong the amount of time it takes to conclude the audit. With temporal versioning support enabled, the security administrator can simply query the catalog to obtain the required information and submit it to the auditor with a minimal amount of effort and without impacting a DBA’s workload.
 
The security-related catalog history tables are protected from unintended modification of the historical information: INSERT, UPDATE, and DELETE operations are disallowed on the history tables. The Db2 security administrator can run the REORG TABLESPACE utility with the DISCARD option to manage the history tables. Enabling temporal versioning on security-related catalog tables is optional and entirely selective. The Db2 security administrator can enable temporal versioning on only the specific security-related catalog table or tables that are relevant to their organization's auditing requirements.
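As an added example (not code from the original post or from IBM), the following SQL shows the workflow the paragraphs above describe: enabling versioning on a single security-related catalog table, then answering the two audit questions mentioned (did a user hold administrative authority at a point in time, and which privileges were in place on a table during the previous month), and reading superseded trusted-context definitions. It assumes that the ALTER TABLE ... ADD VERSIONING form and the SYSIBM.*_H history-table names follow the existing catalog temporal support; the timestamps, authorization IDs, table names and trusted-context name are constructed sample values. Check the exact enablement statement against the documentation linked below before using it.

```sql
-- Added example (not from the original post): enable temporal versioning on
-- one security-related catalog table and query it for audit evidence.
-- ASSUMPTIONS: the ALTER TABLE ... ADD VERSIONING form and the SYSIBM.*_H
-- history-table names mirror the existing catalog temporal support; all
-- timestamps, AUTHIDs, table names and context names below are constructed.

-- 1. Enable versioning selectively: only SYSUSERAUTH here. Each of the 17
--    security-related catalog tables is enabled (or not) independently,
--    so steps 3 and 4 assume SYSTABAUTH and SYSCONTEXT were enabled the
--    same way. Requires Db2 security administrator authority.
ALTER TABLE SYSIBM.SYSUSERAUTH
  ADD VERSIONING USE HISTORY TABLE SYSIBM.SYSUSERAUTH_H;

-- 2. Point-in-time evidence: did AUTHID 'OPSADM1' hold SYSADM on 15 April?
--    FOR SYSTEM_TIME AS OF reads the history table transparently, so the
--    security administrator needs no restored backup from a DBA.
SELECT GRANTEE, GRANTOR, SYSADMAUTH, SYSCTRLAUTH, GRANTEDTS
  FROM SYSIBM.SYSUSERAUTH
       FOR SYSTEM_TIME AS OF TIMESTAMP '2024-04-15-10.00.00'
 WHERE GRANTEE = 'OPSADM1'
   AND SYSADMAUTH IN ('Y', 'G');

-- 3. Every table-privilege row for PAYROLL.EMP that was in effect at any
--    point during the previous month. FROM is inclusive, TO is exclusive,
--    so this window is exactly April 2024.
SELECT GRANTEE, GRANTOR, SELECTAUTH, UPDATEAUTH, DELETEAUTH, GRANTEDTS
  FROM SYSIBM.SYSTABAUTH
       FOR SYSTEM_TIME FROM TIMESTAMP '2024-04-01-00.00.00'
                       TO   TIMESTAMP '2024-05-01-00.00.00'
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
 ORDER BY GRANTEDTS;

-- 4. Trusted-context definition changes: superseded versions of the
--    APPSRV_CTX definition are retained in the history table. The live
--    definition is still read from SYSIBM.SYSCONTEXT.
SELECT NAME, SYSTEMAUTHID, DEFAULTROLE, ENABLED, ALTEREDTS
  FROM SYSIBM.SYSCONTEXT_H
 WHERE NAME = 'APPSRV_CTX'
 ORDER BY ALTEREDTS;

-- History rows cannot be changed with INSERT, UPDATE or DELETE; retention
-- is managed with the REORG TABLESPACE utility and its DISCARD option.
```

The period queries (steps 2 and 3) are the ones worth handing to an auditor: they are plain catalog SELECTs, so they can be granted, logged and repeated like any other read of the catalog, and the history table's read-only behaviour is what makes the result defensible as evidence.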
 
For more information and a complete list of the security-related catalog tables that can be enabled for temporal versioning, see Temporal versioning for Db2 security-related catalog tables.


#Db2forz/OS