DB2UDB_the_Basics Day 3
IBM Software Group
© 2005 IBM Corporation
DB2 UDB Fundamentals
Day 3
Topics
Authentication Authorization Authorities of Roles MQT MDC
DB2 Security Model
The DB2 security model consists of four major components: authentication, authorization, database object privileges, and row- and column-level security.
Authentication
Authentication is the process of validating the supplied userid and password with a security policy.
Configure the authentication type at DB2 server
db2 get dbm cfg | grep -i authentication
db2 update dbm cfg using authentication SERVER
SERVER is the default authentication type of an instance.
db2 update dbm cfg using authentication KERBEROS
Possible values of Authentication Type on server
Authentication Type / Description
SERVER: Authenticates users at the DB2 server.
SERVER_ENCRYPT: Authenticates users at the DB2 server. When the user ID and password are sent to the server, they are both encrypted.
DATA_ENCRYPT: Authenticates users at the DB2 server; the user ID, password, and user data are all encrypted.
CLIENT: Authenticates users at the DB2 client, depending on the settings of two other configuration parameters: TRUST_CLNTAUTH and TRUST_ALLCLNTS.
Configure the authentication type at DB2 Client
When a client is configured to connect to a database, you need to catalog the node and the database.
The catalog database command has an option called AUTHENTICATION that allows you to indicate the authentication type to be used when connecting to the specified database.
db2 catalog db sample at node dbsrv authentication CLIENT
If we want authentication to take place at the client, we set the authentication parameter to CLIENT and then need to consider two other dbm cfg parameters:
TRUST_ALLCLNTS = YES/NO
TRUST_CLNTAUTH = SERVER/CLIENT
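As an added example (not from the original slides), the following DB2 CLP script applies the server-side and client-side settings described above, with the weak CLIENT-authentication variant kept as a commented contrast. The node name dbsrv, host db2host.example.internal, port 50000, database sample and user appuser are assumed for illustration; run each half on the machine it is marked for with db2 -tvf.

```sql
-- Added example, not part of the original slides. DB2 CLP script: db2 -tvf auth_setup.clp
-- Assumed names: node dbsrv, host db2host.example.internal, port 50000, database sample, user appuser.

-- ===== Run on the DB2 server: instance (dbm cfg) settings =====

-- Weak configuration, left commented out and shown only to contrast with the fix:
-- the instance delegates authentication to the client and trusts every client
-- (TRUST_ALLCLNTS YES), so the user ID is accepted exactly as the client asserts it.
-- UPDATE DBM CFG USING AUTHENTICATION CLIENT TRUST_ALLCLNTS YES TRUST_CLNTAUTH CLIENT;

-- Corrected configuration: validate user ID and password at the server and
-- encrypt both in transit (DATA_ENCRYPT would additionally encrypt user data).
UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT;

-- AUTHENTICATION is read when the instance starts, so recycle the instance once
-- no applications are connected (db2stop / db2start from the shell is equivalent).
-- Verify afterwards with: db2 get dbm cfg | grep -i authentication
STOP DATABASE MANAGER;
START DATABASE MANAGER;

-- ===== Run on the DB2 client: node and database directory entries =====

-- The AUTHENTICATION value catalogued on the client must match the server's setting.
CATALOG TCPIP NODE dbsrv REMOTE db2host.example.internal SERVER 50000;
CATALOG DATABASE sample AT NODE dbsrv AUTHENTICATION SERVER_ENCRYPT;

-- USER without a USING clause makes the CLP prompt for the password, so the
-- password is stored neither in this script nor in the shell history.
CONNECT TO sample USER appuser;
CONNECT RESET;
```

Keeping the client-side AUTHENTICATION entry in step with the server is the part most often missed: a client catalogued with CLIENT against a SERVER_ENCRYPT instance simply fails to connect, which is the safe direction, but the reverse mismatch is what the TRUST_ALLCLNTS / TRUST_CLNTAUTH pair exists to police.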
Administrative Authorities
SYSADM
Users in this group have the highest level of authority and full privileges for managing the instance.
They also have access to all data in the underlying databases.
SYSCTRL
These users have certain privileges in managing the instance, its databases, and database objects. They can create new databases, but do not have access to the data. For example, they cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.
SYSMAINT
Similar to SYSCTRL, SYSMAINT users have certain privileges in managing the instance, its databases, and database objects. However, they cannot create new databases and do not have access to the data. For example, these users cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.
SYSMON
These users can turn snapshot monitor switches on, collect snapshot data, and access other database system monitor data.
No other task can be performed unless the required authority or privileges are granted to the same user by other means.
DBADM
Database-level authority that allows users to perform administrative tasks on the specified database. Note that they also have full data access to the database.
LOAD
These users can only run the load utility against the specified database. Before the user can load data into a table, he or she must also have the privilege to INSERT and/or DELETE on the target table.
CONNECT
Grants users access to the database. Without the CONNECT authority, a user cannot connect to the database even though he or she is successfully authenticated by the security facility.
BINDADD
Allows users to create new packages in the database.
CREATETAB
Allows users to create new tables in the database.
CREATE_NOT_FENCED_ROUTINE
Allows users to create non-fenced routines such as user-defined functions and stored procedures. When a non-fenced routine is invoked, it executes in the database manager's process rather than in its own address space.
IMPLICIT_SCHEMA
Allows users to create a schema implicitly via database object creation. For example, if bob wants to create a table jeff.sales and the schema jeff does not already exist, bob needs to hold the IMPLICIT_SCHEMA authority for this database.
CREATE_EXTERNAL_ROUTINE
Allows users to create routines written in external languages such as C, Java, and Perl.
Managing Administrative Authorities
It's time to show how to "give" a user or a group of users an authority. The instance-level authorities are assigned to operating system groups through these dbm cfg parameters:
SYSADM group name (SYSADM_GROUP) =
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
SYSMON group name (SYSMON_GROUP) =
update dbm cfg using sysadm_group admgrp sysmaint_group maintgrp
GRANT and REVOKE statement
>>-GRANT----+-BINDADD-------------------+-+--ON DATABASE-------->
>--TO----+-+-------+--User/Group
>>-REVOKE----+-BINDADD-------------------+-+--ON DATABASE------->
>--FROM----+-+-------+--User/Group
Examples
CONNECT TO sample;
GRANT IMPLICIT_SCHEMA, CREATETAB ON DATABASE TO USER john;
GRANT LOAD ON DATABASE TO GROUP loadgrp, USER john;
GRANT BINDADD ON DATABASE TO PUBLIC;
GRANT SECADM ON DATABASE TO USER peter;
REVOKE LOAD ON DATABASE FROM GROUP loadgrp;
Database Object Privileges (Schema)
There are three schema privileges:
• CREATEIN allows users to create objects within the schema.
• ALTERIN allows users to alter objects within the schema.
• DROPIN allows users to drop objects within the schema.
Examples
>>-GRANT----+-ALTERIN--+-+--ON SCHEMA--schema-name--------->
>--TO----+-+-------+--Group/User
>>-REVOKE----+-ALTERIN--+-+--ON SCHEMA--schema-name--------->
>--FROM----+-+-------+--Group/User
Table Space Privilege
For a table space, USE is the only privilege.
>>-GRANT--USE--OF TABLESPACE--tablespace-name--TO--------->
>----+-+-------+--User/Group
>>-REVOKE--USE--OF TABLESPACE--tablespace-name--FROM------->
>----+-+-------+--User/Group
GRANT USE OF TABLESPACE userspace1 TO USER db2admin;
REVOKE USE OF TABLESPACE userspace1 FROM PUBLIC;
Summary of Table and View Privileges
CONTROL: Provides users with all privileges for a table or view as well as the ability to grant those privileges (except CONTROL) to others.
ALTER: Allows users to alter a table or view.
DELETE: Allows users to delete records from a table or view.
INDEX: Allows users to create an index on a table. This privilege does not apply to views.
INSERT: Allows users to insert an entry into a table or view.
REFERENCES: Allows users to create and drop a foreign key, specifying the table as the parent in a relationship.
SELECT: Allows users to retrieve data from a table or view.
UPDATE: Allows users to update entries in a table or view. This privilege can also limit users to updating specific columns only.
ALL PRIVILEGES: Grants all the above privileges except CONTROL on a table or view.
Examples
GRANT ALL PRIVILEGES ON TABLE employee TO USER db2admin;
GRANT UPDATE (salary, comm) ON TABLE employee TO GROUP db2users;
REVOKE CONTROL ON TABLE employee FROM Groupname;
Index Privileges
Privileges for managing indexes are fairly straightforward: you can only drop an index after it is created. To change an index key, for example, you need to drop the index and recreate it.
The CONTROL privilege allows the grantee to drop the index.
GRANT CONTROL ON INDEX empind TO USER db2admin;
REVOKE CONTROL ON INDEX empind FROM db2admin;
Package Privileges
A package is a database object that contains the data access plan of how static SQL statements will be executed. A package needs to be bound to a database before its associated program can execute it. The following are the privileges you use to manage packages.
• BIND allows users to rebind an existing package.
• EXECUTE allows users to execute a package.
• CONTROL provides users the ability to rebind, drop, or execute a package as well as the ability to grant the above privileges to other users and/or groups.
Examples
GRANT EXECUTE, BIND ON PACKAGE emppack1 TO GROUP db2grp ;
REVOKE BIND ON PACKAGE emppack1 FROM USER db2dev;
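The sections from database authorities through package privileges each show one statement in isolation. As an added example (not from the original slides), this DB2 CLP script puts them together as one least-privilege onboarding of an application: it first removes the database-wide defaults that PUBLIC receives when a database is created, then grants each group or owner only the level it needs. Database sample, table space appspace, schema app, tables app.orders and app.customers, package app.orderpkg, OS groups appusers and apprpt, and user appowner are all assumed names.

```sql
-- Added example, not part of the original slides. DB2 CLP script: db2 -tvf app_privs.clp
-- Assumed names: database sample, table space appspace, schema app, tables app.orders and
-- app.customers, package app.orderpkg, OS groups appusers and apprpt, user appowner.
CONNECT TO sample;

-- 1. Tighten the defaults. A newly created database grants PUBLIC CONNECT, CREATETAB,
--    BINDADD and IMPLICIT_SCHEMA; take back the ones every authenticated user does not need.
REVOKE CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
REVOKE USE OF TABLESPACE userspace1 FROM PUBLIC;

-- 2. Database authorities: grant to groups so that moving a person between groups in the
--    operating system, not another GRANT, changes what they can do.
GRANT CONNECT ON DATABASE TO GROUP appusers, GROUP apprpt;
GRANT CONNECT, CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE TO USER appowner;

-- 3. Table space: only the object owner creates tables, so only the owner needs USE.
GRANT USE OF TABLESPACE appspace TO USER appowner;

-- 4. Schema privileges stay with the owner; the application groups never get CREATEIN,
--    ALTERIN or DROPIN, so they cannot reshape the schema they run against.
GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA app TO USER appowner;

-- 5. Table privileges: the application inserts orders but may update only the status
--    column; reporting is read-only. CONTROL is granted to nobody, so neither group can
--    pass its privileges on to others.
GRANT SELECT, INSERT ON TABLE app.orders TO GROUP appusers;
GRANT UPDATE (status) ON TABLE app.orders TO GROUP appusers;
GRANT SELECT ON TABLE app.orders TO GROUP apprpt;
GRANT SELECT ON TABLE app.customers TO GROUP apprpt;

-- 6. Package: the application only executes the bound package; rebinding (BIND) stays
--    with the owner, because a rebind changes which SQL the package carries.
GRANT EXECUTE ON PACKAGE app.orderpkg TO GROUP appusers;
GRANT BIND ON PACKAGE app.orderpkg TO USER appowner;

CONNECT RESET;
```

Two design choices carry the security weight here: step 1, because everything PUBLIC holds is held by every user who can authenticate, and the absence of any CONTROL grant, because CONTROL lets the grantee hand the table's privileges on without the owner's involvement.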
Case Study
A user with user ID user1 complains that he is not able to insert any rows into a table called MDANG.TABLE1.
DESCRIBE TABLE SYSCAT.TABAUTH
SELECT * FROM SYSCAT.TABAUTH WHERE GRANTEE = 'USER1'
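The single catalog query above only shows grants made directly to USER1. As an added example (not from the original slides), the following DB2 CLP script works the case study through the full set of places an INSERT privilege can come from: CONNECT authority, direct grants, grants to PUBLIC, and grants to the user's operating system groups. The user, table and database names are the ones on the slide; the catalog column names are those of SYSCAT.DBAUTH and SYSCAT.TABAUTH.

```sql
-- Added example, not part of the original slides: diagnosing "USER1 cannot insert into MDANG.TABLE1".
-- Names from the slide: user USER1, table MDANG.TABLE1, database sample.
CONNECT TO sample;

-- Step 1: can USER1 reach the database at all? A missing CONNECT authority produces a
-- connection failure, not an INSERT failure, so this separates the two complaints.
-- DBADMAUTH matters too: DBADM implies every table privilege in the database.
SELECT grantee, granteetype, connectauth, dbadmauth, loadauth
  FROM syscat.dbauth
 WHERE grantee IN ('USER1', 'PUBLIC') OR granteetype = 'G';

-- Step 2: every table-level row that could satisfy the INSERT. Catalog values are
-- 'Y' (held), 'G' (held with grant option) or 'N'. Group membership lives in the
-- operating system, not in the catalog, so all group rows for the table are listed
-- and must be compared with USER1's actual groups by hand.
SELECT grantee, granteetype, insertauth, controlauth, grantor
  FROM syscat.tabauth
 WHERE tabschema = 'MDANG' AND tabname = 'TABLE1'
   AND (grantee IN ('USER1', 'PUBLIC') OR granteetype = 'G')
 ORDER BY granteetype, grantee;

-- Step 3: if no row for USER1, PUBLIC or one of USER1's groups shows INSERTAUTH or
-- CONTROLAUTH as 'Y' or 'G', and DBADMAUTH is 'N', grant only the missing privilege.
-- In a real deployment this would normally go to the user's group rather than the individual.
GRANT INSERT ON TABLE mdang.table1 TO USER user1;

CONNECT RESET;
```

Note that identifiers are stored in the catalog in uppercase, which is why the literals are written 'USER1', 'MDANG' and 'TABLE1' even though the GRANT itself can be typed in lowercase.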
Thank You