DB2UDB_the_Basics Day 3

IBM Software Group © 2005 IBM Corporation DB2 UDB Fundamentals Day3

Transcript of DB2UDB_the_Basics Day 3

Page 1: DB2UDB_the_Basics Day 3

IBM Software Group

© 2005 IBM Corporation

DB2 UDB Fundamentals

Day3

Page 2: DB2UDB_the_Basics Day 3


Topics

• Authentication
• Authorization
• Authorities of Roles
• MQT
• MDC

Page 3: DB2UDB_the_Basics Day 3

DB2 Security Model

The DB2 security model consists of four major components: authentication, authorization, database object privileges, and row and column level security.

Page 4: DB2UDB_the_Basics Day 3

Authentication


Authentication is the process of validating the supplied user ID and password against a security policy.

Page 5: DB2UDB_the_Basics Day 3


Configure the authentication type at DB2 server

db2 get dbm cfg | grep -i authentication

db2 update dbm cfg using authentication SERVER

SERVER is the default authentication type of an instance.

db2 update dbm cfg using authentication KERBEROS

Page 6: DB2UDB_the_Basics Day 3

Possible values of Authentication Type on server

Authentication Type / Description

• SERVER: Authenticates users at the DB2 server.

• SERVER_ENCRYPT: Authenticates users at the DB2 server. When the user ID and password are sent to the server, they are both encrypted.

• DATA_ENCRYPT: Authenticates users at the DB2 server; the user ID, password and user data are all encrypted.

• CLIENT: Authenticates users at the DB2 client, depending on the settings of two other configuration parameters: TRUST_CLNTAUTH and TRUST_ALLCLNTS.

Page 7: DB2UDB_the_Basics Day 3

Configure the authentication type at DB2 Client

Page 8: DB2UDB_the_Basics Day 3

When a client is configured to connect to a database, you need to catalog the node and the database.

The catalog database command has an option called AUTHENTICATION that allows you to indicate the authentication type to be used when connecting to the specified database.

db2 catalog db sample at node dbsrv authentication CLIENT

Page 9: DB2UDB_the_Basics Day 3

If we want authentication to take place at the client, we set the authentication parameter to CLIENT and then have to consider two other dbm cfg parameters:

TRUST_ALLCLNTS = YES/NO
TRUST_CLNTAUTH = SERVER/CLIENT

Page 10: DB2UDB_the_Basics Day 3

Administrative Authorities

Page 11: DB2UDB_the_Basics Day 3

SYSADM

Users in this group hold the highest level of authority and have full privileges for managing the instance.

They also have access to all data in the underlying databases.

Page 12: DB2UDB_the_Basics Day 3

SYSCTRL

These users have certain privileges for managing the instance, its databases, and database objects. They can create new databases, but do not have access to the data. For example, they cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.

Page 13: DB2UDB_the_Basics Day 3

SYSMAINT

Similar to SYSCTRL, SYSMAINT users have certain privileges for managing the instance, its databases, and database objects. However, they cannot create new databases and do not have access to the data. For example, these users cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.

Page 14: DB2UDB_the_Basics Day 3

SYSMON

These users can turn snapshot monitor switches on, collect snapshot data, and access other database system monitor data.

No other task can be performed unless the required authority or privileges are granted to the same user by other means.

Page 15: DB2UDB_the_Basics Day 3

DBADM

Database-level authority that allows users to perform administrative tasks on the specified database. Note that they also have full data access to the database.

Page 16: DB2UDB_the_Basics Day 3

LOAD

These users can only run the load utility against the specified database. Before the user can load data into a table, he or she must also hold the INSERT and/or DELETE privilege on the target table.

Page 17: DB2UDB_the_Basics Day 3

Connect

Grants users access to the database. Without the CONNECT authority, a user cannot connect to the database even though he or she was successfully authenticated by the security facility.

Page 18: DB2UDB_the_Basics Day 3

BINDADD

Allows users to create new packages in the database.

Page 19: DB2UDB_the_Basics Day 3

CREATETAB

Allows users to create new tables in the database.

Page 20: DB2UDB_the_Basics Day 3

CREATE_NOT_FENCED_ROUTINE

Allows users to create nonfenced routines such as user-defined functions and stored procedures. When a nonfenced routine is invoked, it executes in the database manager's process rather than in its own address space.

Page 21: DB2UDB_the_Basics Day 3

IMPLICIT_SCHEMA

Allows users to create a schema implicitly via database object creation. For example, if bob wants to create a table jeff.sales and the schema jeff does not already exist, bob needs to hold the IMPLICIT_SCHEMA authority for this database.

Page 22: DB2UDB_the_Basics Day 3

CREATE_EXTERNAL_ROUTINE

Allows users to create routines written in external languages such as C, Java, and Perl.

Page 23: DB2UDB_the_Basics Day 3

Managing Administrative Authorities

It's time to show you how to "give" a user or a group of users an authority.

SYSADM group name (SYSADM_GROUP) =
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
SYSMON group name (SYSMON_GROUP) =

update dbm cfg using sysadm_group admgrp sysmaint_group maintgrp

Page 24: DB2UDB_the_Basics Day 3

GRANT and REVOKE statement

>>-GRANT----+-BINDADD-------------------+--ON DATABASE-------->
>--TO----+-+-------+--User/Group

>>-REVOKE---+-BINDADD-------------------+--ON DATABASE------->
>--FROM--+-+-------+--User/Group

Page 25: DB2UDB_the_Basics Day 3

Examples

CONNECT TO sample;
GRANT IMPLICIT_SCHEMA, CREATETAB ON DATABASE TO USER john;
GRANT LOAD ON DATABASE TO GROUP loadgrp, USER john;
GRANT BINDADD ON DATABASE TO PUBLIC;
GRANT SECADM ON DATABASE TO USER peter;
REVOKE LOAD ON DATABASE FROM GROUP loadgrp;
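Before issuing grants like the ones above, an administrator should know who already holds each database authority. The following is an added example, not part of the IBM deck; it assumes the SYSCAT.DBAUTH catalog view with its DB2 UDB V8 column names, and bindgrp is a placeholder group name.

```sql
-- Added example, not part of the IBM deck: audit database-level
-- authorities before handing out more. Assumes the SYSCAT.DBAUTH
-- catalog view with its DB2 UDB V8 column names; bindgrp is a
-- placeholder group name.
CONNECT TO sample;

-- 1. Who holds the powerful authorities? DBADM implies full data
--    access, SECADM administers security, LOAD can bulk-load data,
--    and the two routine authorities allow code to run inside the
--    database manager process or in external languages.
SELECT grantee, granteetype,
       dbadmauth, securityadmauth, loadauth,
       nofenceauth, externalroutineauth
  FROM syscat.dbauth
 WHERE 'Y' IN (dbadmauth, securityadmauth, loadauth,
               nofenceauth, externalroutineauth)
 ORDER BY grantee;

-- 2. Anything held by PUBLIC applies to every authenticated user.
--    A newly created database gives PUBLIC CONNECT, CREATETAB,
--    BINDADD and IMPLICIT_SCHEMA by default, so check them.
SELECT connectauth, createtabauth, bindaddauth, implschemaauth
  FROM syscat.dbauth
 WHERE grantee = 'PUBLIC';

-- 3. Tighten: take the blanket BINDADD away from PUBLIC and give it
--    only to the group that actually binds packages.
REVOKE BINDADD ON DATABASE FROM PUBLIC;
GRANT BINDADD ON DATABASE TO GROUP bindgrp;

-- 4. Verify the change before closing the ticket.
SELECT grantee, granteetype
  FROM syscat.dbauth
 WHERE bindaddauth = 'Y';
```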

Page 26: DB2UDB_the_Basics Day 3

Database Object Privileges (Schema)

There are three schema privileges:

• CREATEIN allows users to create objects within the schema.

• ALTERIN allows users to alter objects within the schema.

• DROPIN allows users to drop objects within the schema.

Page 27: DB2UDB_the_Basics Day 3

Examples

>>-GRANT----+-ALTERIN--+-+--ON SCHEMA--schema-name--------->
>--TO----+-+-------+--Group/User

>>-REVOKE---+-ALTERIN--+-+--ON SCHEMA--schema-name--------->
>--FROM--+-+-------+--Group/User

Page 28: DB2UDB_the_Basics Day 3

Table Space Privilege

USE is the only table space privilege.

>>-GRANT--USE--OF TABLESPACE--tablespace-name--TO--------->
>----+-+-------+--User/Group

>>-REVOKE--USE--OF TABLESPACE--tablespace-name--FROM------>
>----+-+-------+--User/Group

GRANT USE OF TABLESPACE userspace1 TO USER db2admin;
REVOKE USE OF TABLESPACE userspace1 FROM PUBLIC;

Page 29: DB2UDB_the_Basics Day 3

Summary of Table and View Privileges

• CONTROL: Provides users with all privileges for a table or view as well as the ability to grant those privileges (except CONTROL) to others.

• ALTER: Allows users to alter a table or view.

• DELETE: Allows users to delete records from a table or view.

• INDEX: Allows users to create an index on a table. This privilege does not apply to views.

• INSERT: Allows users to insert an entry into a table or view.

Page 30: DB2UDB_the_Basics Day 3

• REFERENCES: Allows users to create and drop a foreign key, specifying the table as the parent in a relationship.

• SELECT: Allows users to retrieve data from a table or view.

• UPDATE: Allows users to update entries in a table or view. This privilege can also limit users to updating specific columns only.

• ALL PRIVILEGES: Grants all the above privileges except CONTROL on a table or view.

Page 31: DB2UDB_the_Basics Day 3

Examples

GRANT ALL PRIVILEGES ON TABLE employee TO USER db2admin;

GRANT UPDATE ON TABLE employee (salary, comm) TO GROUP db2users;

REVOKE CONTROL ON TABLE employee FROM Groupname;

Page 32: DB2UDB_the_Basics Day 3

Index Privileges

Privileges for managing indexes are fairly straightforward: you can only drop an index after it is created. To change an index key, for example, you need to drop the index and recreate it.

The CONTROL privilege allows the grantee to drop the index.

GRANT CONTROL ON INDEX empind TO USER db2admin;
REVOKE CONTROL ON INDEX empind FROM db2admin;

Page 33: DB2UDB_the_Basics Day 3

Package Privileges

A package is a database object that contains the data access plan describing how static SQL statements will be executed. A package needs to be bound to a database before its associated program can execute it. The following are the privileges you use to manage packages.

• BIND allows users to rebind an existing package.

• EXECUTE allows users to execute a package.

• CONTROL provides users the ability to rebind, drop, or execute a package as well as the ability to grant the above privileges to other users and/or groups.

Page 34: DB2UDB_the_Basics Day 3

Examples

GRANT EXECUTE, BIND ON PACKAGE emppack1 TO GROUP db2grp;

REVOKE BIND ON PACKAGE emppack1 FROM USER db2dev;

Page 35: DB2UDB_the_Basics Day 3

Case Study

A user with user ID user1 complains that he is not able to insert any rows into a table called MDANG.TABLE1.

DESCRIBE TABLE SYSCAT.TABAUTH

Page 36: DB2UDB_the_Basics Day 3

Page 37: DB2UDB_the_Basics Day 3

SELECT * FROM SYSCAT.TABAUTH WHERE GRANTEE = 'USER1'
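The same case study worked through with targeted catalog queries, as an added example that is not part of the IBM deck. It assumes the SYSCAT.DBAUTH and SYSCAT.TABAUTH views with their DB2 UDB V8 column names; STAFF is a placeholder for user1's operating-system group, which DB2 does not record in the catalog.

```sql
-- Added example, not part of the IBM deck: work the user1 /
-- MDANG.TABLE1 case study with targeted catalog queries rather than
-- SELECT *. Assumes the SYSCAT.DBAUTH and SYSCAT.TABAUTH views with
-- their DB2 UDB V8 column names. STAFF is a placeholder for user1's
-- operating-system group: DB2 checks group membership in the OS and
-- does not record it in the catalog, so the group name must be
-- looked up there first.
CONNECT TO sample;

-- 1. Rule out the database level: can user1 (or PUBLIC, or the
--    group) connect at all, and is any of them DBADM? A DBADM
--    already has full data access and needs no table privilege.
SELECT grantee, granteetype, connectauth, dbadmauth
  FROM syscat.dbauth
 WHERE grantee IN ('USER1', 'PUBLIC', 'STAFF');

-- 2. Effective table privileges are the union of the rows for the
--    user, each of the user's groups, and PUBLIC. INSERTAUTH is
--    'Y' (held), 'G' (held with grant option) or 'N'; CONTROLAUTH
--    ('Y'/'N') implies every other privilege on the table.
SELECT grantee, granteetype, controlauth, insertauth
  FROM syscat.tabauth
 WHERE tabschema = 'MDANG'
   AND tabname   = 'TABLE1'
   AND grantee IN ('USER1', 'PUBLIC', 'STAFF')
   AND (controlauth = 'Y' OR insertauth IN ('Y', 'G'));

-- 3. No rows back from step 2 means the complaint is a missing
--    privilege. Grant only what the user asked for, to the user
--    (or to the group if the whole team loads this table).
GRANT INSERT ON TABLE mdang.table1 TO USER user1;

-- 4. Confirm the new row, then have user1 retry the INSERT.
SELECT grantee, insertauth
  FROM syscat.tabauth
 WHERE tabschema = 'MDANG'
   AND tabname   = 'TABLE1'
   AND grantee   = 'USER1';
```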

Page 38: DB2UDB_the_Basics Day 3

Page 39: DB2UDB_the_Basics Day 3

Thank You
