db2udb_the_basics day 3
TRANSCRIPT
![Page 1: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/1.jpg)
IBM Software Group
© 2005 IBM Corporation
DB2 UDB Fundamentals
Day 3
![Page 2: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/2.jpg)
Topics
• Authentication
• Authorization
• Authorities of Roles
• MQT
• MDC
![Page 3: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/3.jpg)
DB2 Security Model
The DB2 security model consists of four major components: authentication, authorization, database object privileges, and row- and column-level security.
![Page 4: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/4.jpg)
Authentication
Authentication is the process of validating the supplied user ID and password against a security policy.
![Page 5: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/5.jpg)
Configure the authentication type at DB2 server
db2 get dbm cfg | grep -i authentication
db2 update dbm cfg using authentication SERVER
SERVER is the default authentication type of an instance.
db2 update dbm cfg using authentication KERBEROS
![Page 6: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/6.jpg)
Possible values of Authentication Type on server
| Authentication Type | Description |
| --- | --- |
| SERVER | Authenticates users at the DB2 server. |
| SERVER_ENCRYPT | Authenticates users at the DB2 server. When the user ID and password are sent to the server, they are both encrypted. |
| DATA_ENCRYPT | Authenticates users at the DB2 server; user ID, password and user data are all encrypted. |
| CLIENT | Authenticates users at the DB2 client, depending on the settings of two other configuration parameters: TRUST_CLNTAUTH and TRUST_ALLCLNTS. |
![Page 7: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/7.jpg)
Configure the authentication type at DB2 Client
![Page 8: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/8.jpg)
When a client is configured to connect to a database, you need to catalog the node and the database.
The catalog database command has an option called AUTHENTICATION that allows you to indicate the authentication type to be used when connecting to the specified database.
db2 catalog db sample at node dbsrv authentication CLIENT
![Page 9: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/9.jpg)
If we want authentication to take place at the client, we set the authentication parameter to CLIENT and then also have to consider two other dbm cfg parameters:
TRUST_ALLCLNTS = YES/NO
TRUST_CLNTAUTH = SERVER/CLIENT
![Page 10: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/10.jpg)
Administrative Authorities
![Page 11: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/11.jpg)
SYSADM
Users in this group have the highest level of authority and full privileges for managing the instance.
They also have access to all data in the underlying databases.
![Page 12: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/12.jpg)
SYSCTRL
These users have certain privileges in managing the instance, its databases, and database objects. They can create new databases, but do not have access to the data. For example, they cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.
![Page 13: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/13.jpg)
SYSMAINT
Similar to SYSCTRL, SYSMAINT users have certain privileges in managing the instance, its databases, and database objects. However, they cannot create new databases and do not have access to the data. For example, these users cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.
![Page 14: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/14.jpg)
SYSMON
These users can turn snapshot monitor switches on, collect snapshot data, and access other database system monitor data.
No other task can be performed unless the required authority or privileges are granted to the same user by other means.
![Page 15: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/15.jpg)
DBADM
Database-level authority that allows users to perform administrative tasks on the specified database. Note that they also have full data access to the database.
![Page 16: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/16.jpg)
LOAD
These users can only run the load utility against the specified database. Before the user can load data into a table, he or she must also have the privilege to INSERT and/or DELETE on the target table.
![Page 17: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/17.jpg)
Connect
Grants users access to the database. Without the CONNECT authority, a user cannot connect to the database even though he or she is successfully authenticated by the security facility.
![Page 18: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/18.jpg)
BINDADD
Allows users to create new packages in the database.
![Page 19: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/19.jpg)
CREATETAB
Allows users to create new tables in the database.
![Page 20: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/20.jpg)
CREATE_NOT_FENCED_ROUTINE
Allows users to create nonfenced routines such as user-defined functions and stored procedures. When a nonfenced routine is invoked, it executes in the database manager’s process rather than in its own address space.
![Page 21: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/21.jpg)
IMPLICIT_SCHEMA
Allows users to create a schema implicitly via database object creation. For example, if bob wants to create a table jeff.sales and the schema jeff does not already exist, bob needs to hold the IMPLICIT_SCHEMA authority for this database.
![Page 22: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/22.jpg)
CREATE_EXTERNAL_ROUTINE
Allows users to create routines written in external languages such as C, Java, and Perl.
![Page 23: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/23.jpg)
Managing Administrative Authorities
It’s time to show you how to “give” a user or a group of users an authority. The instance-level authorities are assigned by group name in the dbm cfg:
SYSADM group name    (SYSADM_GROUP) =
SYSCTRL group name   (SYSCTRL_GROUP) =
SYSMAINT group name  (SYSMAINT_GROUP) =
SYSMON group name    (SYSMON_GROUP) =
db2 update dbm cfg using sysadm_group admgrp sysmaint_group maintgrp
![Page 24: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/24.jpg)
GRANT and REVOKE statement
>>-GRANT----+-BINDADD-------------------+--ON DATABASE--------->
>--TO----+-+-------+--User/Group
>>-REVOKE---+-BINDADD-------------------+--ON DATABASE--------->
>--FROM----+-+-------+--User/Group
![Page 25: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/25.jpg)
Examples
CONNECT TO sample;
GRANT IMPLICIT_SCHEMA, CREATETAB ON DATABASE TO USER john;
GRANT LOAD ON DATABASE TO GROUP loadgrp, USER john;
GRANT BINDADD ON DATABASE TO PUBLIC;
GRANT SECADM ON DATABASE TO USER peter;
REVOKE LOAD ON DATABASE FROM GROUP loadgrp;
![Page 26: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/26.jpg)
Database Object Privileges (Schema)
There are three schema privileges:
• CREATEIN allows users to create objects within the schema.
• ALTERIN allows users to alter objects within the schema.
• DROPIN allows users to drop objects within the schema.
![Page 27: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/27.jpg)
Examples
>>-GRANT----+-ALTERIN--+-+--ON SCHEMA--schema-name--------->
>--TO----+-+-------+--Group/User
>>-REVOKE---+-ALTERIN--+-+--ON SCHEMA--schema-name--------->
>--FROM----+-+-------+--Group/User
![Page 28: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/28.jpg)
Table Space Privilege
For table spaces, USE is the only privilege.
>>-GRANT--USE--OF TABLESPACE--tablespace-name--TO--------->
>----+-+-------+--User/Group
>>-REVOKE--USE--OF TABLESPACE--tablespace-name--FROM------>
>----+-+-------+--User/Group
GRANT USE OF TABLESPACE userspace1 TO USER db2admin;
REVOKE USE OF TABLESPACE userspace1 FROM PUBLIC;
![Page 29: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/29.jpg)
Summary of Table and View Privileges
• CONTROL: Provides users with all privileges for a table or view as well as the ability to grant those privileges (except CONTROL) to others.
• ALTER: Allows users to alter a table or view.
• DELETE: Allows users to delete records from a table or view.
• INDEX: Allows users to create an index on a table. This privilege does not apply to views.
• INSERT: Allows users to insert an entry into a table or view.
![Page 30: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/30.jpg)
• REFERENCES: Allows users to create and drop a foreign key, specifying the table as the parent in a relationship.
• SELECT: Allows users to retrieve data from a table or view.
• UPDATE: Allows users to update entries in a table or view. This privilege can also limit users to updating specific columns only.
• ALL PRIVILEGES: Grants all the above privileges except CONTROL on a table or view.
![Page 31: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/31.jpg)
Examples
GRANT ALL PRIVILEGES ON TABLE employee TO USER db2admin;
GRANT UPDATE ON TABLE employee (salary, comm) TO GROUP db2users;
REVOKE CONTROL ON TABLE employee FROM Groupname;
![Page 32: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/32.jpg)
Index Privileges
Privileges for managing indexes are fairly straightforward: you can only drop an index after it is created. To change an index key, for example, you need to drop the index and recreate it.
The CONTROL privilege allows the grantee to drop the index.
GRANT CONTROL ON INDEX empind TO USER db2admin;
REVOKE CONTROL ON INDEX empind FROM USER db2admin;
![Page 33: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/33.jpg)
Package Privileges
A package is a database object that contains the data access plan of how static SQL statements will be executed. A package needs to be bound to a database before its associated program can execute it. The following are the privileges you use to manage packages.
• BIND allows users to rebind an existing package.
• EXECUTE allows users to execute a package.
• CONTROL provides users the ability to rebind, drop, or execute a package as well as the ability to grant the above privileges to other users and/or groups.
![Page 34: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/34.jpg)
Examples
GRANT EXECUTE, BIND ON PACKAGE emppack1 TO GROUP db2grp;
REVOKE BIND ON PACKAGE emppack1 FROM USER db2dev;
![Page 35: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/35.jpg)
Case Study
A user with user ID user1 complains that he is not able to insert any rows into a table called MDANG.TABLE1.
DESCRIBE TABLE SYSCAT.TABAUTH
![Page 36: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/36.jpg)
![Page 37: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/37.jpg)
SELECT * FROM SYSCAT.TABAUTH WHERE GRANTEE = 'USER1'
![Page 38: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/38.jpg)
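The case study worked through in SQL, as an added example that is not part of the deck: it checks every catalog row that could give USER1 the INSERT privilege on MDANG.TABLE1, then applies the smallest fix. The database name SAMPLE and the INSERT-only remediation are assumptions; the deck's own result slides are not reproduced.

```sql
-- Added example, not from the deck: work the case study through the catalog views.
-- Assumptions: the database is SAMPLE (as on the GRANT examples slide) and the
-- remediation is a plain INSERT grant.
CONNECT TO sample;

-- 1. Every grant on MDANG.TABLE1 that could carry INSERT for USER1: the user's own
--    row, PUBLIC, and any group row (DB2 resolves group membership through the OS,
--    so compare group names with "id user1" on the server, not with the catalog).
--    Flag values: 'Y' = held, 'G' = held WITH GRANT OPTION, 'N' = not held.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, INSERTAUTH, CONTROLAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'MDANG'
   AND TABNAME   = 'TABLE1'
   AND (GRANTEE IN ('USER1', 'PUBLIC') OR GRANTEETYPE = 'G');

-- 2. Database-level authorities that change the answer: DBADM implies full data
--    access, and without CONNECT the user never reaches the INSERT at all.
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH, DBADMAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE IN ('USER1', 'PUBLIC') OR GRANTEETYPE = 'G';

-- 3. If nothing above shows INSERTAUTH IN ('Y', 'G') or DBADMAUTH = 'Y' for USER1,
--    PUBLIC or one of USER1's groups, the error is the privilege model working as
--    designed. Grant the single privilege the task needs, not CONTROL or ALL:
GRANT INSERT ON TABLE MDANG.TABLE1 TO USER user1;

-- 4. Verify: one direct user row (GRANTEETYPE = 'U') now carries INSERTAUTH = 'Y'.
SELECT GRANTOR, GRANTEE, GRANTEETYPE, INSERTAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'MDANG' AND TABNAME = 'TABLE1' AND GRANTEE = 'USER1';
```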
![Page 39: DB2UDB_the_Basics Day 3](https://reader035.vdocuments.mx/reader035/viewer/2022062401/5886de921a28ab776a8b7555/html5/thumbnails/39.jpg)
Thank You