DB2 Certification
Controlling Data Access
DB2CERT.PRZ
Objectives

After completing this unit, you should be able to:
- Describe the methods of authentication
- Describe the hierarchy of authorizations within DB2
- Explain privileges within a database
- Describe how clients access a DB2 server
- List the DB2 supported protocols
- Perform remote administration
Controlling Data Access: Authentication, Authorities and Privileges

External Database Security
- Occurs outside the database manager
- Is performed at the operating system level
- AUTHENTICATION: verifying that the user is really the person he/she claims to be
Authentication Types

The authentication type determines WHERE the user is verified.

Authentication = SERVER
- User verification at the server
- Password flows to the server
- Default

Authentication = DCS
- User verification at the DRDA Application Server (AS)
- Password flows to the DRDA AS
- DCS behaves the same as SERVER when DDCS is not used

Authentication = CLIENT
- Depends on the setting of further database manager configuration parameters (the parameter list is not reproduced on this slide)

3 Levels of Authentication (diagram)
- Client Workstation: Authentication = CLIENT
- Server Workstation: Authentication = SERVER
- Host Machine: Authentication = DCS
Setting Authentication

ONE authentication type per instance.
1. The default when creating the first database is SERVER.
2. Before creating the first database, update the dbm cfg:

   db2 UPDATE DBM CFG USING AUTHENTICATION [SERVER | CLIENT | DCS]

Conversation-Level Security (diagram, reconstructed)

Client side (system database directory entry): Authentication = CLIENT, SERVER or DCS
- CLIENT: user verification at the client; only the userid flows to the server
- SERVER or DCS: userid and password flow to the server

DB2 server side (instance): Authentication = CLIENT, SERVER or DCS
- CLIENT (trusted clients): user verification at the client; the client sends a client indicator
- CLIENT (untrusted clients): userid and password are required
- SERVER or DCS: user verification at the server
Database Internal Security
- Applies to DB2 data inside the database manager
- ACCESS CONTROL: the ability to create or access database objects
DB2 Access Control

Authorities
- SYSADM
- SYSCTRL (cannot see data)
- SYSMAINT (cannot see data)
- DBADM

Privileges
- Ownership (CONTROL)
- Individual
- Implicit
Authorities in DBM Configuration

Database Manager Configuration:
  SYSADM group name   (SYSADM_GROUP)   = ADM1
  SYSCTRL group name  (SYSCTRL_GROUP)  = CTRL1
  SYSMAINT group name (SYSMAINT_GROUP) = MAINT1

  db2 update dbm cfg using sysadm_group adm1
  db2 update dbm cfg using sysctrl_group ctrl1
  db2 update dbm cfg using sysmaint_group maint1
Database Authority Summary

Function                            | SYSADM | SYSCTRL | SYSMAINT | DBADM
------------------------------------+--------+---------+----------+------
Migrate database                    | yes    |         |          |
Update DBM CFG                      | yes    |         |          |
Grant/Revoke DBADM                  | yes    |         |          |
Specify SYSCTRL group               | yes    |         |          |
Specify SYSMAINT group              | yes    |         |          |
Catalog/Uncatalog DB directory      | yes    | yes     |          |
Catalog/Uncatalog Node directory    | yes    | yes     |          |
Catalog/Uncatalog DCS directory     | yes    | yes     |          |
Force Users                         | yes    | yes     |          |
Create/Drop Database                | yes    | yes     |          |
Restore to New Database             | yes    | yes     |          |
Update DB CFG                       | yes    | yes     | yes      |
Backup Database/Tablespace          | yes    | yes     | yes      |
Restore/Roll Forward a database     | yes    | yes     | yes      |
Start/Stop a database instance      | yes    | yes     | yes      |
Run Trace                           | yes    | yes     | yes      |
Take snapshots                      | yes    | yes     | yes      |
Query Tablespace state              | yes    | yes     | yes      | yes
Update Log History files            | yes    | yes     | yes      | yes
Quiesce Tablespace                  | yes    | yes     | yes      | yes
Reorg Table                         | yes    | yes     | yes      | yes
Run Runstats Utility                | yes    | yes     | yes      | yes
Load Tables                         | yes    |         |          | yes
Read Log files                      | three "yes" marks on the slide; column placement not recoverable
Create/Activate/Drop Event Monitors | three "yes" marks on the slide; column placement not recoverable
Authorities and Privileges

Authorities: SYSADM, DBADM

Database privileges: CREATETAB, BINDADD, CONNECT, CREATE_NOT_FENCED

Object privileges:
- CONTROL (Tables): ALL, ALTER, DELETE, INDEX, INSERT, REFERENCES, SELECT, UPDATE
- CONTROL (Views): ALL, DELETE, INSERT, SELECT, UPDATE
- CONTROL (Indexes)
- CONTROL (Packages): BIND, EXECUTE
Resources: Privileges Required

RESOURCE              | NEEDED TO CREATE                     | OTHER PRIVILEGES
----------------------+--------------------------------------+-----------------------------------------------
Database              | SYSADM, SYSCTRL                      | CONNECT, BINDADD, CREATETAB, NOFENCE
Table (T) or View (V) | CREATETAB (T); CONTROL or SELECT (V) | SELECT, INSERT, DELETE, UPDATE (T/V); ALTER, INDEX, REFERENCES (T)
Package               | BINDADD                              | BIND, EXECUTE
Index                 | INDEX                                | none
Alias, UDT, UDF       | none                                 | none

If the schema differs from the current authid, CREATEIN is required.
Privileges Required for Development of DB2 Applications

Action                       | Privileges Required
-----------------------------+-----------------------------------------------------------------
Precompile to bindfile       | CONNECT on database
Create a new package         | CONNECT on database; BINDADD on database; privileges needed to execute each static SQL statement (explicit to user or to PUBLIC)
Modify an existing package   | CONNECT on database; BIND on package; privileges needed to execute each static SQL statement (explicit to user or to PUBLIC)
Recreate an existing package | CONNECT on database; BIND on package
Execute a package            | CONNECT on database; EXECUTE on package
Drop a package               | CONNECT on database; CONTROL on package, or creator of package
Authority & Privilege Scenario

Volker  - End user who executes a program app1 to track personal addresses
          NEEDS: EXECUTE on the package; CONTROL on table Volker.personal
Greta   - Application developer who will develop the program app1
          NEEDS: BINDADD on the database; access to the required objects
Gabriel - Needs to load tables
          NEEDS: DBADM on the database
Calene  - Wants to be able to create a database to store personal information and use a table
          NEEDS: SYSADM for the instance

All users require the CONNECT privilege on the database.
Group and User Support

  GRANT SELECT ON TABLE EMPLOYEE TO CAL        -> SQLCODE -569

Which form to use depends on what the system knows about, a group named cal, a user named cal, or both:
- GRANT SELECT ON TABLE EMPLOYEE TO USER CAL     explicitly names the user
- GRANT SELECT ON TABLE EMPLOYEE TO GROUP CAL    explicitly names the group
- GRANT SELECT ON TABLE EMPLOYEE TO CAL          lets the system resolve the name; when both a user and a group named cal exist, the name is ambiguous and the statement fails with SQLCODE -569

The slide's table also distinguished what is permitted on OS/2 or Windows NT versus UNIX (user cal, group cal); those cells are not recoverable here.
Static SQL Requires Explicit Privileges or PUBLIC Privileges

GROUP1: mel, patti, doug

prog1.sqc contains the static SQL:
  ... Update T1 ...
  ... Select C1 from T1 ...
  ... Insert into T1 ...

  db2 connect to eddb
  db2 grant update on table t1 to group1
  db2 grant select on table t1 to public
  db2 grant insert on table t1 to mel
  db2 grant bindadd on database to group1

Mel attempts to bind:
  db2 connect to eddb
  db2 bind prog1.bnd

Bind fails: no UPDATE. The UPDATE privilege that mel holds only through GROUP1 does not satisfy the static UPDATE statement; static SQL needs the privilege granted explicitly to the user or to PUBLIC.
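The bind rule on this slide, worked through as an added example (not code from the course material): a small Python model in which group-held table privileges are ignored for static SQL while explicit and PUBLIC grants count. The names eddb, t1, group1, mel/patti/doug and prog1 come from the slide; the dictionaries and functions are the model's own assumptions, not DB2 internals.

```python
# Added example, not from the course material: a model of the rule on this slide
# that static SQL in a package needs privileges held explicitly by the binder or
# by PUBLIC; privileges held only through a group are ignored at BIND time.
# eddb, t1, group1, mel/patti/doug and prog1 come from the slide; the dictionaries
# and functions are this model's own, not DB2 internals.
from collections import defaultdict

db_privs = defaultdict(set)                          # grantee -> database privileges
tab_privs = defaultdict(lambda: defaultdict(set))    # table -> grantee -> privileges
groups = {"group1": {"mel", "patti", "doug"}}        # GROUP1 membership from the slide

def grant_table(priv, table, grantee):
    tab_privs[table][grantee].add(priv)

def grant_db(priv, grantee):
    db_privs[grantee].add(priv)

def grantees_for(user, include_groups):
    """Authids whose grants count for `user`: itself, PUBLIC and, optionally, its groups."""
    names = {user, "public"}
    if include_groups:
        names |= {g for g, members in groups.items() if user in members}
    return names

def can_bind(user, statements):
    """Decide whether `user` can bind a package whose static SQL needs the
    (privilege, table) pairs in `statements`; returns (ok, reason)."""
    # BINDADD on the database: group membership is assumed to count here, since
    # the slide grants it to group1 and blames the failure on UPDATE alone.
    if not any("bindadd" in db_privs[g] for g in grantees_for(user, True)):
        return False, "no BINDADD on database"
    for priv, table in statements:
        # Static SQL: only the user's own grants and PUBLIC's are considered.
        if not any(priv in tab_privs[table][g] for g in grantees_for(user, False)):
            return False, f"no {priv.upper()} on {table}"
    return True, "bind succeeds"

# The grants issued on the slide, in order.
grant_table("update", "t1", "group1")
grant_table("select", "t1", "public")
grant_table("insert", "t1", "mel")
grant_db("bindadd", "group1")

# Static SQL in prog1.sqc: UPDATE T1, SELECT C1 FROM T1, INSERT INTO T1
PROG1 = [("update", "t1"), ("select", "t1"), ("insert", "t1")]

if __name__ == "__main__":
    print(can_bind("mel", PROG1))       # (False, 'no UPDATE on t1')
    grant_table("update", "t1", "mel")  # an explicit grant to mel fixes the bind
    print(can_bind("mel", PROG1))       # (True, 'bind succeeds')
```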
Implicit Privileges

Create database
- Internal GRANT of DBADM authority with the CONNECT, CREATETAB, BINDADD and CREATE_NOT_FENCED privileges to the creator (SYSADM or SYSCTRL)
- Internal GRANT of BINDADD, CREATETAB, CONNECT and SELECT on the system catalog tables to PUBLIC
- BIND privilege on each successfully bound utility to PUBLIC

Grant DBADM
- Internal GRANT of BINDADD, CREATETAB, CONNECT and CREATE_NOT_FENCED

Create object (table, index, package)
- Internal GRANT of CONTROL to the object creator

Create view
- Internal GRANT to the view creator of the intersection of the creator's privileges on the base table(s)
Implicit Privileges Scenarios

Scenario 1.
  ivo is placed in the SYSADM group.
  ivo creates database DB1.
  ivo is removed from the SYSADM group.
  What privileges does ivo retain?

Scenario 2.
  db2 connect to eddb
  db2 grant dbadm on database to user mel
  db2 revoke dbadm on database from user mel
  What privileges does mel retain?
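The two scenarios worked through as an added example (not code from the course material): a small Python model of the implicit grants listed on the preceding slide, applied to ivo and mel. The names DB1, eddb, ivo and mel come from the slides; the Database class, its methods and the assumed creator "dba" of eddb are this model's own.

```python
# Added example, not from the course material: a small model of the implicit
# privilege rules on the preceding slide, used to work through the two scenarios.
# DB1, eddb, ivo and mel come from the slides; the class and its methods are this
# model's own, not DB2 APIs.
DBADM_IMPLICIT = {"CONNECT", "CREATETAB", "BINDADD", "CREATE_NOT_FENCED"}

class Database:
    """Per-database record of which authid holds which database-level privilege."""
    def __init__(self, name, creator, sysadm_group):
        if creator not in sysadm_group:      # SYSCTRL would also do; SYSADM suffices here
            raise PermissionError(f"{creator} may not create {name}")
        self.privs = {}                      # grantee -> set of privileges held
        # Create database: DBADM plus the four privileges go to the creator's own
        # authid; PUBLIC gets BINDADD, CREATETAB and CONNECT (catalog SELECT omitted).
        self.grant_dbadm(creator)
        self.privs.setdefault("PUBLIC", set()).update({"BINDADD", "CREATETAB", "CONNECT"})

    def grant_dbadm(self, user):
        # Grant DBADM: DBADM itself plus an internal GRANT of the four privileges.
        self.privs.setdefault(user, set()).update({"DBADM"} | DBADM_IMPLICIT)

    def revoke_dbadm(self, user):
        # Revoking DBADM removes only DBADM: the privileges granted with it are
        # ordinary grants to the user and stay until revoked individually.
        self.privs.get(user, set()).discard("DBADM")

    def held_by(self, user):
        return set(self.privs.get(user, set()))

def scenario_1():
    sysadm_group = {"ivo"}                                 # ivo is placed in SYSADM
    db1 = Database("DB1", "ivo", sysadm_group)             # ivo creates DB1
    sysadm_group.discard("ivo")                            # ivo is removed again
    # The grants were made to ivo's own authid, so the group change does not touch them.
    return db1.held_by("ivo")

def scenario_2():
    eddb = Database("eddb", "dba", {"dba"})                # assumed creator, not on the slide
    eddb.grant_dbadm("mel")
    eddb.revoke_dbadm("mel")
    return eddb.held_by("mel")

if __name__ == "__main__":
    print(sorted(scenario_1()))   # DBADM plus the four privileges
    print(sorted(scenario_2()))   # the four privileges; DBADM is gone
```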
Query Who Has Privileges

Most of the information on authorizations is maintained in four system catalog views:
  SYSCAT.DBAUTH       Database privileges
  SYSCAT.INDEXAUTH    Index privileges
  SYSCAT.PACKAGEAUTH  Package privileges
  SYSCAT.TABAUTH      Table and view privileges
Controlling Data Access: Client/Server Connection

DB2 Client/Server Environment (diagram)
- Database clients: CAE Database Client, SDK Database Client, DB2 Database Client, and a local client on the server
- Protocols between client and DB2 server: APPC, NetBIOS, TCP/IP, NPIPE or IPX/SPX
- DB2 Server (UNIX or Intel) holding the DB2 data
- DB2 Connect for host connectivity, using DRDA (*MPTN) to reach S/390 and S/370 hosts (DB2/MVS, DB2/VSE & VM) and the AS/400 (DB2/400 RDBMS)
- Non-IBM RDBMS
Remote Client Flow (diagram)

Client to DB2 Server:
  Application Program -> Client Enabler -> Protocol Support Product (NetBIOS, APPC/APPN, IPX/SPX, TCP/IP, NPIPE) -> DB2 Server (DB2) -> table data

Client to host through the DRDA gateway:
  Application Program -> Client Enabler -> Protocol Support Product -> DRDA Gateway (DB2 Connect) -> "DRDA flow" over APPC or TCP/IP -> MVS (VTAM, DDF, DB2) -> table data
DB2 Client/Server Directory (diagram)

DB2 CLIENT
  System Database Directory: ADB Local, BDB Local, REMDB Remote
  Local Database Directories on drives C and D: ADB, BDB
  Node Directory: node entry for REMDB

DB2 SERVER
  System Database Directory: REMDB Local
  Local Database Directory on drive C: REMDB

  DB2 CONNECT TO . . . .
Client Connectivity Tasks

Tasks by protocol (APPC, TCP/IP, NetBIOS, IPX/SPX; the per-protocol marks are not recoverable from the slide):
- Install correct level of products to support protocols used
- Apply required maintenance to products
- Update environment variables on server
- Update environment variables on client (optional)
- Update comm. profiles or properties on server
- Update comm. profiles or properties on client
- Specify Local LU (optional)
- Change NetBIOS interface config. on client/server (***)
- Update DBM CFG on server
- Catalog Node Directory on client
- Catalog Database Directory on client
- Register DB2 server on NetWare File server (*)
- Update hosts file on client
- Set up client and server for DCE Directory services (optional)
- Bind client utility packages on servers (**)
- Update DBM CFG on client
- Update services file on client
- Update services file on server

*   When using File Server addressing only. Not required when using Direct addressing on all clients.
**  Required only when the client platform is different from the server platform.
*** Required only on the Windows NT platform.
Binding Utilities and CLP (client)

- DB2 utilities and the Command Line Processor (CLP) MUST be bound to each database.
- The utilities have to be bound to each database only once for each OS/client version combination.
- Binding a utility creates a package, which includes all the information needed to process against a database.
- The bind files are grouped together in different .lst files in the \SQLLIB\BND directory.

  db2 bind @db2ubind.lst
Controlling Data Access: Remote Administration
Instance Attachment vs. Database Connection

INSTANCE ATTACHMENT
- create/drop databases
- get/update/reset the database manager and database configuration files
- database monitor
- backup/restore/roll forward database
- force application

DATABASE CONNECTION
- DML, DDL, DCL
- precompile/bind applications
- load/export/import
Explicit/Implicit ATTACH/CONNECT

INSTANCE ATTACHMENT
  Implicit: DB2INSTANCE=
  Explicit: db2 ATTACH TO nodename [USER ... USING ...]

DATABASE CONNECTION
  Implicit: DB2DBDFT=
  Explicit: db2 CONNECT TO db-alias [USER ... USING ...]
Remote Administration - ATTACH (diagram)

Workstation1
  inst1 (current instance): System Database Directory . . . ; Node Directory with entries inst2 and inst3 . . .
  inst2: a second, local instance on the same workstation

Workstation2
  inst2: System Database Directory: REM1 Indirect; Local Database Directory: REM1 Home

Node inst3 in Workstation1's node directory points to instance inst2 on Workstation2:
  ATTACH TO nodename
ATTACH to Remote Node

  DB2INSTANCE=inst1
  db2 catalog local node inst2
  db2 CATALOG TCPIP NODE inst3 REMOTE sys2 SERVER inst2
  db2 CATALOG DATABASE rem1 AS remdb1 AT NODE inst3
  db2 CONNECT TO remdb1

  inst3  (NODE)      user-defined nodename
  sys2   (REMOTE)    hostname; points to Workstation2's IP address
  inst2  (SERVER)    servicename; points to inst2's main port numbers
  rem1               Workstation2's system database alias-name
  remdb1             alias used in CONNECT
  inst3  (AT NODE)   nodename in the node directory

  db2 ATTACH TO inst3
  db2 RESTORE DATABASE REM1 ...
  db2 DETACH
Unit Summary

Having completed this unit, you should be able to:
- Describe the methods of authentication
- Describe the hierarchy of authorizations within DB2
- Explain privileges within a database
- Describe how clients access a DB2 server
- List the DB2 supported protocols
- Perform remote administration