
Part 2 Security:

Chapter 5: DB2 Security Model


Two types of security control access:
1. Authentication, performed outside the DB2 database system
2. Authorization, performed inside the database manager
Authentication:
- The system verifies the identity of the user.
- Completed by a security facility outside the DB2 database, using an authentication plug-in module.
- DB2 ships with Kerberos and LDAP (Lightweight Directory Access Protocol) plug-in modules.
- We can build our own authentication plug-in module.

Authorization:
- Once the user is authenticated, DB2 determines whether the user is allowed to access a particular object or not.
Types of permission:
1. Primary permissions: those granted directly to the authorization ID
2. Secondary permissions: those granted to the groups and roles in which the authorization ID is a member
3. Public permissions: those granted to PUBLIC
4. Context-sensitive permissions: those granted to a trusted context role
Authorization categories:
1. System-level authorization
   a. System Administrator (SYSADM)
   b. System Control (SYSCTRL)
   c. System Maintenance (SYSMAINT)
   d. System Monitor (SYSMON)
2. Database-level authorization
   a. Security Administrator (SECADM)
   b. Database Administrator (DBADM)
   c. Access Control (ACCESSCTRL)
   d. Data Access (DATAACCESS)
   e. SQL Administrator (SQLADM)
   f. Workload Management Administrator (WLMADM)
   g. Explain (EXPLAIN)
3. Object-level authorization
4. Content-based authorization
   a. Label Based Access Control (LBAC) determines which users have read and write access to individual rows and individual columns

Chapter 6: Authentication Methods of your Server

Authentication types:
1. SERVER
   Authentication occurs on the server, through the server's security mechanism, using a user ID and password.
2. SERVER_ENCRYPT
   The user ID and password are sent encrypted.
   Set alternate_auth_enc:
   - NOT_SPECIFIED: AES 256-bit encryption
   - AES_CMP: if the client proposes DES but supports AES, the server renegotiates for AES encryption
   - AES_ONLY: the server accepts only AES encryption, otherwise the connection is rejected
3. CLIENT
   Authentication is performed by the client's operating system security; there is no further check on the server.
   Also called single sign-on.
   If the remote instance has CLIENT authentication, two other parameters determine the final authentication type: trust_allclnts and trust_clntauth.

   Final authentication type by client kind (remote instance with CLIENT authentication):

   trust_allclnts  trust_clntauth  Untrusted non-DRDA  Untrusted non-DRDA  Trusted non-DRDA  Trusted non-DRDA  DRDA client     DRDA client
                                   (no user ID &       (with user ID &     (no user ID &     (with user ID &   (no user ID &   (with user ID &
                                   password)           password)           password)         password)         password)       password)
   YES             CLIENT          CLIENT              CLIENT              CLIENT            CLIENT            CLIENT          CLIENT
   YES             SERVER          CLIENT              SERVER              CLIENT            SERVER            CLIENT          SERVER
   NO              CLIENT          SERVER              SERVER              CLIENT            CLIENT            CLIENT          CLIENT
   NO              SERVER          SERVER              SERVER              CLIENT            SERVER            CLIENT          SERVER
   DRDAONLY        CLIENT          SERVER              SERVER              SERVER            SERVER            CLIENT          CLIENT
   DRDAONLY        SERVER          SERVER              SERVER              SERVER            SERVER            CLIENT          SERVER

4. DATA_ENCRYPT
   Works the same as SERVER_ENCRYPT (encrypts the user ID and password) and additionally encrypts data:
   - SQL and XQuery statements
   - SQL program variable data
   - Output data from the server
   - Result sets of queries
   - Large Object (LOB) data streaming
   - SQLDA descriptors
5. DATA_ENCRYPT_CMP
   Encrypts credentials and data; if data encryption is not supported, switches to SERVER_ENCRYPT.
   Not valid when used on the CATALOG DATABASE command.
6. KERBEROS
   Used when both client and server support Kerberos.
   Kerberos acts as a third-party authentication service.
   How it works:
   - The user logs on to a domain account; the Kerberos Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) to the client.
   - The target name and the TGT are sent in a client request to the TGS. If both the target name and the TGT are valid, the TGS issues the ticket.
7. KRB_SERVER_ENCRYPT
   If the client is KERBEROS, use KERBEROS authentication.
   If the client is SERVER_ENCRYPT, use SERVER_ENCRYPT.
   If nothing is specified, use KERBEROS if available, else use SERVER_ENCRYPT.
8. GSSPLUGIN
   If the client authentication is not specified, the server lists all the authentication plug-ins it supports in srvcon_gssplugin_list.
   The first supported one is picked. If none is supported, the KERBEROS authentication type is used.
9. GSS_SERVER_ENCRYPT
   Same as GSSPLUGIN, but uses SERVER_ENCRYPT if KERBEROS is not supported.
   Use alternate_auth_enc to encrypt the user ID and password.
The following database manager configuration file parameters control access to the instance:
1. authentication
2. sysadm_group
3. trust_allclnts
4. trust_clntauth
5. sysctrl_group
6. sysmaint_group
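To make the trust_allclnts / trust_clntauth table checkable rather than a lookup, here is an added Python example (not from these notes and not IBM code) that encodes it as two rules and runs them over a constructed `db2 get dbm cfg` excerpt to list which client classes the server would accept without verifying them itself. The `(PARAMETER) = value` line layout, the sample values and the function names are assumptions.

```python
import re
# Client classes as the table labels them: (label, kind, trusted, has user ID & password)
CLIENT_CLASSES = [
    ("untrusted non-DRDA, no user ID/password",   "nondrda", False, False),
    ("untrusted non-DRDA, with user ID/password", "nondrda", False, True),
    ("trusted non-DRDA, no user ID/password",     "nondrda", True,  False),
    ("trusted non-DRDA, with user ID/password",   "nondrda", True,  True),
    ("DRDA, no user ID/password",                 "drda",    True,  False),
    ("DRDA, with user ID/password",               "drda",    True,  True),
]

def effective_auth(trust_allclnts, trust_clntauth, kind, trusted, has_creds):
    """Where authentication really happens (CLIENT or SERVER) when the instance
    authentication type is CLIENT; this encodes the six-row table as two rules."""
    trust_allclnts, trust_clntauth = trust_allclnts.upper(), trust_clntauth.upper()
    # Rule 1: does the server trust this client's operating-system authentication?
    if kind == "drda":
        os_trusted = True                             # DRDA clients are always trusted
    elif trusted:
        os_trusted = trust_allclnts != "DRDAONLY"     # trusted non-DRDA: unless DRDAONLY
    else:
        os_trusted = trust_allclnts == "YES"          # untrusted non-DRDA: only with YES
    if not os_trusted:
        return "SERVER"
    # Rule 2: no credentials -> accepted as-is; credentials -> trust_clntauth decides
    return "CLIENT" if not has_creds else trust_clntauth

CFG_LINE = re.compile(r"\((\w+)\)\s*=\s*(\S*)")

def parse_dbm_cfg(text):
    """Collect (PARAMETER) = value pairs from `db2 get dbm cfg` style output."""
    return {m.group(1).upper(): m.group(2) for m in map(CFG_LINE.search, text.splitlines()) if m}

def unverified_client_classes(cfg):
    """Client classes whose identity the server accepts without checking it itself
    (effective CLIENT). Empty unless AUTHENTICATION is CLIENT: trust_* only apply then."""
    if cfg.get("AUTHENTICATION", "").upper() != "CLIENT":
        return []
    return [label for label, kind, trusted, creds in CLIENT_CLASSES
            if effective_auth(cfg["TRUST_ALLCLNTS"], cfg["TRUST_CLNTAUTH"],
                              kind, trusted, creds) == "CLIENT"]

# Constructed excerpt in the layout of `db2 get dbm cfg` output (not a real capture)
SAMPLE_CFG = """\
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
"""
```

With the sample settings every one of the six client classes ends up with CLIENT authentication, which is the combination to review first when auditing an instance.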

Chapter 7: Authorization, Privileges and Object Ownership

Three forms of authorization:
1. Administrative authority
2. Privileges
3. LBAC credentials

1. Administrative authority
   System-level authorization:
   1. SYSADM -> includes SYSCTRL, SYSMAINT, SYSMON
   2. SYSCTRL -> cannot access table data; includes SYSMON
   3. SYSMAINT -> cannot access table data; includes SYSMON
   4. SYSMON
   Database-level authorization:
   1. DBADM: can be given by SECADM
   2. SECADM: can grant ACCESSCTRL, DATAACCESS, DBADM, SECADM
   3. SQLADM: can be given by ACCESSCTRL or SECADM
   4. WLMADM: can be given by ACCESSCTRL or SECADM
   5. EXPLAIN: can be given by ACCESSCTRL or SECADM
   6. ACCESSCTRL: can be given by SECADM
   7. DATAACCESS

2. Privileges
   - SECADM or ACCESSCTRL can grant CONTROL privileges.
   - CONTROL cannot be revoked from the object owner, but the owner can be changed using TRANSFER OWNERSHIP.

Chapter 8: Default Privileges Granted on Creating a Database

Creating a database:
- The following privileges are automatically granted to PUBLIC: CREATETAB, BINDADD, CONNECT, IMPLICIT_SCHEMA and SELECT.
- If RESTRICTIVE is given, no privileges are granted automatically to PUBLIC.
