Part 2 - Security:: Chapter 5: DB2 Security Model
Authorization:
-
Once the user is authenticated, DB2 determines whether that user is allowed to
access a particular object or not.
4 types of permission
1. Primary permission: granted directly to the authorization ID
2. Secondary permission: granted to the groups and roles of which the
authorization ID is a member
3. Public permission: granted to PUBLIC (so it applies to every authorization ID)
4. Context-sensitive permission: granted through a trusted context role, so it
applies only while the connection matches that trusted context
Authorization Categories
1. System Level authorization
a. System Administrator (SYSADM)
b. System Control (SYSCTRL)
c. System Maintenance (SYSMAINT)
d. System Monitor (SYSMON)
2. Database Level Authorization
a. Security Administrator (SECADM)
b. Database Administrator (DBADM)
c. Access Control (ACCESSCTRL)
d. Data Access (DATAACCESS)
e. SQL Administrator (SQLADM)
f. Workload Management Administrator (WLMADM)
g. Explain (EXPLAIN)
3. Object Level Authorization
4. Content Based Authorization
a. Label-Based Access Control (LBAC) determines which users have
read and write access to individual rows and individual columns
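Worked example, added here and not part of the original notes, showing how the permission types and authority categories above are applied in DB2 SQL: a DBADM that cannot read data or grant access, a SECADM, a role that carries secondary permissions, revocation of the public permissions DB2 grants at database creation, a trusted context that hands out a context-sensitive role, and a minimal LBAC policy. The schema, table, user, role, policy and IP address names are assumed; the statements are run by a SECADM (DBADM, SECADM and LBAC statements require it).

```sql
-- Added example (not from the original notes). Names such as hr.employee,
-- dba1, secadm1, app1, app_reader, appsrv, 10.0.0.25 and data_policy are
-- assumed. Run as a user holding SECADM on the database.

-- 1. Database-level authorities: separate administration from data access.
--    A DBADM granted WITHOUT DATAACCESS can manage objects but cannot read
--    or change table data; WITHOUT ACCESSCTRL means it cannot grant privileges.
GRANT DBADM WITHOUT DATAACCESS WITHOUT ACCESSCTRL ON DATABASE TO USER dba1;

--    SECADM owns roles, LBAC, trusted contexts and audit policies.
--    Only an existing SECADM can grant it; keep it off the DBA account.
GRANT SECADM ON DATABASE TO USER secadm1;

-- 2. Secondary permissions: grant object privileges to a role, then grant the
--    role to people or service accounts. Membership, not the grants, changes
--    when staff change.
CREATE ROLE app_reader;
GRANT SELECT ON TABLE hr.employee TO ROLE app_reader;
GRANT ROLE app_reader TO USER app1;

-- 3. Public permissions: CREATE DATABASE (without RESTRICTIVE) grants these to
--    PUBLIC, which lets any authenticated ID create tables and packages.
--    Take them back; creating the database with the RESTRICTIVE option avoids
--    the grants in the first place.
REVOKE CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- 4. Context-sensitive permission: the app_reader role below is only in effect
--    for connections made by system authorization ID appsrv from 10.0.0.25.
--    The same credentials used from any other host get no role from it.
CREATE TRUSTED CONTEXT appsrv_ctx
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
  ATTRIBUTES (ADDRESS '10.0.0.25')
  DEFAULT ROLE app_reader
  ENABLE;

-- 5. Content-based authorization (LBAC): a one-component policy, a label,
--    and a label column on the protected table. Rows labelled above the
--    reader's clearance are invisible to SELECT, not rejected with an error.
CREATE SECURITY LABEL COMPONENT clearance
  ARRAY ['TOP SECRET', 'SECRET', 'UNCLASSIFIED'];
CREATE SECURITY POLICY data_policy
  COMPONENTS clearance WITH DB2LBACRULES;
CREATE SECURITY LABEL data_policy.secret COMPONENT clearance 'SECRET';
ALTER TABLE hr.employee ADD SECURITY POLICY data_policy;
ALTER TABLE hr.employee ADD COLUMN row_label DB2SECURITYLABEL;
GRANT SECURITY LABEL data_policy.secret TO USER app1 FOR READ ACCESS;
```

The point of steps 1 and 3 together: after `GRANT DBADM WITHOUT DATAACCESS` the administrator still cannot see payroll rows, and after the REVOKE a freshly created login can connect but cannot create objects, so a compromised low-value account has nowhere to persist.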
Authentication Types
1. SERVER
Authentication occurs on the server, which verifies the user ID and password
with its own security mechanism (operating system or security plug-in)
2. SERVER_ENCRYPT
Same as SERVER, but the user ID and password are encrypted before they cross
the network
The alternate_auth_enc database manager parameter sets which algorithm the
server accepts:
NOT_SPECIFIED (default): the server accepts whatever algorithm the client
proposes, including 56-bit DES
AES_CMP: if the client proposes DES but supports AES, the server
renegotiates for 256-bit AES encryption
AES_ONLY: the server accepts only AES encryption; otherwise the connection
is rejected
3. CLIENT
Authentication is performed by the client's operating system; the server does
not check the credentials again
Also called single sign-on
If the remote instance has CLIENT authentication, two other parameters
determine the final authentication type: trust_allclnts and
trust_clntauth
Final authentication type when the server instance is set to CLIENT:

trust_allclnts  trust_clntauth  Untrusted non-DRDA client   Trusted non-DRDA client     DRDA client
                                no ID/pwd   with ID/pwd     no ID/pwd   with ID/pwd     no ID/pwd   with ID/pwd
YES             CLIENT          CLIENT      CLIENT          CLIENT      CLIENT          CLIENT      CLIENT
YES             SERVER          CLIENT      SERVER          CLIENT      SERVER          CLIENT      SERVER
NO              CLIENT          SERVER      SERVER          CLIENT      CLIENT          CLIENT      CLIENT
NO              SERVER          SERVER      SERVER          CLIENT      SERVER          CLIENT      SERVER
DRDAONLY        CLIENT          SERVER      SERVER          SERVER      SERVER          CLIENT      CLIENT
DRDAONLY        SERVER          SERVER      SERVER          SERVER      SERVER          CLIENT      SERVER

Reading the table: a client that trust_allclnts accepts as trusted (YES: every
client; NO: trusted non-DRDA and DRDA clients; DRDAONLY: DRDA clients only) is
authenticated at the client, unless it sends a user ID and password and
trust_clntauth is SERVER, in which case the server validates them. Every other
client is authenticated at the server. With trust_allclnts=YES and
trust_clntauth=CLIENT the server never validates a password at all.
4. DATA_ENCRYPT
Works the same as SERVER_ENCRYPT (user ID and password encrypted) and, in
addition, encrypts the user data exchanged between client and server.
IBM has since deprecated DATA_ENCRYPT in favour of SSL/TLS for protecting data
in transit.
Related database manager configuration parameters:
authentication
sysadm_group
trust_allclnts
trust_clntauth
sysctrl_group
sysmaint_group
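Added example, not from the original notes: auditing and then hardening the parameters listed above from SQL, using the SYSIBMADM.DBMCFG view and the SYSPROC.ADMIN_CMD procedure. The hardened values chosen (SERVER_ENCRYPT, AES_ONLY, DRDAONLY with SERVER) are my choices, and the session is assumed to hold SYSADM, which ADMIN_CMD needs to update the database manager configuration.

```sql
-- Added example (not from the original notes). Assumes a DB2 9.7 or later
-- instance and a session holding SYSADM.

-- 1. Read the current authentication settings. VALUE is what is in effect;
--    DEFERRED_VALUE is what takes effect at the next instance restart.
SELECT NAME, VALUE, DEFERRED_VALUE
FROM   SYSIBMADM.DBMCFG
WHERE  LOWER(NAME) IN ('authentication', 'alternate_auth_enc',
                       'trust_allclnts', 'trust_clntauth',
                       'sysadm_group', 'sysctrl_group', 'sysmaint_group');

-- 2. Weak configuration to look for in the output above:
--      authentication   = CLIENT
--      trust_allclnts   = YES
--      trust_clntauth   = CLIENT
--    Every host that can reach the listener vouches for its own users, so
--    anyone who creates a local OS account named like a member of
--    sysadm_group connects with SYSADM and no password reaches the server.

-- 3. Hardened configuration: authenticate on the server, encrypt the
--    credentials in transit, and refuse the DES fallback that
--    alternate_auth_enc=NOT_SPECIFIED would still accept.
CALL SYSPROC.ADMIN_CMD(
  'UPDATE DATABASE MANAGER CONFIGURATION USING AUTHENTICATION SERVER_ENCRYPT');
CALL SYSPROC.ADMIN_CMD(
  'UPDATE DATABASE MANAGER CONFIGURATION USING ALTERNATE_AUTH_ENC AES_ONLY');

-- 4. If CLIENT authentication must stay for single sign-on, make the trust
--    parameters carry the weight: trust only DRDA host clients and validate
--    any supplied password on the server. Per the trust table, this yields
--    SERVER for every client except a DRDA client that sends no credentials.
--    (Commented out because it only applies when step 3 is not used.)
-- CALL SYSPROC.ADMIN_CMD(
--   'UPDATE DATABASE MANAGER CONFIGURATION USING TRUST_ALLCLNTS DRDAONLY');
-- CALL SYSPROC.ADMIN_CMD(
--   'UPDATE DATABASE MANAGER CONFIGURATION USING TRUST_CLNTAUTH SERVER');

-- 5. These parameters are not updated online: the new values show up in
--    DEFERRED_VALUE until the instance is restarted (db2stop / db2start).
--    Re-run the query in step 1 after the restart to confirm VALUE changed.
```

Running step 1 before and after the change gives a two-row record (old VALUE, new DEFERRED_VALUE) that can go straight into a change ticket; the catalog view is readable by any connected user, so the audit query itself needs no elevated authority.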
2. Privileges
-
Creating Database
-