Administration Guide

Database Security and Tuning

GROUP Authorizations

Change

In DB2 Version 1, there was no way to indicate whether a privilege being granted was applicable to a user or to a group. In Version 2, a new field, called GRANTEETYPE, has been added to SYSCAT.DBAUTH, SYSCAT.INDEXAUTH, SYSCAT.PLANAUTH and SYSCAT.TABAUTH. GRANTEETYPE is either a 'U' to represent the GRANTEE is a user or 'G' to represent that the GRANTEE is a group.

During database migration, an attempt is made to determine whether existing privileges defined in the SYSIBM tables are for a user or a group. If the current privileges are for both a user and a group, only the user portion will be represented in the Version 2 database.

Symptom

Loss of authorization if you are a member of a group which is also defined in the operating system as a user.

Resolution

If this access is meant for groups (that is, where the environment variable DB2GROUPS=ON was used in Version 1), then execute the appropriate GRANT command for the appropriate access to the group.

Authentication Type

Change

In Version 1, you could provide an authentication type on the CREATE DATABASE command. Beginning in Version 2, this option is ignored. All databases now have the same authentication type as the instance.

Symptom

If the DB2 Version 5 instance authentication type is different than the Version 1 database authentication type, then authentication will behave differently after migration.

Resolution

Make sure that the instance authentication type is the type you want for the databases within that instance.

SYSADM Groups

Change

The SYSADM group must be explicitly set in the database manager configuration file.

Symptom

This is automatically taken care of during migration, but a problem could arise if you use a script or command file to change SYSADM groups.

Resolution

Update the script or command file to include the required changes in the database manager configuration file.

Security Enhancements

Change

Several security enhancements have been made to the product to make Version 2 and following versions more secure than Version 1. A few of the changes are listed here, however, this is not a complete list.

• Authorization is no longer automatically inferred from file permissions (AIX).

• A general user can execute any DB2 executable, but will not be able to perform the function of that executable unless they have the correct authority. Examples include: db2start and db2trc. See the Command Reference for information on db2start and the Troubleshooting Guide for information on db2trc.

• Authorization for some commands, such as MIGRATE DATABASE, have changed. You should refer to the Command Reference and the API Reference for the authorization requirements for an individual command or API.

Symptom

You may not be able to execute a DB2 command or API that you used to be able to execute. You will receive a "not authorized" type of SQLCODE.

Resolution

Acquire the proper authorization for the task to be performed.

[ DB2 List of Books | Search the DB2 Books ]