Lab 4 – Controlling Data Access
(refers to chapter 8)
Objectives
In these exercises, we will:
− Create another DB2 instance
− Investigate authorities and privileges
− Show how privileges can be given to packages in programs,
protecting database objects from access by any other means
− Grant privileges implicitly
− Consult the DB2 Command Reference
Part A – Creating Multiple DB2 Instances
1. Make sure that you are logged on as a user with administrative privilege, for
example as student. From the operating system, create a new group called
grpdb2a and a user called db2a with password db2a. Make db2a part of the
grpdb2a group, and make this user a local administrator. Add db2a to the
Local Administrators group.
2. Open a DB2 Command Window.
Create another instance on your system called db2a. Command to use: db2icrt.
Refer to the DB2 Command Reference for command usage.
A new directory db2a should be created under DB2PATH (e.g. c:\Program
Files\IBM\sqllib). It contains some basic control information of the instance.
Db2icrt db2a
3. Once the instance is created, close all programs and logon as db2a. Make sure
you log on as db2a, otherwise Part B of the exercise will not work!
4. Open a DB2 Command Window. What is the current default instance? Change
default instance to db2a.
Db2 -> Get instance
Quit -> set db2instance=db2a
5. Set the SYSADM group for the db2a instance to grpdb2a.
(Hint: issue ‘db2 ? update dbm cfg’ to get command syntax)
db2 -> update database manager configuration using sysadm_group grpdb2a
6. Since the db2a instance is enabled by default to accept requests via TCPIP, the
database manager parameter svcename needs to be updated with a port number.
Use the command db2 update dbm cfg using svcename 50002. 50002 have to
be a port number that hasn’t be assigned for other services. Have a look in
%Systemroot%/system32/drivers/etc/services.
7. Any changes made to the database manager configuration require recycling the
instance before changes can take in effect. Start db2a instance.
Db2 -> Start database manager
8. Confirm that the current instance of the session is db2a.
Db2 -> Get instance
9. Let’s create a SAMPLE database in the db2a instance. Use the same
executable as in Lab 2 - Getting Started, db2sampl. Although there are two
SAMPLE databases in one DB2 server, DB2 allows this as long as they reside
in two different instances.
Quit -> db2sampl
Get dbm config
Part B – Authorities and Privileges
1. The files needed for this exercise are in the db2exer\chap4\partb directory.
Make sure that you are logged on as a user with administrative privilege, for
example, as student or db2a. Create a new group called dbgrp and a user called
Cathy with a password Cathy. Make Cathy part of the dbgrp group, but do
NOT give Cathy administrative privilege.
Connect to the SAMPLE database in the db2a instance as Cathy. Remember to
provide Cathy’s user id and password. You should still be connected to the
db2a instance.
Connect to db2sampl user cathy using cathy
2. Determine the current database authorizations that all users (i.e. PUBLIC)
posses against the SAMPLE database.
(Hint: Use one of the authorizations to catalog tables)
get authorizations ( shows authority of current user )
select * from syscat.dbauth
3. Does Cathy has the privilege to create tables in the SAMPLE database?
(Hint: If the return doesn’t fit the window well, try selecting only a few
columns).
CREATETAB authority = yes
4. Create the following table with user id Cathy.
db2 create table mytab (part1 integer, part2 integer)
5. A member of SYSADM or DBADM groups (as defined in DB2) can revoke
the CREATETAB privilege from PUBLIC. This needs to be done explicitly. In
order to begin securing the environment, revoke the CREATETAB privilege
from PUBLIC.
Login as db2a as it is a member of grpdb2a, which is the DB2 SYSADM group
that we set earlier. Then, revoke CREATETAB from PUBLIC. Use the DB2
SQL Reference Guide for commands.
Revoke createtab on database from public
6. What privilege does Cathy have for her newly created table? Use one of the
authorization system catalog tables to find out.
select * from syscat.tabauth
7. Now we will demonstrate how you can give users permission to execute SQL
contained in packages without giving them any privileges on the tables
themselves. Look at the contents of the two programs in the
db2exer\chap4\partb directory: constat.sqc and condyn.sqc. They are quite
similar because they both connect to the SAMPLE database and select rows
from the STAFF table. The difference is that constat uses only static embedded
SQL, while condyn uses dynamic embedded SQL.
Connect to SAMPLE as db2a and BIND these programs to the database.
8. Execute constat and enter Cathy as the user when prompted. Is it successful?
9. Determine who has privilege to execute the CONSTAT package.
10. Grant EXECUTE privilege to Cathy.
11. Run the constat program again. Enter Cathy as the user when prompted. Is it
successful?
12. Now, execute the condyn program and enter Cathy as the user when prompted.
Once again, you will see that Cathy does not have EXECUTE privilege, this
time on the CONDYN package. Give this privilege to Cathy.
13. Run the condyn program again. Enter Cathy as the user when prompted. This
program should gives you the same result as the constat program. Do you get
any result? Why or why not?
Check what privilege Cathy has on the STAFF table.
14. Grant SELECT privilege to Cathy and execute the condyn program again.
15. Suppose you want Cathy to be able to do terminate users in the db2a instance.
At a minimum, which DB2 defined group would you place Cathy in? Cathy is
defined in the dbgrp group of the operating system. Put Cathy into the proper
group.
16. To activate the database manager configuration changes, stop and start the
db2a instance.
17. Catalog the db2 instance as a local node in the db2a instance.
(Hint: Use db2 catalog local node command)
18. Can Cathy terminate database connections in the db2 instance as well?