Matakuliah
Tahun
: T0413
: 2009
Security
Pertemuan 7
Security Overview
DB2 uses a combination of:
ƒ External security service
ƒ Internal access control information
Mytable
Authentication
ƒ Identify the user
Authorization
–Check entered user name and password
ƒDone by security facility outside
of DB2 (Part of the OS, DCE,
SELECT * FROM mytable
and so forth)
Authorization
ƒ Check if authenticated user may perform
requested operation
ƒ Done by DB2 facilities
Does Bob have
an authorization
to perform
SELECT to
MYTABLE?
Authentication
CONNECT TO sample
USER bob using pwd
Is this right
password for
Bob?
–Information stored in DB2 catalog, DBM
configuration file
Bina Nusantara University
3
Authentication
When client and server are different machines, where is userid/password is
checked?
DBM CFG Parameter (at the DB2 server):
AUTHENTICATION = SERVER (default)
Valid values:
SERVER (default)
CLIENT – authorization takes place on the client
SERVER_ENCRYPT – Like SERVER except user IDs and passwords are encrypted
KERBEROS – Authentication takes place using a Kerberos security mechanism
SQL_AUTHENTICATION_DATAENC – Server authentication plus connections must use
data encryption
ƒ SQL_AUTHENTICATION_DATAENC_CMP – Like above, except data encryption only
used when available
ƒ GSSPLUGIN – Authentication uses an external GSS API-based plug-in security
mechanism
ƒ
ƒ
ƒ
ƒ
ƒ
Bina Nusantara University
4
Authentication (cont’d)
DB2
Server
Client
user1/pwd1
exists here
connect ... using user1/pwd1
AUTHENTICATION=SERVER
user1/pwd1
exists here
DB2
Server
Client
connect
AUTHENTICATION=CLIENT
Bina Nusantara University
5
AUTHORIZATION
Bina Nusantara University
6
Other Authority Levels
Function
Update DBM CFG
Grant/Revoke DBADM
Establish/Change SYSCTRL
Establish/Change SYSMAINT
Establish/Change SYSMON
Force users off database
Create/Drop database
Restore to new database
Update DB CFG
Backup database/table space
Restore to existing database
Perform roll-forward recovery
Start/Stop instance
Restore table space
Run trace
Obtain monitor snapshots
Query table space state
Prune log history files
Quiesce table space
LOAD tables
Set/Unset check-pending status
Bina Nusantara University
Create/Drop
event monitors
SYSADM SYSCTRL SYSMAINT
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
YES
SYSMON
DBADM
LOAD
YES
YES
YES
YES
YES
YES
YES
7
SYS Authorities
Users of a DB2 database are controlled by native OS
authentication services.
ƒ Free database/sysadmin/users from having to deal with multiple
logins/password.
SYSADM, SYSCTRL & SYSMAINT are defined by OS groups in
DBM CFG
–update dbm cfg using SYSADM_GROUP <group>
–update dbm cfg using SYSCTRL_GROUP <group>
–update dbm cfg using SYSMAINT_GROUP <group>
Each instance has its own authority group definitions
On Windows, parameters are not set by default, implying local
Windows Administrators group
Bina Nusantara University
8
DBADM Authority
DBADM = Super user for the database. No authority at
instance level
Example:
connect to sample
grant DBADM on database to user <userid>
Bina Nusantara University
9
Launching the Table Privileges Dialog
Control Center > (expand) All Databases Folder > (expand) Tables Folder > (right-click) Table > Privileges
Bina Nusantara University
10
Table Privileges Dialog
Specify privileges for
additional users
Use Tabs to choose
between specifying
privileges for Users or
Groups
Grant all privileges
Revoke all privileges
Permissions available
to grant for this
database object
“YES” = grant user permission
Bina Nusantara University
“NO” = do NOT grant user permission
“GRANT” = grant user
permission + permission to
grant this privilege to other
users
11
The PUBLIC group
ANY user id identifiable by the operating system/network
authentication service belongs automatically to the PUBLIC
group
The following are granted to PUBLIC by default:
ƒ CONNECT
ƒ CREATE TAB
ƒ IMPLICIT_SCHEMA
ƒ BINDADD
To "lock down" your system, you can revoke these privileges
from PUBLIC
Bina Nusantara University
12
GRANT and REVOKE examples
GRANT SELECT ON TABLE T1 TO USER user1
GRANT ALL ON TABLE T1 TO GROUP group1
REVOKE ALL ON TABLE T1 FROM GROUP group1
GRANT EXECUTE ON PROCEDURE p1 TO USER user1
REVOKE EXECUTE ON PROCEDURE p1 FROM USER user1
REVOKE CONNECT
REVOKE CREATETAB
REVOKE IMPLICIT_SCHEMA
REVOKE BINDADD
Bina Nusantara University
ON DATABASE FROM PUBLIC
ON DATABASE FROM PUBLIC
ON DATABASE FROM PUBLIC
ON DATABASE FROM PUBLIC
13
Extended Security (Windows only)
• To control access to DB2 system files through the
operating system
• DB2ADMNS Windows group
– This group and local administrators will have complete
access to all DB2 objects through the operating system.
• DB2USERS Windows group
– This group will have read and execute access to all DB2
objects through the operating system.
Bina Nusantara University
14