Security
A relational database management system needs to control access to instances, databases, objects, and application packages. The two steps in controlling access are authentication and authorization. Authentication occurs when you provide a user ID and password. The password is used to prove your identity. Authorization occurs when the database verifies that you are allowed to perform a certain action. Typical actions include accessing, modifying, and deleting database objects.
Authentication
Authentication is required when connecting to a database or attaching to a database instance. A user ID is needed to uniquely identify a user. A password, known only to the user, is provided to validate the user's identity. The user ID is mapped to an SQL authorization name or authid. On UNIX-based systems, a DB2 authid is derived by transforming to uppercase letters a UNIX user ID that follows DB2 naming conventions.
DB2 completes the authentication process using security facilities external to the database. There are several types of authentication. On UNIX, Linux, and Windows, DB2 can use the operating system security facility to verify the user ID and password. On the database server, the authentication type is specified in the database manager configuration file. Available authentication types on the server include:
SERVER_ENCRYPT— Encrypt the password on the client and force authentication to occur on the server.
CLIENT— Allow the client to authenticate the user. Use the TRUST_ALLCLNTS database manager parameter to indicate which clients will be allowed to authenticate on the client.
DCE— Disable the operating system from performing authentication. DCE security software must be installed and configured.
DCE_SERVER_ENCRYPT— Enable multiple authentication types including DCE, SERVER, and SERVER_ENCRYPT depending on the type specified by the client.
KERBEROS— Use Kerberos security protocol. Both the client and the server must be on operating systems that support Kerberos.
KRB_SERVER_ENCRYPT— Enable either KERBEROS authentication or SERVER _ENCRYPT depending on the type specified by the client.
The client also can specify an authentication type in the database catalog. The authentication type specified on the client should be the same as specified on the server except for DCE_SERVER_ENCRYPT and KRB_SERVER_ENCRYPT. If the server uses these authentication types, the client should specify one of the available types described previously. When connecting to a host database with DB2 connect, the client also can specify one of the following authentication types:
DCS_ENCRYPT— Encrypt the password on the client and force authentication to occur on the host database.
NOTE
DB2 UDB can log failed password attempts with the operating system, and detect when a client has exceeded the number of allowable login tries. On AIX, this is specified by the LOGINRETRIES parameter.
Authorities and Privileges
There are two types of permissions that can be given to a user—authorities and privileges. Privileges define a single permission for an authorization name, enabling a user to create or access database resources. Privileges are stored in the database catalogs. Authorities provide a method of grouping privileges and control over higher-level database manager maintenance and utility operations. Database-specific authorities are stored in the database catalogs; system authorities are associated with group membership, and are stored in the database manager configuration file for a given instance.
There are five authorities in DB2:
SYSADM— System Administration Authority gives full privileges for a database instance.
SYSCTRL— System Control Authority gives full privileges for managing the system, but does not allow access to the data.
SYSMAINT— System Maintenance Authority gives full privileges for performing maintenance, but does not allow access to the data.
LOAD— Load Table Authority gives LOAD utility or AutoLoader utility privileges to load data into tables.
DBADM— Database Administration Authority gives full privileges for a database.
The SYSADM, SYSCTRL, and SYSMAINT authorities are established using external groups specified by the database manager configuration. The configuration parameter names are SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP. Groups are security facility entities that contain members. After the user is authenticated, a list of groups to which the user belongs is obtained. If the user belongs to a group listed by one of the configuration parameters, that user will be given the appropriate authorization.
The DBADM and LOAD authorities are established using the DCL GRANT and REVOKE statements. The GRANT and REVOKE statements are also used for database privileges on database objects. These objects include indexes, packages, schemas, tables, views, nicknames, servers, table spaces, sequences, and routines. Privileges are stored in the system catalogs of the database. They can be assigned to specific users or groups. Groups provide a convenient means of performing authorization for a collection of users without having to grant or revoke privileges for each user individually.