10.4. Administrative Authorities

Once the user is successfully authenticated, DB2 checks to see if the user has the proper authority for the requested operations, such as performing database manager maintenance operations and managing database objects. Figure 10.12 shows the authorities supported in DB2 and Table 10.7 describes each of them.

Table 10.7. Descriptions of DB2 Administrative Authority Levels
DB2 Administrative AuthorityDescription
SYSADMThese users have the highest authority level and full privileges for managing the instance. They also have access to all data in the underlying databases.
SYSCTRLThese users have certain privileges in managing the instance, its databases, and database objects. They can create new databases, but do not have access to the data. For example, they cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.
SYSMAINTSimilar to SYSCTRL, SYSMAINT users have certain privileges in managing the instance, its databases, and database objects. However, they cannot create new databases and do not have access to the data. For example, these users cannot issue statements such as DELETE FROM employee or SELECT * FROM employee.
SYSMONThese users can turn snapshot monitor switches on, collect snapshot data, and access other database system monitor data. No other task can be performed unless the required authority or privileges are granted to the same user by other means.
DBADMDatabase-level authority that allows users to perform administrative tasks on the specified database. Note that they also have full data access to the database
LOADThese users can only run the load utility against the specified database. Before the user can load data into a table, he or she must also have the privilege to INSERT and/or DELETE on the target table. (Database object privileges are discussed in more detail in the next section.)
CONNECTGrants users access the database. Without the CONNECT authority, a user cannot connect to the database even though he or she is successfully authenticated by the security facility.
BINDADDAllows users to create new packages in the database.
CREATETABAllows users to create new tables in the database.
CREATE_NOT_FENCED_ROUTINEAllows users to create nonfenced routines such as user-defined functions and stored procedures. When a nonfenced routine is invoked, it executes in the database manager's process rather than in its own address space.
IMPLICIT_SCHEMAAllows users to create a schema implicitly via database object creation. For example, if bob wants to create a table jeff.sales and the schema jeff does not already exist, bob needs to hold the IMPLICIT_SCHEMA authority for this database.
QUIESCE_CONNECTAllows users to access the database while it is quiesced. When a database is quiesced, only users with SYSADM, DBADM, and QUIESCE_CONNECT authorities can connect to the database and perform administrative tasks.
CREATE_EXTERNAL_ROUTINEAllows users to create routines written in external languages such as C, Java, and OLE.

Figure 10.12. DB2 administrative authority levels


To give you a better idea of what the system and DBADM authorities can and cannot do, Table 10.8 summarizes some common functions and the authorities required to perform them. For functions that are not listed here, refer to the DB2 manuals. The manuals clearly list the authorities and privileges needed to execute commands and SQL statements.

Table 10.8. Summary of DB2 Administrative Authorities
FunctionSYSADMSYSCTRLSYSMAINTSYSMONDBADM
Update Database Manager Configuration parametersYESNONONONO
Grant/revoke DBADM authorityYESNONONONO
Establish/change SYSCTRL authorityYESNONONONO
Establish/change SYSMAINT authorityYESNONONONO
Force users off the databaseYESYESNONONO
Create/drop databasesYESYESNONONO
Restore to new databaseYESYESNONONO
Update database configuration parametersYESYESYESNONO
Back up databases/table spacesYESYESYESNONO
Restore to existing databaseYESYESYESNONO
Perform roll forward recoveryYESYESYESNONO
Start/stop instancesYESYESYESNONO
Restore table spacesYESYESYESNONO
Run tracesYESYESYESNONO
Obtain monitor snapshotsYESYESYESYESNO
Query table space statesYESYESYESNOYES
Prune log history filesYESYESYESNOYES
Quiesce table spacesYESYESYESNOYES
Quiesce databasesYESNONONOYES
Quiesce instancesYESYESNONONO
Load tablesYESNONONOYES
Set/unset check pending statusYESNONONOYES
Create/drop event monitorsYESNONONOYES

10.4.1. Managing Administrative Authorities

Now that you understand the roles of different authorities in DB2, it's time to show you how to “give” a user or a group of users an authority. The verb give is used because a user receives the system and database authorities through different commands and statements.

Recall that SYSADM, SYSCTRL, SYSMAINT, and SYSMON are system authorities for an instance. You set these with the Database Manager Configuration parameters by assigning a user group defined in the operating system or security facility to the associated parameters. The following are the entries for the configuration parameters:

SYSADM group name          (SYSADM_GROUP) =
SYSCTRL group name         (SYSCTRL_GROUP) =
SYSMAINT group name        (SYSMAINT_GROUP) =
SYSMON group name          (SYSMON_GROUP) =

On Windows, the parameters are set to NULL, which implies that members of the Windows Administrators group own all the system authorities. On Linux and UNIX systems, the primary group of the instance owner is the default value for all the SYS*_GROUP.

To set any of the system groups, you use the update dbm command. For example, if admgrp and maintgrp are valid groups, the following command configures the SYSADM_GROUP and SYSMAINT_GROUP:

						update dbm cfg using sysadm_group admgrp sysmaint_group maintgrp

This command does not validate the existence of the group. It is your responsibility to enter a valid group name. To reset them to the default value of NULL, specify:

						update dbm cfg using sysadm_group NULL

NOTE

Resetting DBM and DB configuration parameters to the default value, you must use NULL in uppercase. DB2 treats the lowercase null as an input value.


Since the SYS*_GROUP parameters are not configurable online, you need to stop and restart the instance for the changes to take effect.

You grant and revoke database authorities with the GRANT and REVOKE statements to a user or group of users. Figures 10.13 and 10.14 show the syntax of these statements, and Figure 10.15 illustrates how to use them.

Figure 10.13. GRANT statement for database authorities
          .-,-----------------------------.
          V                               |
>>-GRANT----+-BINDADD-------------------+-+--ON DATABASE-------->
            +-CONNECT-------------------+
            +-CREATETAB-----------------+
            +-CREATE_EXTERNAL_ROUTINE---+
            +-CREATE_NOT_FENCED_ROUTINE-+
            +-IMPLICIT_SCHEMA-----------+
            +-DBADM---------------------+
            +-LOAD----------------------+
            '-QUIESCE_CONNECT-----------'

       .-,---------------------------------.
       V                                   |
>--TO----+-+-------+--authorization-name-+-+-------------------><
         | +-USER--+                     |
         | '-GROUP-'                     |
         '-PUBLIC------------------------'

Figure 10.14. REVOKE statement for database authorities
           .-,-----------------------------.
           V                               |
>>-REVOKE----+-BINDADD-------------------+-+--ON DATABASE------->
             +-CONNECT-------------------+
             +-CREATETAB-----------------+
             +-CREATE_EXTERNAL_ROUTINE---+
             +-CREATE_NOT_FENCED_ROUTINE-+
             +-IMPLICIT_SCHEMA-----------+
             +-DBADM---------------------+
             +-LOAD----------------------+
             '-QUIESCE_CONNECT-----------'

         .-,---------------------------------.
         V                                   |  .-BY ALL-.
>--FROM----+-+-------+--authorization-name-+-+--+--------+-----><
           | +-USER--+                     |
           | '-GROUP-'                     |
           '-PUBLIC------------------------'

Figure 10.15. Examples of granting and revoking database authorities
						CONNECT TO sample;
						GRANT IMPLICIT_SCHEMA, CREATETAB ON DATABASE TO USER john;
						GRANT LOAD ON DATABASE TO GROUP loadgrp, USER john;
						GRANT BINDADD ON DATABASE TO PUBLIC;
						REVOKE LOAD ON DATABASE FROM GROUP loadgrp;
						REVOKE CREATETAB ON DATABASE FROM PUBLIC;

You must first connect to the target database before you specify one or more authorities you want to grant or revoke. The keywords USER and GROUP are optional for both GRANT and REVOKE statements. However, on Linux and UNIX, if you have a user ID and group name defined with the same name, you must specify USER or GROUP explicitly; otherwise you will receive an error message.

Notice that the last example of Figure 10.15 uses the keyword PUBLIC is used. PUBLIC is not the name of a group defined in the operating system or in the external security facility; it is a special group to which everyone belongs. PUBLIC by default receives a few database authorities and/or database object privileges depending on the type of operations performed. Refer to the next section for more information about implicit privileges.

The REVOKE statement uses the BY ALL option as its default. This means that this command revokes each named authority (as well as privileges—that will be discussed later in this chapter) from all named users and/or groups who were explicitly granted those authorities (and privileges). However, there is no cascade effect to also revoke authorities (and privileges) that were implicitly granted. Stay tuned for the implicit privileges discussion in the following section.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.133.141.219