db2v9-730-second chapter

Authentication is the first security feature you'll encounter when you attempt to
access a DB2 instance or database. DB2 authentication works closely with the
security features of the underlying operating system to verify user IDs and
passwords. DB2 can also work with security protocols like Kerberos to authenticate
users.
Authorization involves determining the operations that users and/or groups can
perform, and the data objects that they may access. A user's ability to perform
high-level database and instance management operations is determined by the
authorities that they have been assigned. The five different authority levels within
DB2 are SYSADM, SYSCTRL, SYSMAINT, DBADM, and LOAD.
Privileges are a bit more granular than authorities, and can be assigned to users
and/or groups. Privileges help define the objects that a user can create or drop.
They also define the commands that a user can use to access objects like tables,
views, indexes, and packages. New to DB2 9 is the concept of label-based access
control (LBAC), which allows more granular control of who can access individual
rows and/or columns.

I don't really understand the three paragraphs above!

2. How to change a password in DB2:
  db2 connect to sample user test1 using test1 password 0215 confirm 0215

3. db2 update dbm cfg using authentication server
   db2 update dbm cfg using authentication server_encrypt
   After applying each of these settings, run the following command and compare the results: db2 connect to sample user test1 using test1

4. DB2 authorities control the following aspects of a database security plan:
• The authority level that a user is granted
• The commands that a user is allowed to run
• The data that a user is allowed to read and/or alter
• The database objects a user is allowed to create, alter, and/or drop

5. Of the five authorities available
in DB2, SYSADM, SYSCTRL and SYSMAINT are instance-level authorities. That
means that their scope includes instance-level commands as well as commands
against all the databases within the instance. These authorities can only be assigned
to a group; you can do so through the DBM CFG file.
The DBADM and LOAD authorities are assigned to a user or group for a particular
database. This can be done explicitly using the GRANT command.
6. Users can determine what authorities and database-level privileges they have by
issuing the following command:
db2 get authorizations

7. SYSADM users
are the only users allowed to update the DBM CFG file.
SYSADM authority is controlled in the DBM CFG file via the SYSADM_GROUP
parameter. When the instance is created, this parameter is set to Administrator on
Windows (although it appears blank if you issue the command db2 get dbm cfg).
On UNIX, it is set to the primary group of the user who created the instance.
Since SYSADM users are the only users allowed to update the DBM CFG, they are
also the only ones allowed to grant any of the SYS* authorities to other groups. For
example, SYSADM authority can be assigned to the group db2grp1 by setting the
SYSADM_GROUP parameter in the DBM CFG.
Remember, this change will not take effect until the instance is stopped and then
restarted. Also, keep in mind that if you are not currently logged in as a member of
db2grp1, you may not have authority to restart the instance! You would have to log
out and log back in with an ID in the correct group, or add your current ID to
db2grp1.
8. Obtaining SYSCTRL authority
Users with SYSCTRL authority can perform all administrative and maintenance
commands within the instance. However, unlike SYSADM users, they cannot access
any data within the databases unless they are granted the privileges required to do
so. Examples of commands a SYSCTRL user can perform against any database in
the instance are:
• db2start/db2stop
• db2 create/drop database
• db2 create/drop tablespace
• db2 backup/restore/rollforward database
• db2 runstats (against any table)
• db2 update db cfg for database dbname
A user with SYSADM authority can assign SYSCTRL to a group using the following
command:
db2 update dbm cfg using SYSCTRL_GROUP <group name>

9. Obtaining SYSMAINT authority
The commands that a user with SYSMAINT authority can issue are a subset of
those allowed to users with SYSCTRL authority. SYSMAINT users can only perform
tasks related to maintenance, such as:
• db2start/db2stop
• db2 backup/restore/rollforward database
• db2 runstats (against any table)
• db2 update db cfg for database dbname
Notice that users with SYSMAINT cannot create or drop databases or tablespaces.
They also cannot access any data within the databases unless they are granted the
explicit privileges required to do so.
If you have SYSADM authority, you can assign SYSMAINT authority to a group in the
same way, through the DBM CFG.

10. Obtaining DBADM authority
DBADM authority is a database-level authority rather than an instance-level
authority. In summary, DBADM users have complete control over a database --
almost. DBADM users cannot perform such maintenance or administrative tasks as:
• drop database
• drop/create tablespace
• backup/restore database
• update db cfg for database dbname
However, they can perform the following tasks:
• db2 create/drop table
• db2 grant/revoke (any privilege)
• db2 runstats (any table)
DBADM users are also automatically granted all privileges to the database objects
and their contents. Since DBADM authority is a database-level authority, it can be
assigned to both users and groups. The following commands illustrate different ways
in which you can give DBADM authority.
• db2 create database test
This command gives implicit DBADM authority on the database named
test to the user who issued the command.
• db2 connect to sample
db2 grant dbadm on database to user tst1
This command can only be issued by SYSADM users; it issues DBADM
authority to the user tst1 on the sample database. Note that the issuing
user must be connected to the sample database before granting DBADM
authority.
• db2 grant dbadm on database to group db2grp1
This command grants DBADM authority to everyone in the group
db2grp1. Again, only SYSADM users can issue this command.

11. Obtaining LOAD authority

LOAD authority is also considered a database-level authority, and can therefore be
granted to both users and groups. As the name implies, LOAD authority allows users
to issue the LOAD command against a table. The LOAD command is typically used
as a faster alternative to insert or import commands when populating a table with
large amounts of data. Depending on the type of LOAD you wish to perform, having
LOAD authority alone may not be sufficient. Specific privileges on the table may also
be required.
The following commands can be run by users with LOAD authority:
• db2 quiesce tablespaces for table
• db2 list tablespaces
• db2 runstats (any table)
• db2 load insert (must have insert privilege on table)
• db2 load restart/terminate after load insert (must have
insert privilege on table)
• db2 load replace (must have insert and delete privilege on table)
• db2 load restart/terminate after load replace (must have
insert and delete privilege on table)
Only users with either SYSADM or DBADM authority are permitted to grant or
revoke LOAD authority to users or groups. The following examples illustrate how
LOAD authority can allow our user to LOAD data into a table called sales. Assume
that the command db2 connect to sample has already been issued.
• db2 grant load on database to user tst1
db2 grant insert on table sales to user tst1
With LOAD authority and insert privilege, tst1 could issue a LOAD
INSERT or a LOAD RESTART, or TERMINATE after a LOAD INSERT
against the sales table.
• db2 grant load on database to group grp1
db2 grant delete on table sales to group grp1
db2 grant insert on table sales to group grp1
With LOAD authority, as well as delete and insert privileges, any member
of grp1 could issue a LOAD REPLACE or a LOAD RESTART, or
TERMINATE after a LOAD REPLACE against the sales table.
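The LOAD rules of sections 10 and 11 (who may grant LOAD authority, and which table privileges each LOAD mode needs on top of it), modelled as an added Python example that is not code from this page or from IBM DB2; Principal, grant_load, grant_table_priv and load_check are names assumed here, and the granter check on table-privilege grants is left out.

```python
# Added example: a model of the LOAD authority and table-privilege rules
# described in this section, so you can check a LOAD before running it.

LOAD_PRIVS = {                       # table privileges each LOAD mode requires
    "insert": {"insert"},
    "replace": {"insert", "delete"},
}


class Principal:
    """A DB2 user or group (assumed name for this example)."""

    def __init__(self, name):
        self.name = name
        self.authorities = set()     # database-level authorities, e.g. {"LOAD"}
        self.table_privs = {}        # table name -> set of privileges held


def grant_load(granter, grantee):
    """'db2 grant load on database to ...': only SYSADM or DBADM may issue it."""
    if not granter.authorities & {"SYSADM", "DBADM"}:
        raise PermissionError(f"{granter.name} cannot grant LOAD authority")
    grantee.authorities.add("LOAD")


def grant_table_priv(grantee, table, priv):
    """'db2 grant <priv> on table <table> to ...' (granter check omitted here)."""
    grantee.table_privs.setdefault(table, set()).add(priv)


def load_check(p, table, mode, after=None):
    """Return the set of missing requirements for a LOAD; empty means permitted.
    mode is 'insert', 'replace', 'restart' or 'terminate'; for the last two,
    'after' names the mode of the interrupted load, whose rules still apply."""
    base = after if mode in ("restart", "terminate") else mode
    if base not in LOAD_PRIVS:
        raise ValueError(f"unknown LOAD mode {mode!r} (after={after!r})")
    missing = set()
    if "LOAD" not in p.authorities:
        missing.add("LOAD authority")
    held = p.table_privs.get(table, set())
    missing |= {f"{x} privilege on {table}" for x in LOAD_PRIVS[base] - held}
    return missing


if __name__ == "__main__":
    dba = Principal("dbinst")
    dba.authorities.add("SYSADM")
    tst1 = Principal("tst1")
    grant_load(dba, tst1)                       # grant load on database to user tst1
    grant_table_priv(tst1, "sales", "insert")   # grant insert on table sales to user tst1
    print(load_check(tst1, "sales", "insert"))  # set()
    print(load_check(tst1, "sales", "replace")) # {'delete privilege on sales'}
```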
