2.3 - DB2 Database Security.odp


Transcript of 2.3 - DB2 Database Security.odp

Page 1: 2.3 - DB2 Database Security.odp

7/23/2019 2.3 - DB2 Database Security.odp

http://slidepdf.com/reader/full/23-db2-database-securityodp 1/26

© 2010 IBM Corporation

Information Management

Information Management Ecosystem Partnerships, IBM Canada Lab

Summer/Fall 2010

DB2® Security

Page 2: 2.3 - DB2 Database Security.odp


Agenda

■ Authentication
■ Trusted Context
■ Authorization
■ Authorities
■ Privileges
■ Label-Based Access Control (LBAC)
■ Roles

Page 3: 2.3 - DB2 Database Security.odp


DB2 Security Overview

■ There are two main mechanisms (and subcategories within) DB2 that allow you to implement a security plan
■ Authentication
■ Authorization
  - Authorities
  - Privileges

[Diagram: John connects to the SAMPLE DB and queries sampletable]

Authentication: Did John enter the correct password?
Authorization: Does John have authorization to access data in 'sampletable'?

CONNECT TO SAMPLE USER John USING password;
select * from sampletable

Page 4: 2.3 - DB2 Database Security.odp


Authentication

■ Determining that you are who you say you are
■ Can rely on the operating system's authentication mechanism
■ Can rely on a separate product
■ Where and how DB2 authenticates users
  - SERVER
  - SERVER_ENCRYPT
  - CLIENT
  - KERBEROS
  - etc...

[Diagram: Client and Server, drawn once for AUTHENTICATION = SERVER and once for AUTHENTICATION = CLIENT; in each case the client issues CONNECT TO SAMPLE USER John USING password; and one side asks "Did John enter the correct password?"]

Page 5: 2.3 - DB2 Database Security.odp


Configuration of Authentication on DB2 Server

■ Authentication type is defined in the Database Manager configuration file (DBM CFG)
■ To configure how and where DB2 authenticates users, set the authentication parameter at the DB2 server

db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"
db2 "GET DBM CFG"

Page 6: 2.3 - DB2 Database Security.odp


Trusted Context

■ Provide a means whereby the end-user identity in a three-tier environment can be easily and efficiently propagated to the database server
■ Introduce the concept of a trusted context between a database server and a specific application tier
■ Why not just keep one common user ID?
  - Loss of user identity for auditing purposes
  - Hard to distinguish actions needed by app vs needed by user
  - Middle tier is "over granted" privileges
  - If ID is compromised, high risk of security exposure

Page 7: 2.3 - DB2 Database Security.odp


Trusted Context

■ Implementation Considerations
  - Users need to be identified individually but do not want expensive new connections
  - How do we identify a trusted source?
■ Solution: Create a "Trusted Context"
  - A trusted relationship between the DB and the application
    - Switch current user ID
    - Acquire additional privileges via role inheritance
  - Relationship identified by connection attributes: IP Address, Domain Name, Authorization ID, Data Encryption used

CREATE TRUSTED CONTEXT ctxt
  BASED UPON CONNECTION USING SYSTEM AUTHID smith
  ATTRIBUTES (ADDRESS '192.168.2.27')
  DEFAULT ROLE managerRole
  ENABLE
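A fuller worked example of the statement above, added here and not taken from the slides: it adds the encryption attribute and the user-switching clause the slide mentions, and ends with the catalog queries a reviewer would run to see what is trusted. The names appsrv, emp_role, mgr_role, sampletable, alice, bob and the address 10.0.0.5 are assumptions.

```sql
-- Added example, not from the slides. Names and the address are assumptions.

-- Roles carry the privileges the application tier is allowed to use.
CREATE ROLE emp_role;
CREATE ROLE mgr_role;
GRANT SELECT ON TABLE sampletable TO ROLE emp_role;
GRANT SELECT, UPDATE ON TABLE sampletable TO ROLE mgr_role;

-- The connection is trusted only when every attribute matches: it comes
-- from 10.0.0.5, under system authid appsrv, over SSL (ENCRYPTION 'HIGH').
-- The same credentials used from any other address or without SSL give an
-- ordinary connection: no default role and no user switching.
CREATE TRUSTED CONTEXT ctx_appsrv
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
  ATTRIBUTES (ADDRESS '10.0.0.5', ENCRYPTION 'HIGH')
  DEFAULT ROLE emp_role
  ENABLE
  -- Users the middle tier may switch to. alice must present her password on
  -- each switch and then acts with mgr_role; bob may be switched to without
  -- a password and keeps the context's default role.
  WITH USE FOR alice ROLE mgr_role WITH AUTHENTICATION,
               bob WITHOUT AUTHENTICATION;

-- Review what is trusted: every context and the attributes it requires.
SELECT contextname, systemauthid, enabled
  FROM syscat.contexts;
SELECT contextname, attr_name, attr_value
  FROM syscat.contextattributes;
```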

Page 8: 2.3 - DB2 Database Security.odp


Authorization

■ Verifies if an authorization ID has sufficient privileges to perform the desired database operation
  - Authorities: provide a way to group privileges and to control maintenance and utility operations (SYSADM, DBADM, SECADM, SYSMAINT, SYSCTRL, ...)
  - Privileges: allow a certain action to be taken on a database object (SELECT, UPDATE, DELETE, etc.)
  - LBAC provides a more granular approach, granting read/write access to individual rows/columns

Page 9: 2.3 - DB2 Database Security.odp


Page 10: 2.3 - DB2 Database Security.odp


Authorities

■ Instance-level Authorities
  - SYSADM, SYSCTRL, SYSMAINT, SYSMON
  - e.g. SYSADM: control over all resources created and maintained by the Database Manager instance
■ Database-level Authorities
  - DBADM, SECADM, SQLADM, WLMADM, EXPLAIN, ACCESSCTRL, DATAACCESS, etc.

[Diagram: SYSMAINT, SYSCTRL, SYSADM, SECADM, LOAD and DBADM drawn in relation to the Instance]

Page 11: 2.3 - DB2 Database Security.odp


System Administrator (SYSADM) authority

Highest level of administrative authority available. Only SYSADM is allowed to perform these tasks:
- Migrate a database from a previous version to DB2 Ver 9.
- Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSADM, SYSCTRL, SYSMAINT, and SYSMON authority.
- Give grant/revoke DBADM and SECADM authority to individual users and/or groups.

1. Granting SYSADM authority to the group grp1:
- db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"

Page 12: 2.3 - DB2 Database Security.odp


System Administrator (SYSADM) Authority

■ Highest level of administrative authority at the instance level
■ Only a user with SYSADM authority can perform the following functions:
  - Upgrade and restore a database
  - Change the database manager configuration file, including specifying the groups having SYSADM, SYSCTRL, SYSMAINT, or SYSMON authority
■ Does not implicitly get DBADM authority, so does not automatically have access to data
■ Specified by the sysadm_group parameter in the DBM CFG
■ Example: Granting SYSADM authority to the group 'grp':

UPDATE DBM CFG USING SYSADM_GROUP grp

Page 13: 2.3 - DB2 Database Security.odp


Database Administrator (DBADM) authority

DBADM is a database-level authority and can be assigned by SYSADM to both users and groups.
- grant dbadm on database to user user1
- grant dbadm on database to group group1

DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:
- drop database
- drop/create tablespace
- backup/restore database
- update db cfg for database

Can perform:
- create/drop table
- grant/revoke (any) privilege

Page 14: 2.3 - DB2 Database Security.odp


Database Administrator (DBADM) Authority

■ Administrative authority over a single database
■ Does not automatically include the ability to access data
  - Ability to create objects and issue database commands
  - Create, alter, and drop non-security related database objects
  - Read log files
  - Create, activate, and drop event monitors
  - Query the state of a table space
  - Update log history files
  - Quiesce a table space
  - Reorganize a table
  - Collect catalog statistics using the RUNSTATS utility
■ DBADM authority can only be granted or revoked by the SECADM
■ Can be granted to a user, a group, or a role

Page 15: 2.3 - DB2 Database Security.odp


Security Administrator (SECADM) Authority

■ Creates and manages security related database objects over a single database:
  - Grant and revoke database privileges and authorities
  - Create and drop
    - Security label components
    - Security policies
    - Security labels
    - Trusted contexts
    - Audit policies
    - Roles
  - Execute audit routines
■ Has no inherent ability to access data stored in user tables
■ Can only be granted by a user with SECADM authority

Page 16: 2.3 - DB2 Database Security.odp


Page 17: 2.3 - DB2 Database Security.odp


'ri"ilege&

■ 'chema Privilege

 $ CA5I3 allo#& t%e u&er to create o,Gect& #it%in t%e &c%ema $ A65I3 allo#& t%e u&er to alter o,Gect& #it%in t%e &c%ema

 $ D!'I3 allo#& t%e u&er to drop o,Gect& from #it%in t%e &c%ema

■ Tables&ace Privilege

 $ @S allo#& t%e u&er to create ta,le& #it%in t%e ta,le&pace

■ Table and 0ie" Privilege

 $ C!35!6 pro"ide& t%e u&er #it% all pri"ilege& for a ta,le or "ie# including t%ea,ility to drop it= and to grant and re"o>e indi"idual ta,le pri"ilege&

D65 allo#& t%e u&er to delete ro#& from a ta,le or "ie#8

I3S5 allo#& t%e u&er to in&ert a ro# into a ta,le or "ie#= and to run t%eIM'!5 utility8

S6C5 allo#& t%e u&er to retrie"e ro#& from a ta,le or "ie#= to create a "ie#on a ta,le= and to run t%e '!5 utility8

@'DA5 allo#& t%e u&er to c%ange an entry in a ta,le= a "ie#= or for one or more&pecific column& in a ta,le or "ie#

 $ 5a,le !nly 'ri"ilege& A65 allo#& t%e u&er to modify on a ta,le

I3D allo#& t%e u&er to create an inde; on a ta,le

F3CS allo#& t%e u&er to create and drop a foreign >ey= &pecifying t%eta,le a& t%e parent in a relation&%ip

Page 18: 2.3 - DB2 Database Security.odp


'ri"ilege&

■ Pac5age Privilege

 $C!35!6 pro"ide& t%e u&er #it% t%e a,ility to re,ind= drop= ore;ecute a pac>age

BI3D allo#& t%e u&er to re,ind or ,ind t%at pac>age and to add ne#pac>age "er&ion& of t%e &ame pac>age name and creator 

C@5 allo#& t%e u&er to e;ecute or run a pac>age

■ Index Privileges $C!35!6 allo#& t%e u&er to drop t%e inde;

■ 'e@uence Privilege

 $@SAN allo#& t%e u&er to u&e 35 A6@ and 'I!@SA6@ e;pre&&ion& for t%e &euence

 $A65 allo#& t%e u&er to perform ta&>& &uc% a& re&tarting t%e&euence or c%anging t%e increment for future &euence "alue&

■ !outine Privilege

 $C@5 allo#& t%e u&er& to in"o>e a routine= create a functiont%at i& &ourced from t%at routine= and reference t%e routine in any

DD6 &tatement &uc% a& CA5 IL or CA5 5INN

Page 19: 2.3 - DB2 Database Security.odp


Nranting 'ri"ilege&

■ x&licit

 $ 'ri"ilege& can ,e e;plicitly gi"en to u&er& or group& "ia t%e NA35 and !7command&

■ Im&licit

 $ DB2 may grant pri"ilege& automatically #%en certain command& are i&&ued

■ Indirect

 $ 'ac>age& contain SK6 &tatement& in an e;ecuta,le format8 5%e u&er only reuire&C@5 pri"ilege to run t%em

 $ ;ample pac>age1 contain& t%e follo#ing &tatic SK6 &tatement&

 $ In t%i& ca&e a u&er #it% C@5 pri"ilege on pac>age1 i& indirectly grantedS6C5 and I3S5 pri"ilege on ta,le 5S5

select * from test

insert into test values (1,2,3)

db2 grant select on table db2inst1.person to user employee

db2 create table mytable User automatically gainsfull access to the table

Page 20: 2.3 - DB2 Database Security.odp


Nranular 'ri"ilege&

■ *h% granular &rivileges6

 $5%e need to re&trict acce&& to &pecific portion of data in ata,le

■ ,o" to im&lement6

 $0ie"s1Simulate a ne# ta,le2Create a "ie# &u,&et of t%e data from t%e ,a&e ta,le

Aut%ori*e t%e u&er to acce&& t%e "ie#.e"o>e acce&& from t%e u&er to t%e ,a&e ta,le

 $LBAC 6a,el Ba&ed Acce&& Control Can re&trict read/#rite acce&& to ro#& and/or column& of

a ta,le

Page 21: 2.3 - DB2 Database Security.odp


Nranular 'ri"ilege& $ ie#&

■ Provides a different "a% of

loo5ing at data in one or moretables it is a nameds&ecification of a result table

■ Allo"s multi&le users to see

different &resentations of thesame data

■ ice for sim&le securit% &olic%3but com&licated to manage inlarge settings

6AS53AM L!7DI !FFIC

Smit% A0 5oronto

Crnic A0 ancou"er  

(o%n&on B1 Calgary

Carl&on C2 !tta#a

'ogue B1 5oronto

ing B1 ictoria

Bari&ic A0 !tta#a

M'6!4I3F! IL

6AS53AM L!7DI !FFIC SA6A4 B!3@S

Smit% A0 5oronto :0000 2900

Crnic A0 ancou"er :9000 1900

(o%n&on B1 Calgary 99000 1000

Carl&on C2 !tta#a ?0000 2200

'ogue B1 5oronto 90000 200

ing B1 ictoria 92000 000

Bari&ic A0 !tta#a :?000 1200

M'6!4 5AB6

#RAT /'0 "P+)*'($+ A&   &#T A&T(A"3 0+R4D'/3 +$$'#  $R+" "P+)5

6AS53AM L!7DI !FFIC SA6A4 B!3@S

Smit% A0 5oronto :0000 2900

Crnic A0 ancou"er :9000 1900

(o%n&on B1 Calgary 99000 1000

Carl&on C2 !tta#a ?0000 2200

'ogue B1 5oronto 90000 200

ing B1 ictoria 92000 000

Bari&ic A0 !tta#a :?000 1200

M'6!4 5AB6

#RAT /'0 "P+)*'($+ A&   &#T A&T(A"3 0+R4D'/3 +$$'#  $R+" "P+)5
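The four view steps from the previous slide carried through on the EMPLOY table above, as an added example that is not part of the slides: a column subset like the slide's view, plus a row subset, with the grant moved from the base table to the views. The table definition, the sample rows and the user hr_clerk are assumptions.

```sql
-- Added example, not from the slides. Table definition, rows and hr_clerk
-- are assumptions; the columns follow the EMPLOY table drawn on the slide.
CREATE TABLE employ (
  lastname VARCHAR(30) NOT NULL,
  workdiv  CHAR(2),
  office   VARCHAR(20),
  salary   INTEGER,
  bonus    INTEGER);
INSERT INTO employ VALUES
  ('Smith',   'A0', 'Toronto',   60000, 2500),
  ('Crnic',   'A0', 'Vancouver', 65000, 1500),
  ('Johnson', 'B1', 'Calgary',   55000, 1000);

-- Starting point to be corrected: the clerk was granted the whole table.
GRANT SELECT ON TABLE employ TO USER hr_clerk;

-- Steps 1-2: views that expose only what the clerk needs. The column subset
-- hides salary and bonus; the row subset also limits the clerk to one office.
CREATE VIEW employ_info AS
  SELECT lastname, workdiv, office FROM employ;
CREATE VIEW employ_toronto AS
  SELECT lastname, workdiv, office FROM employ WHERE office = 'Toronto';

-- Step 3: authorize the clerk on the views, not on the table.
GRANT SELECT ON employ_info TO USER hr_clerk;
GRANT SELECT ON employ_toronto TO USER hr_clerk;

-- Step 4: remove the direct path. Without it the views restrict nothing,
-- because salary can still be read straight from employ.
REVOKE SELECT ON TABLE employ FROM USER hr_clerk;

-- Check: only the two views should be listed for HR_CLERK (authorization
-- IDs are stored in upper case in the catalog).
SELECT tabschema, tabname, selectauth
  FROM syscat.tabauth
 WHERE grantee = 'HR_CLERK';
```

The view definer (here the user running the script, who owns employ) must keep SELECT on the base table; if that privilege is revoked from the definer, DB2 marks the dependent views inoperative.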

Page 22: 2.3 - DB2 Database Security.odp


Nranular 'ri"ilege& $ 6a,el Ba&ed Acce&& Control 6BAC

■ Access Control at the table level via traditional &rivileges

 $Doe& t%e u&er %old t%e reuired pri"ilege to perform t%ereue&ted operation on t%e ta,le)

■ Label Based Access Control $Set& &ecurity la,el& at t%e ro# le"el= column le"el or ,ot%

■ ,o" does LBAC "or56 $@&er& and !,Gect& ro#&/column& are a&&igned la,el& t%at

are later compared to aut%ori*e acce&&

mployee < Manager  

#PT;

#PT$
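A row-level LBAC setup that encodes the Employee < Manager ordering from the diagram, added here as an example and not taken from the slides. The component, policy, label and table names and the users dayna and john are assumptions; the security DDL and GRANT SECURITY LABEL statements must be issued by a user holding SECADM authority.

```sql
-- Added example, not from the slides. All names are assumptions; the
-- CREATE SECURITY ... and GRANT SECURITY LABEL statements need SECADM.

-- An ARRAY component is ordered: the first element dominates the later ones.
CREATE SECURITY LABEL COMPONENT clearance
  ARRAY ['MANAGER', 'EMPLOYEE'];
CREATE SECURITY POLICY dept_policy
  COMPONENTS clearance
  WITH DB2LBACRULES;
CREATE SECURITY LABEL dept_policy.mgr_label COMPONENT clearance 'MANAGER';
CREATE SECURITY LABEL dept_policy.emp_label COMPONENT clearance 'EMPLOYEE';

-- A protected table: every row carries a label in the DB2SECURITYLABEL column.
CREATE TABLE dept_docs (
  id       INTEGER NOT NULL PRIMARY KEY,
  title    VARCHAR(80),
  rowlabel DB2SECURITYLABEL)
  SECURITY POLICY dept_policy;

-- Users get labels for reading and writing at their own level.
GRANT SECURITY LABEL dept_policy.mgr_label TO USER dayna FOR ALL ACCESS;
GRANT SECURITY LABEL dept_policy.emp_label TO USER john  FOR ALL ACCESS;

-- When the label column is omitted, the row takes the writer's label.
-- Run as dayna (row labelled MANAGER):
INSERT INTO dept_docs (id, title) VALUES (1, 'Salary review');
-- Run as john (row labelled EMPLOYEE):
INSERT INTO dept_docs (id, title) VALUES (2, 'Holiday schedule');

-- The same statement returns both rows for dayna and only row 2 for john:
-- rows whose label the reader's label does not dominate are filtered out,
-- so holding SELECT on dept_docs alone does not expose every row.
SELECT id, title FROM dept_docs ORDER BY id;
```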

Page 23: 2.3 - DB2 Database Security.odp


Roles

■ Database object that groups together one or more privileges and can be assigned to users, groups, PUBLIC or to other roles via a GRANT statement
■ Benefits
  - SECADMs control access at a level of abstraction that is close to the structure of the organization, e.g. Manager, HR, Employee
  - The assignment and maintenance of privileges is simplified.
    - User roles change: revoke old role and grant new role, not specific privileges
    - Role has more responsibility: all users inherit the new privileges

[Diagram: Dayna inherits all privileges and labels of the role 'manager']

Page 24: 2.3 - DB2 Database Security.odp


Roles - Implementation

The Basics

■ Step 1 - Create Role
■ Step 2 - Assign Privileges to a Role
■ Step 3 - Grant Role to Users
■ Step 4 - Revoke Role as necessary

CREATE ROLE DEVELOPER
GRANT SELECT ON TABLE SERVER TO ROLE DEVELOPER
GRANT ROLE DEVELOPER TO USER BOB, USER ALICE
REVOKE ROLE DEVELOPER FROM USER BOB

Extra Features

■ Role Admin Option
  - Allows the specified user to grant or revoke the role to or from others
■ Role Hierarchies
  - A role hierarchy is formed when one role is granted membership in another role.

GRANT ROLE DEVELOPER TO USER BOB WITH ADMIN OPTION

CREATE ROLE DOCTOR
CREATE ROLE SPECIALIST
CREATE ROLE SURGEON
GRANT ROLE DOCTOR TO ROLE SPECIALIST
GRANT ROLE SPECIALIST TO ROLE SURGEON
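The hierarchy above followed by a recursive catalog query that lists every role an authorization ID holds, directly or through role-to-role grants, added here as an example and not taken from the slides. The user dayna is an assumption; the roles repeat the slide's DOCTOR/SPECIALIST/SURGEON chain so the query has something to walk.

```sql
-- Added example, not from the slides. The user dayna is an assumption.
CREATE ROLE doctor;
CREATE ROLE specialist;
CREATE ROLE surgeon;
GRANT ROLE doctor TO ROLE specialist;
GRANT ROLE specialist TO ROLE surgeon;
GRANT ROLE surgeon TO USER dayna;

-- Walk SYSCAT.ROLEAUTH: seed with roles granted to the user (GRANTEETYPE
-- 'U'), then keep adding roles granted to any role already found
-- (GRANTEETYPE 'R'). The depth guard bounds the recursion.
WITH eff (rolename, depth) AS (
  SELECT rolename, 0
    FROM syscat.roleauth
   WHERE grantee = 'DAYNA' AND granteetype = 'U'
  UNION ALL
  SELECT r.rolename, e.depth + 1
    FROM syscat.roleauth r
    JOIN eff e ON r.grantee = e.rolename
   WHERE r.granteetype = 'R' AND e.depth < 20
)
SELECT rolename, MIN(depth) AS depth
  FROM eff
 GROUP BY rolename
 ORDER BY depth;
```

For dayna the query lists SURGEON, SPECIALIST and DOCTOR at depths 0, 1 and 2; roles that reach a user only through a group or PUBLIC (GRANTEETYPE 'G') are not followed by this query.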

Page 25: 2.3 - DB2 Database Security.odp


Summary

■ Authentication
  - Verifies the users are who they say they are, using the underlying operating system or other security protocols
■ Trusted Context
  - Solves the problems associated with loss of user identity in a three-tiered environment
■ Authorization
  - Controls the access to database objects
■ Granular Privileges
  - Access to a specific portion of data in a table can be restricted using views and LBAC
■ Roles
  - Allows easy management of privileges

Page 26: 2.3 - DB2 Database Security.odp


Information Management Ecosystem Partnerships, IBM Canada Lab
Summer/Fall 2010

Questions?

E-mail: [email protected]
"DB2 Academic Workshop"