DB2 Introduction - 04 Database Security.ppt
8/9/2019 DB2 Introduction - 04 Database Security.ppt
http://slidepdf.com/reader/full/db2-introduction-04-database-securityppt 1/41
IBM Software Group
Olaf Depper ([email protected]) October 2004 © 2004 IBM Corporation
Introduction To IBM Universal Database for Linux, UNIX And Windows
4. Database Security
© 2003 IBM Corporation | Introduction to DB2 - 4. Database Security | October 2004
Agenda
Database Security
- Authentication
- Authorities
- Privileges
DB2 Security Mechanisms
There are three main mechanisms within DB2 that allow a DBA to implement a database security plan:
- Authentication
  DB2 authentication works closely with the security features of the underlying operating system to verify user IDs and passwords
- Authorization
  Authorization involves determining the operations that users and/or groups can perform, and the data objects that they may access
- Privileges
  Privileges help define the objects that a user can create or drop. They also define the commands that a user can use to access objects
DB2 Authentication
DB2 Authentication Vs. Authorization
DB2 uses a combination of:
- External security service
- Internal access control information
Authentication
- Identify the user
  Check entered username and password
- Done by a security facility outside DB2 (part of the OS, DCE, Kerberos, ...)
Authorization
- Check if the authenticated user may perform the requested operation
- Done by DB2 facilities
  Information stored in the DB2 catalog and the DBM configuration file
[Figure: a client runs "db2 connect to mydb user linda using pwd" and then db2 "select * from mytable" against myTable. Authentication: Is pwd the correct password for linda? Authorization: Does Linda have an authorization to perform SELECT on myTable?]
DB2 Authentication
DB2 authentication controls the following aspects of a database security plan:
- Who is allowed access to the instance and/or database
- Where and how a user's password will be verified
It does this with the help of the underlying operating system security features whenever an attach or connect command is issued
- An attach command is used to connect to the DB2 instance
- A connect command is used to connect to a database within a DB2 instance
DB2 Authentication Types
Authentication types are used by DB2 to determine where authentication is to take place
The following table summarizes the available DB2 authentication types

Type                 Description
SERVER               Authentication takes place on the server
SERVER_ENCRYPT       Authentication takes place on the server. Passwords are encrypted on the client before being sent to the server
CLIENT               Authentication takes place on the client machine
KERBEROS             Authentication is performed by the Kerberos security software
KRB_SERVER_ENCRYPT   Authentication is performed by the Kerberos security software if the client setting is KERBEROS. Otherwise, SERVER_ENCRYPT is used
* Default for SAP
Setting Authentication On The Server
Authentication is set on the database server within the Database Manager Configuration (DBM CFG) file using the AUTHENTICATION parameter
Example:
- To view the authentication parameter in the configuration file:
  db2 get dbm cfg
- To alter the authentication parameter to SERVER_ENCRYPT:
  db2 update dbm cfg using authentication SERVER_ENCRYPT
  db2stop
  db2start
Setting Authentication On The Client
The client authentication setting must match that of the database server to which the client is connecting
- (with the exception of KRB_SERVER_ENCRYPT)
Client authentication is set using the catalog database command
Example:
- Let's assume the server authentication type is set to SERVER. The following command would then be issued to catalog the server database named sample:
  db2 catalog database sample at node nd1 authentication server
- If the authentication type is not specified, the client will try to use SERVER_ENCRYPT by default
Dealing With Untrusted Clients
If the server or gateway machine has authentication set to CLIENT, this implies that the client is expected to authenticate a user's ID and password
However, some client machines may not have operating systems with native security features
- Such untrusted clients include DB2 clients running on Windows 9x
There are two additional parameters in the DBM CFG file used to determine where authentication should take place when the server or gateway authentication method is set to CLIENT and untrusted clients are attempting to connect to the database or attach to the DB2 instance
- TRUST_ALLCLNTS
- TRUST_CLNTAUTH
Dealing With Untrusted Clients (Cont'd)
TRUST_ALLCLNTS
- Decide whether to trust all clients
  YES: All clients, whether or not they are trusted, are forced to authenticate at the client
  NO: All untrusted clients will be authenticated at the server (meaning that a user ID and password must be provided); all trusted clients will be authenticated at the client machine
  DRDAONLY: Trust only clients that are running on iSeries or zSeries platforms (i.e., DRDA clients); any other clients must provide user ID and password
Dealing With Untrusted Clients (Cont'd)
TRUST_CLNTAUTH
- Where will the authentication take place when a user ID and password are supplied and the authentication type is CLIENT
  CLIENT: Authentication is done at the client; a user ID and password are not required
  SERVER: Authentication is done at the server if a user ID and password are supplied. If no user ID and password are supplied, the authentication will take place at the client
Database Authentication - Example
UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT
- db2 connect to sample
  Only possible on the database server
  All clients will be authenticated at the server; no connect is possible without supplying user ID and password from a client machine. Connection data is sent encrypted from the client to the server
UPDATE DBM CFG USING AUTHENTICATION CLIENT
TRUST_ALLCLNTS NO
- db2 connect to sample user john using pass
  Authentication on the trusted client
  All untrusted clients will be authenticated at the server
Database Authentication - Example (Cont'd)
UPDATE DBM CFG USING AUTHENTICATION CLIENT
TRUST_ALLCLNTS NO
TRUST_CLNTAUTH CLIENT
- db2 connect to sample user john using pass
  Authentication on Client
- db2 connect to sample
  Authentication on Client
UPDATE DBM CFG USING AUTHENTICATION CLIENT
TRUST_ALLCLNTS NO
TRUST_CLNTAUTH SERVER
- db2 connect to sample user john using pass
  Authentication on Server
- db2 connect to sample
  Authentication on Client
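The following Python is an added example, not part of the deck and not IBM code. It encodes the placement rules from the TRUST_ALLCLNTS and TRUST_CLNTAUTH slides and the connect examples above as one function, reads the three parameters out of a constructed excerpt shaped like the output of the "db2 get dbm cfg" command from the server slide (only the "(PARAMETER) = VALUE" part is parsed; the label text is illustrative), and lists the combinations a review of the DBM CFG would flag. The client kinds "trusted", "untrusted" and "drda" and the function names are this example's own labels.

```python
"""Where DB2 authenticates a connect, modelled from the deck's DBM CFG rules."""
import re
from dataclasses import dataclass

# Authentication types under which the server always verifies the user
SERVER_SIDE_TYPES = {"SERVER", "SERVER_ENCRYPT", "KERBEROS", "KRB_SERVER_ENCRYPT"}


@dataclass(frozen=True)
class DbmCfg:
    """The three DBM CFG parameters the deck discusses."""
    authentication: str = "SERVER_ENCRYPT"
    trust_allclnts: str = "YES"      # YES | NO | DRDAONLY
    trust_clntauth: str = "CLIENT"   # CLIENT | SERVER


# Constructed excerpt shaped like 'db2 get dbm cfg' output; the label text is
# not parsed, only the '(PARAMETER) = VALUE' part is.
SAMPLE_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = NO
 Trusted client authentication          (TRUST_CLNTAUTH) = SERVER
"""

_PARAM = re.compile(r"\((AUTHENTICATION|TRUST_ALLCLNTS|TRUST_CLNTAUTH)\)\s*=\s*(\S+)")


def parse_dbm_cfg(text: str) -> DbmCfg:
    """Pull the three authentication parameters out of 'db2 get dbm cfg' output."""
    found = {name: value.upper() for name, value in _PARAM.findall(text)}
    return DbmCfg(
        authentication=found.get("AUTHENTICATION", "SERVER_ENCRYPT"),
        trust_allclnts=found.get("TRUST_ALLCLNTS", "YES"),
        trust_clntauth=found.get("TRUST_CLNTAUTH", "CLIENT"),
    )


def where_authenticated(cfg: DbmCfg, client_kind: str,
                        credentials_supplied: bool, on_server: bool = False) -> str:
    """Return 'server', 'client' or 'rejected' for one connect attempt.

    client_kind (this example's own labels):
      'trusted'   client OS has native security features
      'untrusted' client OS without them, e.g. Windows 9x
      'drda'      iSeries/zSeries DRDA client
    on_server: the connect is issued on the database server machine itself.
    """
    auth = cfg.authentication.upper()
    if auth in SERVER_SIDE_TYPES:
        # All clients are authenticated at the server; without user ID and
        # password a connect is only possible on the database server itself.
        return "server" if (credentials_supplied or on_server) else "rejected"
    if auth != "CLIENT":
        raise ValueError(f"unknown AUTHENTICATION value {auth!r}")

    trust_all = cfg.trust_allclnts.upper()
    if trust_all == "YES":
        trusted = True                                  # every client is trusted
    elif trust_all == "NO":
        trusted = client_kind in ("trusted", "drda")    # only clients with native security
    elif trust_all == "DRDAONLY":
        trusted = client_kind == "drda"                 # only iSeries/zSeries clients
    else:
        raise ValueError(f"unknown TRUST_ALLCLNTS value {trust_all!r}")

    if not trusted:
        # Untrusted clients must supply user ID and password, checked at the server
        return "server" if credentials_supplied else "rejected"
    # Trusted client: TRUST_CLNTAUTH only matters when credentials are supplied
    if credentials_supplied and cfg.trust_clntauth.upper() == "SERVER":
        return "server"
    return "client"


def review(cfg: DbmCfg) -> list:
    """Findings a DBM CFG review would raise, each backed by a rule on the slides."""
    notes = []
    auth = cfg.authentication.upper()
    if auth == "SERVER":
        notes.append("AUTHENTICATION=SERVER: the password is not encrypted on the "
                     "client; SERVER_ENCRYPT encrypts it before it is sent")
    elif auth == "CLIENT":
        if cfg.trust_allclnts.upper() == "YES":
            notes.append("AUTHENTICATION=CLIENT with TRUST_ALLCLNTS=YES: untrusted "
                         "clients are never authenticated at the server")
        elif cfg.trust_clntauth.upper() == "CLIENT":
            notes.append("TRUST_CLNTAUTH=CLIENT: a supplied user ID and password are "
                         "verified on the trusted client, not by the server")
    return notes


if __name__ == "__main__":
    cfg = parse_dbm_cfg(SAMPLE_DBM_CFG)
    for kind in ("trusted", "untrusted", "drda"):
        for creds in (True, False):
            print(f"{kind:9} creds={creds!s:5} -> {where_authenticated(cfg, kind, creds)}")
    for note in review(cfg):
        print("finding:", note)
```

Run against real output by piping `db2 get dbm cfg` into parse_dbm_cfg; the sample configuration (CLIENT, TRUST_ALLCLNTS NO, TRUST_CLNTAUTH SERVER) reproduces the last block of the slide: a trusted client supplying a user ID and password is checked at the server, the same client without credentials is checked locally, and an untrusted client without credentials is refused.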
Database Authentication - Windows
DB2 for Windows exploits the native Windows security system to authenticate users
DB2 uses Windows to attempt to authenticate a user in the following order of user information:
1. Local Security Access Manager (SAM)
2. Domain Controller
3. Trusted Domain Controller
- Example:
  If the authentication type is SERVER, the DB2 server attempts to authenticate the user at the server machine
  If the user is not defined in the server machine's SAM, the authentication will be attempted on the domain controller
  If the user is not defined on the domain controller, the domain controller of the trusted domains is used
  If the user is not defined in the trusted domain, the authentication will fail
Authentication In A SAP Environment
[Figure: disp+work.exe, running as user <SID>ADM, connects to the database server ("Connect to <SID> user SAP<SID> using PASSWORD"). The password is taken from DSCDB.CONF, which is written by DSCDBUP and protected with an OS API encrypt/decrypt algorithm.]
Authentication In A SAP Environment (Cont'd)
In a SAP environment, the disp+work processes are connected to the database as user sapr3 / sap<sid>
- Some database operations are also performed by user <sid>adm
Because an interactive logon is not possible, an encrypted password file is used to allow these users access to the database
The password file is called dscdb.conf and is located in the global directory of the /usr/sap file system
- The db2<sid> user needs read access to the password file
The password file is created by using the dscdbup tool
- Please remember: once you change the password of sapr3/sap<sid> and/or <sid>adm on the operating system level, you must also update the dscdb.conf file
DB2 Authorities
DB2 Authorities - Overview (Cont'd)
Authorities are made up of groups of privileges and higher-level database manager (instance-level) maintenance and utility operations
- SYSADM, SYSCTRL and SYSMAINT are instance-level authorities
  These authorities can only be assigned to an (operating system) group; this is done through the DBM CFG file
- The DBADM and LOAD authorities are assigned to a user or group for a particular database
  This can be done explicitly using the GRANT command
DB2 Authorities
[Figure: Authorities: SYSADM, SYSCTRL, SYSMAINT (annotated "Cannot access data"), DBADM, LOAD (annotated "Can access data"). Privileges: Ownership (Control), Individual, Implicit.]
Obtaining Database Authorities
Instance-level authorities
- The authorities SYSADM, SYSCTRL, and SYSMAINT are associated with groups and are specified at the instance level
  • UPDATE DBM CFG USING SYSADM_GROUP <GROUP1>
    every user ID that is a member of group1 will have SYSADM authority on this instance
  • UPDATE DBM CFG USING SYSCTRL_GROUP <GROUP2>
  • UPDATE DBM CFG USING SYSMAINT_GROUP <GROUP3>
Obtaining Database Authorities (Cont'd)
DBADM Authority
- The creator of a database will automatically have DBADM authority for the new database. Other users may be granted the DBADM authority by a SYSADM user:
  • GRANT DBADM ON DATABASE TO USER <USER1>
LOAD Authority
- Only users with either SYSADM or DBADM authority are permitted to grant or revoke LOAD authority to users or groups
  • GRANT LOAD ON DATABASE TO USER <USER1>
Database Authority - Windows Considerations
In a Windows domain environment, a group list for the authenticated user is enumerated at the machine where the authentication is done
The DB2_GRP_LOOKUP registry variable lets you specify where the list of groups a user belongs to should be enumerated:
- LOCAL: At the DB2 server, the list of groups is enumerated using the local SAM of the DB2 server
  By setting this value, the database administrator does not need to have administrative authority for the Windows domains
- DOMAIN: DB2 will always enumerate groups and validate user accounts on the user account's Windows domain
DB2 Privileges
Authorities And Privileges
[Figure: Authorities: SYSADM, SYSCTRL, SYSMAINT, DBADM, LOAD (Database). Privileges: CONNECT (Database), BINDADD (Database), CREATETAB (Database), IMPLICIT_SCHEMA (Database); Schema Owner: CREATEIN, ALTERIN, DROPIN; Table space Owner: USE; CONTROL (Tables) = ALL: ALTER, DELETE, INDEX, INSERT, REFERENCES, SELECT, UPDATE; CONTROL (Views) = ALL: DELETE, INSERT, SELECT, UPDATE; CONTROL (Indexes).]
Resources: Privileges Required

Resource       Needed to create                        Needed to control   Other privileges
Database       SYSADM, SYSCTRL                         DBADM               CONNECT, BINDADD, CREATETAB, CREATE_NOT_FENCED, IMPLICIT_SCHEMA
Table (T) /    CREATETAB (T); CONTROL or SELECT (V)    CONTROL             SELECT (T/V), INSERT (T/V), DELETE (T/V), UPDATE (T/V), ALTER (T), INDEX (T), REFERENCES (T)
View (V)
Package        BINDADD                                 CONTROL             BIND, EXECUTE
Index          INDEX                                   CONTROL             none
Alias          If the schema differs from the          CONTROL             none
               current authid: DBADM, SYSADM
Schemas        SYSADM, DBADM, IMPLICIT_SCHEMA          Schema Owner        CREATEIN, ALTERIN, DROPIN
Grant Command - Table, View Privileges Support
[Syntax diagram, rendered as text:]
GRANT { ALL [PRIVILEGES] | ALTER | CONTROL | DELETE | INDEX | INSERT | REFERENCES [(column-name, ...)] | SELECT | UPDATE [(column-name, ...)] }
      ON [TABLE] table-name | view-name
      TO { [USER | GROUP] authorization-name | PUBLIC } [WITH GRANT OPTION]
Grant Explicit Privileges
Granting a privilege with grant option allows the authorization ID to extend the specified privilege to others
- This option is only available for package, routine, schema, table, table space, and view
Although the grant privilege is extended, the revoke privilege is not. If privileges are received through the with grant option, a user will not be able to revoke the privileges from others
Example
- This statement allows john to perform select, update, or delete operations on the table employee and to grant any of these privileges to others:
  db2 grant select, update, delete on table employee to user john with grant option
Example - Controlling Use Of Schemas
Schemas are named collections of objects
- The schema forms the high-order part of an object's two-part name
A user with DBADM authority creates schema PAY for user MEL:
- CREATE SCHEMA PAY AUTHORIZATION MEL
Mel can create objects in schema PAY:
- CREATE TABLE PAY.T1 (COL1 INT)
Mel can grant privileges to other users:
- GRANT CREATEIN ON SCHEMA PAY TO USER CAL
- GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA PAY TO GROUP G1 WITH GRANT OPTION
Achieving greater schema control:
- REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
- GRANT IMPLICIT_SCHEMA ON DATABASE TO USER JON
Individual IDs, Group IDs And Public
[Figure: individual IDs (ivo, bill, melanie), operating system groups (usr: melanie; staff: bill, ivo) and PUBLIC (all users) are the grantees recorded in the system catalogs SYSCAT.DBAUTH, SYSCAT.INDEXAUTH, SYSCAT.PACKAGEAUTH, SYSCAT.TABAUTH, SYSCAT.COLAUTH and SYSCAT.SCHEMAAUTH.]
PUBLIC is a special DB2 group that includes all users of a particular database. PUBLIC does not have to be defined at the O/S level
Group And User Support
[Figure: table "Permitted on" / "Does the System Know About?" for the statements
  GRANT SELECT ON TABLE EMPLOYEE TO CAL
  GRANT SELECT ON TABLE EMPLOYEE TO USER CAL
  GRANT SELECT ON TABLE EMPLOYEE TO GROUP CAL
showing, for UNIX and for OS/2 or Windows NT, whether each grant is permitted depending on whether the system knows "cal" as a user, as a group, or as both (N/A where the statement does not apply).]
Implicit Privileges
CREATE DATABASE
- Internal GRANT of DBADM authority with CONNECT, CREATETAB, BINDADD, CREATE_NOT_FENCED, LOAD and IMPLICIT_SCHEMA privileges to the creator (SYSADM or SYSCTRL)
- Internal GRANT of BINDADD, CREATETAB, CONNECT and IMPLICIT_SCHEMA to PUBLIC
- BIND and EXECUTE privilege on each successfully bound utility to PUBLIC
- SELECT on system catalog tables and views to PUBLIC
- USE privilege on the USERSPACE1 table space to PUBLIC
GRANT DBADM
- Internal GRANT of BINDADD, CREATETAB, CONNECT, CREATE_NOT_FENCED, LOAD and IMPLICIT_SCHEMA
Create object (table, index, package)
- Internal GRANT of CONTROL to the object creator
Create view
- Internal GRANT of the intersection of the creator's privileges on the base tables to the view creator
Indirect Privileges
Privileges can be obtained indirectly when packages are executed by the database manager
- A package contains one or more SQL statements in an executable format
- If all the statements in the package are static, a user would only require EXECUTE privilege on the package to successfully execute the statements in the package
Example: Assume dpackage1 executes the following static SQL statements:
  db2 select * from org
  db2 insert into test values (1, 2, 3)
- In this case, a user with EXECUTE privilege on dpackage1 would indirectly be granted SELECT privilege on the table org and INSERT privilege on the table test
Query Privileges Granted To Current ID
db2 "SELECT * FROM SYSCAT.TABAUTH WHERE GRANTEE IN (USER, 'PUBLIC')"
db2 get authorizations
"Rounding up Privileges"
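As an added example (not from the deck and not IBM code), the following Python audits a constructed snapshot of SYSCAT.DBAUTH, the database-level counterpart of the SYSCAT.TABAUTH query above, for the privileges the Implicit Privileges slide lists. The column names (BINDADDAUTH, CONNECTAUTH, CREATETABAUTH, DBADMAUTH, NOFENCEAUTH, IMPLSCHEMAAUTH, LOADAUTH, holding N, Y or G for WITH GRANT OPTION) are assumed here; the grantees DB2INST1, SIDADM and JOHN and their rows are constructed. It lists what PUBLIC received at CREATE DATABASE, produces the REVOKE statements that take back everything but CONNECT (the schema slide's REVOKE IMPLICIT_SCHEMA ... FROM PUBLIC generalized to the other implicit grants), and flags privileges held with grant option, which the Grant Explicit Privileges slide says the holder can pass on but cannot revoke from others.

```python
"""Audit database-level privileges in a SYSCAT.DBAUTH snapshot (constructed)."""
from typing import Dict, List, Tuple

# Columns of SYSCAT.DBAUTH read here (names as assumed for this example).
# Each holds 'N', 'Y', or 'G' = held WITH GRANT OPTION.
PRIV_COLUMNS = {
    "BINDADDAUTH": "BINDADD",
    "CONNECTAUTH": "CONNECT",
    "CREATETABAUTH": "CREATETAB",
    "DBADMAUTH": "DBADM",
    "NOFENCEAUTH": "CREATE_NOT_FENCED",
    "IMPLSCHEMAAUTH": "IMPLICIT_SCHEMA",
    "LOADAUTH": "LOAD",
}

# The query a DBA would run to fetch the PUBLIC row (shown for reference only)
PUBLIC_QUERY = "SELECT * FROM SYSCAT.DBAUTH WHERE GRANTEE = 'PUBLIC'"


def _row(grantee: str, grantee_type: str, **flags: str) -> Dict[str, str]:
    """Build one catalog row; unspecified privilege columns default to 'N'."""
    row = {"GRANTEE": grantee, "GRANTEETYPE": grantee_type}   # U = user, G = group
    row.update({col: flags.get(col, "N") for col in PRIV_COLUMNS})
    return row


# Constructed sample: PUBLIC and the creator (DB2INST1) as CREATE DATABASE leaves
# them, SIDADM after GRANT DBADM, and JOHN holding BINDADD WITH GRANT OPTION.
SAMPLE_ROWS = [
    _row("PUBLIC", "G", BINDADDAUTH="Y", CONNECTAUTH="Y", CREATETABAUTH="Y", IMPLSCHEMAAUTH="Y"),
    _row("DB2INST1", "U", **{col: "Y" for col in PRIV_COLUMNS}),
    _row("SIDADM", "U", **{col: "Y" for col in PRIV_COLUMNS}),
    _row("JOHN", "U", CONNECTAUTH="Y", BINDADDAUTH="G"),
]


def privileges_of(rows, grantee: str) -> Dict[str, str]:
    """Database privileges a grantee holds, as {privilege: 'Y' | 'G'}."""
    held = {}
    for row in rows:
        if row["GRANTEE"] != grantee:
            continue
        for col, priv in PRIV_COLUMNS.items():
            if row[col] in ("Y", "G"):
                held[priv] = row[col]
    return held


def public_hardening(rows, keep=("CONNECT",)) -> List[str]:
    """REVOKE statements for everything PUBLIC holds beyond the privileges in keep."""
    return [f"REVOKE {priv} ON DATABASE FROM PUBLIC"
            for priv in privileges_of(rows, "PUBLIC") if priv not in keep]


def grant_option_holders(rows) -> List[Tuple[str, str]]:
    """(grantee, privilege) pairs held WITH GRANT OPTION, i.e. re-grantable to others."""
    return [(row["GRANTEE"], priv)
            for row in rows for col, priv in PRIV_COLUMNS.items() if row[col] == "G"]


def dbadm_holders(rows) -> List[str]:
    """Every authorization ID with DBADM on the database."""
    return sorted(row["GRANTEE"] for row in rows if row["DBADMAUTH"] in ("Y", "G"))


if __name__ == "__main__":
    print("PUBLIC holds:", privileges_of(SAMPLE_ROWS, "PUBLIC"))
    for stmt in public_hardening(SAMPLE_ROWS):
        print(stmt)
    print("with grant option:", grant_option_holders(SAMPLE_ROWS))
    print("DBADM:", dbadm_holders(SAMPLE_ROWS))
```

Feeding real rows (for example exported from the PUBLIC_QUERY above) instead of SAMPLE_ROWS turns this into a quick post-CREATE DATABASE check: the three REVOKE statements it prints for the sample are exactly the implicit PUBLIC grants the slide lists apart from CONNECT.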
Grant/Revoke Scenarios 1/4
GRANT DBADM ON DATABASE TO USER SIDADM
GET AUTHORIZATIONS

Administrative Authorizations for Current User
 Direct SYSADM authority            = NO
 Direct SYSCTRL authority           = NO
 Direct SYSMAINT authority          = NO
 Direct DBADM authority             = YES
 Direct CREATETAB authority         = YES
 Direct BINDADD authority           = YES
 Direct CONNECT authority           = YES
 Direct CREATE_NOT_FENC authority   = YES
 Direct IMPLICIT_SCHEMA authority   = YES
 Direct LOAD authority              = YES
 Indirect SYSADM authority          = NO
 Indirect SYSCTRL authority         = YES
 Indirect SYSMAINT authority        = NO
 Indirect DBADM authority           = NO
 Indirect CREATETAB authority       = NO
 Indirect BINDADD authority         = NO
 Indirect CONNECT authority         = NO
 Indirect CREATE_NOT_FENC authority = NO
 Indirect IMPLICIT_SCHEMA authority = YES
 Indirect LOAD authority            = NO
Grant/Revoke Scenarios 2/4
REVOKE DBADM ON DATABASE FROM USER SIDADM
GET AUTHORIZATIONS

Administrative Authorizations for Current User
 Direct SYSADM authority            = NO
 Direct SYSCTRL authority           = NO
 Direct SYSMAINT authority          = NO
 Direct DBADM authority             = NO
 Direct CREATETAB authority         = YES
 Direct BINDADD authority           = YES
 Direct CONNECT authority           = YES
 Direct CREATE_NOT_FENC authority   = YES
 Direct IMPLICIT_SCHEMA authority   = YES
 Direct LOAD authority              = YES
 Indirect SYSADM authority          = NO
 Indirect SYSCTRL authority         = YES
 Indirect SYSMAINT authority        = NO
 Indirect DBADM authority           = NO
 Indirect CREATETAB authority       = NO
 Indirect BINDADD authority         = NO
 Indirect CONNECT authority         = NO
 Indirect CREATE_NOT_FENC authority = NO
 Indirect IMPLICIT_SCHEMA authority = YES
 Indirect LOAD authority            = NO
Grant/Revoke Scenarios 3/4
REVOKE BINDADD ON DATABASE FROM USER SIDADM
GET AUTHORIZATIONS

Administrative Authorizations for Current User
 Direct SYSADM authority            = NO
 Direct SYSCTRL authority           = NO
 Direct SYSMAINT authority          = NO
 Direct DBADM authority             = NO
 Direct CREATETAB authority         = YES
 Direct BINDADD authority           = NO
 Direct CONNECT authority           = YES
 Direct CREATE_NOT_FENC authority   = YES
 Direct IMPLICIT_SCHEMA authority   = YES
 Direct LOAD authority              = YES
 Indirect SYSADM authority          = NO
 Indirect SYSCTRL authority         = YES
 Indirect SYSMAINT authority        = NO
 Indirect DBADM authority           = NO
 Indirect CREATETAB authority       = NO
 Indirect BINDADD authority         = NO
 Indirect CONNECT authority         = NO
 Indirect CREATE_NOT_FENC authority = NO
 Indirect IMPLICIT_SCHEMA authority = YES
 Indirect LOAD authority            = NO
Grant/Revoke Scenarios 4/4
GRANT DBADM ON DATABASE TO USER SIDADM
GET AUTHORIZATIONS

Administrative Authorizations for Current User
 Direct SYSADM authority            = NO
 Direct SYSCTRL authority           = NO
 Direct SYSMAINT authority          = NO
 Direct DBADM authority             = YES
 Direct CREATETAB authority         = YES
 Direct BINDADD authority           = YES
 Direct CONNECT authority           = YES
 Direct CREATE_NOT_FENC authority   = YES
 Direct IMPLICIT_SCHEMA authority   = YES
 Direct LOAD authority              = YES
 Indirect SYSADM authority          = NO
 Indirect SYSCTRL authority         = YES
 Indirect SYSMAINT authority        = NO
 Indirect DBADM authority           = NO
 Indirect CREATETAB authority       = NO
 Indirect BINDADD authority         = NO
 Indirect CONNECT authority         = NO
 Indirect CREATE_NOT_FENC authority = NO
 Indirect IMPLICIT_SCHEMA authority = YES
 Indirect LOAD authority            = NO
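To make the four scenarios checkable, the following Python is an added example (not from the deck, not IBM code). It parses output in the shape of the "db2 get authorizations" listing printed on the scenario slides (the two snapshots are constructed from scenarios 1/4 and 2/4), computes which authorities the ID effectively holds, directly or indirectly, diffs two snapshots, and lists the privileges that GRANT DBADM granted implicitly and that REVOKE DBADM leaves behind, together with the per-privilege REVOKE statements (the step scenario 3/4 shows for BINDADD) that remove them. The user name SIDADM is the deck's; the function names and the truncated spelling CREATE_NOT_FENC in the output are as on the slides.

```python
"""Diff two 'db2 get authorizations' snapshots and find what REVOKE DBADM left behind."""
import re
from typing import Dict, List, Set, Tuple

# One line of 'db2 get authorizations' output, e.g.
#   Direct SYSADM authority                   = NO
_LINE = re.compile(r"^\s*(Direct|Indirect)\s+(\S+)\s+authority\s*=\s*(YES|NO)[ \t]*$", re.M)

# Constructed from the "Grant/Revoke Scenarios 1/4" slide: output for SIDADM
# right after GRANT DBADM ON DATABASE TO USER SIDADM.
AFTER_GRANT_DBADM = """\
Administrative Authorizations for Current User
 Direct SYSADM authority            = NO
 Direct SYSCTRL authority           = NO
 Direct SYSMAINT authority          = NO
 Direct DBADM authority             = YES
 Direct CREATETAB authority         = YES
 Direct BINDADD authority           = YES
 Direct CONNECT authority           = YES
 Direct CREATE_NOT_FENC authority   = YES
 Direct IMPLICIT_SCHEMA authority   = YES
 Direct LOAD authority              = YES
 Indirect SYSADM authority          = NO
 Indirect SYSCTRL authority         = YES
 Indirect SYSMAINT authority        = NO
 Indirect DBADM authority           = NO
 Indirect CREATETAB authority       = NO
 Indirect BINDADD authority         = NO
 Indirect CONNECT authority         = NO
 Indirect CREATE_NOT_FENC authority = NO
 Indirect IMPLICIT_SC HEMA authority = YES
 Indirect LOAD authority            = NO
""".replace("IMPLICIT_SC HEMA", "IMPLICIT_SCHEMA")
# Scenario 2/4: the same output after REVOKE DBADM; only the Direct DBADM line changes
AFTER_REVOKE_DBADM = re.sub(r"(Direct DBADM authority\s*=\s*)YES", r"\1NO", AFTER_GRANT_DBADM)

# Privileges the Implicit Privileges slide says GRANT DBADM hands out internally;
# the listing abbreviates CREATE_NOT_FENCED as CREATE_NOT_FENC.
DBADM_IMPLICIT = {"BINDADD", "CREATETAB", "CONNECT", "CREATE_NOT_FENC", "IMPLICIT_SCHEMA", "LOAD"}
REVOKE_NAME = {"CREATE_NOT_FENC": "CREATE_NOT_FENCED"}


def parse_authorizations(text: str) -> Dict[Tuple[str, str], bool]:
    """Map (kind, authority) -> held? for every Direct/Indirect line."""
    return {(kind, name): value == "YES" for kind, name, value in _LINE.findall(text)}


def effective(auths: Dict[Tuple[str, str], bool]) -> Set[str]:
    """What the ID can actually do: held directly or indirectly (group, PUBLIC)."""
    return {name for (_, name), held in auths.items() if held}


def direct_diff(before, after) -> Tuple[Set[str], Set[str]]:
    """(lost, gained) direct authorities between two snapshots."""
    b = {n for (k, n), h in before.items() if k == "Direct" and h}
    a = {n for (k, n), h in after.items() if k == "Direct" and h}
    return b - a, a - b


def dbadm_leftovers(auths) -> Set[str]:
    """Privileges GRANT DBADM added that survive a REVOKE DBADM as direct grants."""
    if auths.get(("Direct", "DBADM"), False):
        return set()
    return {n for n in DBADM_IMPLICIT if auths.get(("Direct", n), False)}


def revoke_statements(privs: Set[str], user: str) -> List[str]:
    """REVOKE statements that take the leftover privileges back one by one."""
    return [f"REVOKE {REVOKE_NAME.get(p, p)} ON DATABASE FROM USER {user}" for p in sorted(privs)]


if __name__ == "__main__":
    before = parse_authorizations(AFTER_GRANT_DBADM)
    after = parse_authorizations(AFTER_REVOKE_DBADM)
    print("lost/gained by REVOKE DBADM:", direct_diff(before, after))
    print("still effective:", sorted(effective(after)))
    for stmt in revoke_statements(dbadm_leftovers(after), "SIDADM"):
        print(stmt)
```

The diff between scenarios 1/4 and 2/4 is just {DBADM}: revoking the authority does not revoke the six privileges it granted implicitly, and SYSCTRL remains effective through group membership, which is why dbadm_leftovers() and the generated REVOKE list are the useful part of a de-provisioning check.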
Query Who Has Which Privileges
Most of the information on authorizations is maintained in seven system catalog tables:
- SYSCAT.DBAUTH       Database privileges
- SYSCAT.COLAUTH      Table and view column privileges
- SYSCAT.INDEXAUTH    Index privileges
- SYSCAT.PACKAGEAUTH  Access package privileges
- SYSCAT.SCHEMAAUTH   Schema privileges
- SYSCAT.TABAUTH      Table and view privileges
- SYSCAT.TBSPACEAUTH  Table space privileges
- SYSADM, SYSCTRL and SYSMAINT authority and group membership are defined outside the Database Manager and are therefore not reflected in the system catalogs