
DB2 9 Fundamentals exam 730 prep, Part 2: Security

Graham G. Milne (gmilne@ca.ibm.com), I/T Specialist DB2 UDB, IBM Canada
Graham Milne, HBSc. - Computer Science, is a DB2 Certified Advanced Technical Expert and has been working with DB2 since 1998. Currently Graham is a Premium Support Manager for DB2 supporting large premium customers. Previous to this, he was the senior advanced service consultant for DB2 support based out of the IBM Toronto Software Lab.

Summary:  This tutorial introduces the concepts of authentication, authorization, and privileges as they relate to DB2® 9. It is the second in a series of seven tutorials designed to help you prepare for the DB2 9 for Linux®, UNIX®, and Windows® Fundamentals Certification Exam (730). You should have basic knowledge of database concepts and operating system security.


Date:  20 Jul 2006
Level:  Intermediate

DB2 security

Aspects of database security

Database security is of utmost importance today. Your database might allow customers to purchase products over the Internet, or it can contain historical data used to predict business trends; either way, your company needs a sound database security plan.

A database security plan should define:

  • Who is allowed access to the instance and/or database
  • Where and how a user's password will be verified
  • Authority level that a user is granted
  • Commands that a user is allowed to run
  • Data that a user is allowed to read and/or alter
  • Database objects a user is allowed to create, alter, and/or drop

DB2 security mechanisms

There are three main mechanisms within DB2 that allow a DBA to implement a database security plan: authentication, authorization, and privileges.

Authentication is the first security feature you'll encounter when you attempt to access a DB2 instance or database. DB2 authentication works closely with the security features of the underlying operating system to verify user IDs and passwords. DB2 can also work with security protocols like Kerberos to authenticate users.

Authorization involves determining the operations that users and/or groups can perform, and the data objects that they may access. A user's ability to perform high-level database and instance management operations is determined by the authorities that they have been assigned. The five different authority levels within DB2 are SYSADM, SYSCTRL, SYSMAINT, DBADM, and LOAD.

Privileges are a bit more granular than authorities, and can be assigned to users and/or groups. Privileges help define the objects that a user can create or drop. They also define the commands that a user can use to access objects like tables, views, indexes, and packages. New to DB2 9 is the concept of label-based access control (LBAC), which allows more granular control of who can access individual rows and/or columns.

To prepare for the next section of the tutorial, you will need to create a database within the DB2 instance. Make sure that the %DB2INSTANCE% variable is still set to DB2, and then create the sample database using the command db2sampl drive, where drive is the name of the drive on which you want to create the sample. For the examples in this tutorial, you'll create the sample database on your D: drive, as follows:

D:\SQLLIB\BIN> db2sampl d:
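
The difference between an authority and a privilege, described under "DB2 security mechanisms" above, can be seen directly in the system catalog once the sample database exists. The script below is an added example, not part of the original tutorial; it assumes you run it as the user who created SAMPLE (so the unqualified EMPLOYEE table resolves to that user's schema), and TST1 is a hypothetical authorization ID.

```sql
-- Added example: run with  db2 -tvf audit_auth.sql
-- TST1 is a hypothetical authorization ID used only for illustration.
CONNECT TO sample;

-- Authority: granted on the database as a whole.
-- LOAD is one of the five authority levels (SYSADM, SYSCTRL, SYSMAINT, DBADM, LOAD).
GRANT LOAD ON DATABASE TO USER tst1;

-- Privileges: granted on an individual object.
-- LOAD authority alone is not enough to load rows; the user also needs
-- INSERT privilege on the target table.
GRANT SELECT, INSERT ON TABLE employee TO USER tst1;

-- Audit database-level authorities recorded in the catalog.
-- Also review the PUBLIC row: whatever PUBLIC holds, every user holds.
-- SYSADM, SYSCTRL and SYSMAINT do not appear here; they are assigned to
-- operating system groups through the database manager configuration
-- (SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP).
SELECT SUBSTR(grantee, 1, 12) AS grantee,
       granteetype,                       -- U = user, G = group
       dbadmauth, loadauth, connectauth   -- Y or N
FROM   syscat.dbauth
ORDER  BY grantee;

-- Audit object-level privileges held by TST1.
-- Y = held, G = held and grantable to others, N = not held.
SELECT SUBSTR(tabschema, 1, 12) AS tabschema,
       SUBSTR(tabname, 1, 18)   AS tabname,
       selectauth, insertauth, updateauth, deleteauth
FROM   syscat.tabauth
WHERE  grantee = 'TST1';

-- Clean up so the sample database is left as created.
REVOKE SELECT, INSERT ON TABLE employee FROM USER tst1;
REVOKE LOAD ON DATABASE FROM USER tst1;
CONNECT RESET;
```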


Clients, servers, gateways, and hosts

It is particularly important that you understand the terms client, server, gateway, and host when considering the security of the entire database environment. A database environment often consists of several different machines; you must safeguard the database at any potential data access point. The concepts of clients, servers, gateways, and hosts are particularly important when dealing with DB2 authentication.

The diagram below illustrates a basic client-server-host configuration.


Figure 1. Basic client-server-host configuration

The database server is the machine (or machines in a partitioned database system) on which the database physically resides. The DB2 database clients are machines that are configured to run queries against the database on the server. These clients can be local (reside on the same physical machine as the database server) or they can be remote (reside on separate machines).

If the database resides on a mainframe machine running an operating system like AS/400® (iSeries®) or OS/390® (zSeries®), it's called a host or host server. A gateway is a machine running the DB2 Connect product. Through the gateway, DB2 client machines can connect to a DB2 database that resides on a host machine. The gateway is also referred to as the DB2 Connect Server. Systems with the Enterprise Server Edition product installed also have the DB2 Connect functionality built in.
