System Administration Certification exam 919 for Informix 11.70 prep, Part 8: Security

Yunming Wang (yunming@us.ibm.com), Advanced Support Engineer, IBM
Yunming Wang works at IBM as an advanced support engineer on the Informix Advanced Problem Diagnostics (APD) team. He has been working at Informix and IBM since 1998, focusing on Informix and DB2 programming APIs and database connectivity. Areas of specialization include ODBC, JDBC, OLEDB/.Net, ESQL/C, and TCP/IP. Most recently, he has been involved with an IDS virtual appliance project that deals with virtualization and cloud computing technology. Before he joined Informix, he was a software developer. He received his Master's degree in Computer Engineering from the University of Arkansas in 1995.
Tim Steele (tsteele@au1.ibm.com), Advanced Support Engineer, IBM
Tim Steele is an Advanced Support Engineer for IBM Informix and has been working with Informix since 2000. He is an IBM Certified System Administrator for Informix 11.70. He is part of the Australian Follow The Sun (FTS) Hub, which provides worldwide Informix technical support, primarily for critical down-system situations.

Summary:  Data security is always a concern for database administrators. This tutorial helps you understand how to secure your data by preventing unauthorized viewing and altering of data or database objects, including how to use the secure-auditing facility of the database server to monitor database activities. This tutorial prepares you for Part 8 of the System Administration Certification exam 919 for Informix® v11.70.


Date:  20 Jun 2012
Level:  Intermediate


Using discretionary access control

Discretionary access control verifies that a user has the privileges required to perform a particular operation.

Managing privileges

You can use the following steps to define and grant privileges for a default role:

  1. Select an existing role in the current database to use as a default role, or create the role that you want to use as a default role. Use the CREATE ROLE rolename statement to create a new role in the current database.
  2. Use the GRANT statement to grant privileges to the role.
  3. Grant the role to a user, and set the role as the default role for the user or for PUBLIC by using the syntax GRANT DEFAULT ROLE rolename TO username or GRANT DEFAULT ROLE rolename TO PUBLIC.

Use the REVOKE DEFAULT ROLE statement to disassociate a default role from a user.

A user must use the SET ROLE DEFAULT statement to change any other current role to the default role.


Defining default roles

As an administrator, you can define a default role to assign to individual users or to the PUBLIC group for a particular database. The default role is automatically applied when a user establishes a connection with the database. Each user has whatever privileges you grant to the user individually and the privileges of the default role. A user can switch from the current individual role to the default role by using the SET ROLE DEFAULT statement. If different default roles are assigned to a user and to PUBLIC, the default role of the user takes precedence. If a default role is not assigned to a user, the user only has individually granted and public privileges.
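
The default-role steps and the precedence rule described above, worked through as an added example (not part of the original tutorial). The role names order_clerk and report_reader, the user maria, and the tables customer and orders are constructed for illustration; the catalog queries assume the standard Informix system catalog tables sysusers, systabauth and systables.

```sql
-- Constructed names: roles order_clerk and report_reader, user maria,
-- tables customer and orders. Run as a DBA of the current database.

-- Step 1: create the roles that will serve as default roles.
CREATE ROLE order_clerk;
CREATE ROLE report_reader;

-- Step 2: grant privileges to the roles rather than to individual users,
-- so that access is reviewed and revoked in one place.
GRANT SELECT, INSERT, UPDATE ON orders TO order_clerk;
GRANT SELECT ON customer TO order_clerk;
GRANT SELECT ON customer TO report_reader;

-- Step 3: grant the role to the user and make it her default role.
GRANT order_clerk TO maria;
GRANT DEFAULT ROLE order_clerk TO maria;

-- Give every other user a narrower default role through PUBLIC.
GRANT DEFAULT ROLE report_reader TO PUBLIC;

-- maria now connects with order_clerk applied: a default role assigned
-- to the user takes precedence over the default role assigned to PUBLIC.

-- Check: list the default role recorded for each user entry.
SELECT username, defrole FROM sysusers;

-- Check: review the table-level privileges each role carries.
SELECT t.tabname, a.grantee, a.tabauth
  FROM systabauth a, systables t
 WHERE a.tabid = t.tabid
   AND a.grantee IN ('order_clerk', 'report_reader');

-- In maria's own session: after switching to some other role with
-- SET ROLE, return to the default role.
SET ROLE DEFAULT;

-- Disassociate the default role from maria. She then falls back to the
-- PUBLIC default role plus her individually granted privileges.
REVOKE DEFAULT ROLE FROM maria;
```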


Separating roles

Role separation enforces the separation of administrative tasks among the people who run and audit the database server. If INF_ROLE_SEP is not set, then user informix can perform all administrative tasks. Set the INF_ROLE_SEP environment variable to a non-zero integer value to implement role separation.


Setting permission to create databases

Use the DBCREATE_PERMISSION configuration parameter to give specified users permission to create databases and thus prevent other users from creating databases. If you do not set the DBCREATE_PERMISSION configuration parameter, any user can create a database. The user informix always has permission to create databases. Complete the following steps to set permission to create databases.

  • Add DBCREATE_PERMISSION informix to the onconfig file to restrict the ability to create databases to the informix user.
  • Optionally include multiple instances of DBCREATE_PERMISSION in the onconfig file to give additional users permission to create databases. For example, to grant permission to users named watson and jay, add DBCREATE_PERMISSION watson, jay to the onconfig file.
