![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
Before you start
This tutorial will take you through a series of exercises to familiarize yourself with roles, a new feature in DB2 9.5. This tutorial is intended for DB2 technical specialists, database administrators, and programmers. You should have a good understanding of DB2 on Linux, UNIX, and Windows (hereafter called DB2 LUW). You should also be familiar with the DB2 command window and running DB2 scripts. Roles may also be created and managed using the new IBM Data Studio. However, they are not supported in the DB2 Control Center.
This tutorial will help familiarize you with concepts and features of roles in DB2 9.5. In these exercises, you will learn:
- The basic concepts for roles
- How to create and manage roles
- How to use various SQL queries and tools to analyze the usage of roles
To run the examples in this tutorial, you need:
- DB2 9.5 Express-C
- Microsoft Windows 2003, XP or Linux (Validated Environment)
- Java® Runtime Environment 1.4.2 or later
Also ensure that your hardware meets the requirements for DB2 9.5. (Refer to the DB2 9.5 system requirements page.)
DB2 9.5 Express C is available from the above link. DB2 9.5 is a full installation, not a fixpack upgrade. By default, DB2 will automatically start after installation unless you request it not to automatically start.
Use the sample scripts and data provided in the accompanying zip file (see Download section) to demonstrate the concepts in this tutorial. Extract the contents into a subdirectory called DB2Roles (C:\DB2Roles or home/userid/DB2Roles). This directory will be referred to simply as DB2Roles throughout the tutorial. This tutorial assumes that you have used the default directories for the DB2 installation. This tutorial requires the creation of a number of userids, and all the exercises will use the ids created.
A role is a database object to which one or more DB2 privileges, authorities, or other roles can be granted or revoked. A role does not have an owner and it can only be created or dropped by the security administrator (SECADM).
By associating a role with a user, the user inherits all the privileges held by the role, in addition to privileges already held by the user.
The key advantage of database roles is that they simplify the administration and management of privileges in a database. For instance:
- Security administrators can control access to their databases at a level of abstraction that is close to the structure of their organizations. For example, if the company has 12 branches and everyone within each branch has a set of identical privileges, then the SECADM would set 12 roles and then grant membership to users based on their location.
- Users are granted membership in the roles based on their job responsibilities. As the user's job responsibilities change, which may be frequent in a large organization, user membership in roles can be easily granted and revoked. For example, if a user moves from the New York branch to the Boston branch, then the SECADM simply revokes his access to the role for New York and grants access to the role for the Boston branch.
- The assignment of privileges is simplified. Instead of granting the same set of privileges to each individual user in a particular job function, the administrator can grant this set of privileges to a role representing that job function and then grant that role to the users in that job function. For example, individual jobs can often require many different privileges for a user. However, if the privileges are granted to a role, then it is simple to grant or revoke the privileges without having to maintain large scripts for each job. If the SECADM needs to alter the privileges for a role, he can alter it in one place without having to replicate to process for all users.
- Roles can be updated without updating the privileges for every user on an individual basis. For example, if the SECADM needs to alter the privileges for the branch in New York, she can alter the definition for the role without having to replicate the process for all users.
All DB2 privileges and authorities that can be granted within a database, with the exception of SECADM, can be granted to a role. By granting privileges and authorities to roles only, and making users members in roles, the administration and management of privileges in the database is greatly simplified.
Table of contents
Next steps from IBM
Tags
Use the slider bar to see more or fewer tags.
Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).
My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).
Popular tutorial tags |
My tutorial tagsSkip to tags list
Popular tutorial tags |
My tutorial tags
