Identify the user accounts needed, group assignments, and access privileges for each
Create the users in the external security facility
Create database ROLES and assign privileges to each ROLE
Assign each user the appropriate ROLE
Since an external security facility (for example, the operating system) is responsible for the administration and authentication of users and groups in DB2, you'll need to create any additional application users in the external security facility, and then assign them authorities and privileges within DB2 by using the GRANT and REVOKE statements. In addition, as part of the porting and development process, determine which internal development groups are involved so that access can be set up appropriately for each. For example, the testing group (in some cases) would not have the same privileges that the developers would. In many cases, during the development and porting phases, all members of the project will use a user account with super-user access, so that security issues don't hold up the development process. However, during the testing and QA phase, the appropriate application user accounts will need to be set up, so that application users are not granted more privileges or authorities than they need.
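The steps above, written out as DB2 statements for the move from a shared super-user account to role-based access at the start of the testing and QA phase. This is an added example, not taken from the original text: the schema `APPSCHEMA`, the table `ORDERS`, the role names, the users `DEVUSER1` and `APPUSER1`, and the group `QATEAM` are all hypothetical. It assumes a DB2 release that supports roles and that the users and group already exist in the operating system.

```sql
-- Run as a user holding SECADM, which is required to create roles.
-- All object, role, user and group names below are hypothetical.

-- Step 3: create one role per job function.
CREATE ROLE APP_DEVELOPER;
CREATE ROLE APP_TESTER;
CREATE ROLE APP_USER;

-- Every role needs to connect; nothing else is granted at database level.
GRANT CONNECT ON DATABASE TO ROLE APP_DEVELOPER, ROLE APP_TESTER, ROLE APP_USER;

-- Developers may create and change objects in the application schema.
GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA APPSCHEMA TO ROLE APP_DEVELOPER;
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE APPSCHEMA.ORDERS TO ROLE APP_DEVELOPER;

-- Testers read and write data but cannot alter or drop objects.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE APPSCHEMA.ORDERS TO ROLE APP_TESTER;

-- Application users get only what the application itself needs.
GRANT SELECT, INSERT ON TABLE APPSCHEMA.ORDERS TO ROLE APP_USER;

-- Step 4: assign roles to the externally defined users and groups.
GRANT ROLE APP_DEVELOPER TO USER DEVUSER1;
GRANT ROLE APP_TESTER    TO GROUP QATEAM;
GRANT ROLE APP_USER      TO USER APPUSER1;

-- Remove the broad authority used during development and porting.
REVOKE DBADM ON DATABASE FROM USER DEVUSER1;

-- Check: who holds which role.
SELECT GRANTEE, GRANTEETYPE, ROLENAME
  FROM SYSCAT.ROLEAUTH
 WHERE ROLENAME IN ('APP_DEVELOPER', 'APP_TESTER', 'APP_USER')
 ORDER BY ROLENAME, GRANTEE;

-- Check: nobody outside the administrators still holds DBADM.
SELECT GRANTEE, GRANTEETYPE
  FROM SYSCAT.DBAUTH
 WHERE DBADMAUTH = 'Y';

-- Check: table privileges actually in effect on the application table.
SELECT GRANTEE, GRANTEETYPE, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, ALTERAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'APPSCHEMA' AND TABNAME = 'ORDERS';
```

The three catalog queries at the end are the review step: any grantee in `SYSCAT.DBAUTH` or `SYSCAT.TABAUTH` that is not one of the roles or an expected administrator is a leftover from the development phase to revoke.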
For more complete coverage of the DB2 security model, see the Database Security Guide manual. Another good resource is the IBM Press book entitled Understanding DB2 9 Security, which presents real-world implementation scenarios, step-by-step examples, and expert guidance on both the technical and human sides of DB2 security.