Securing the database environment

You can enhance the operational security of your databases during installation, whether you use DB2®, Oracle, or Microsoft SQL Server. You can complete the installation without giving administrative privileges to the database users that are associated with the application server.

MONITOR database

When you create the MONITOR database, the monitor runtime database user is, by default, granted privileges to administer database objects. This simplifies the creation of the MONITOR database and enables the IBM® Business Monitor server to automatically manage the monitor model database schema when models are deployed and removed. However, you can secure your database by limiting administrator access to a single data source that is responsible for managing the monitor model database schema. Alternatively, you can completely remove all administrative privileges for the MONITOR database users; in that case, a database administrator manually manages the monitor model database schema.

Using scripts, you can enhance security for DB2, Oracle or SQL Server by granting the MONITOR database user only the privileges that are required to access the MONITOR database objects. For more information about model-level database security considerations, see "Managing monitor model database schemas in a secured database" in the related concepts.

Four cell-level data sources are created while the IBM Business Monitor profile is being created. To separate the operational database user from the administrative database user, creating the MONITOR profile also creates two authentication aliases: Monitor_JDBC_Alias and Monitor_Admin_JDBC_Alias. You can configure the data sources to use either authentication alias, depending on your database security requirements. The suggested authentication alias for each data source is indicated in the following table.

| Data source name | JNDI name | Purpose | Suggested authentication alias |
|---|---|---|---|
| Monitor_Database | jdbc/wbm/MonitorDatabase | Operational data source for event processing, REST services for dashboards, and other functions. | Monitor_JDBC_Alias |
| Monitor_cellname_Routing_Database | jdbc/wbm/cellname/MonitorDatabase | Operational data source for sending events to the MONITOR database, for example, table-based event distribution. | Monitor_JDBC_Alias |
| Monitor_ME_Database | jdbc/wbm/MonitorMEDatabase | Operational data source for the IBM Business Monitor messaging engine. Administrative privileges are required only if the messaging engine creates a database schema upon initial startup. | Monitor_JDBC_Alias |
| Monitor_Admin_Database | jdbc/wbm/MonitorAdminDatabase | Data source for creating and deleting the monitor model database schema upon model deployment, undeployment, and data movement service enablement. Administrative privileges are required only if IBM Business Monitor manages the database schema. | Monitor_Admin_JDBC_Alias |
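
The following check is an added example, not part of the product documentation or IBM's scripts: it compares an exported map of data source JNDI names and their authentication aliases against the suggested aliases in the table. The export format, the optional node/ prefix on alias names, and the sample values are assumptions.

```python
import re

RUNTIME_ALIAS = "Monitor_JDBC_Alias"
ADMIN_ALIAS = "Monitor_Admin_JDBC_Alias"

# (JNDI pattern, suggested alias) per the table; the routing data source
# embeds the cell name, so it is matched as one arbitrary path segment.
SUGGESTED = [
    (r"jdbc/wbm/MonitorDatabase", RUNTIME_ALIAS),
    (r"jdbc/wbm/[^/]+/MonitorDatabase", RUNTIME_ALIAS),
    (r"jdbc/wbm/MonitorMEDatabase", RUNTIME_ALIAS),
    (r"jdbc/wbm/MonitorAdminDatabase", ADMIN_ALIAS),
]

def bare_alias(alias):
    # Assumption: an alias may carry a "node/" prefix; compare the last segment.
    return (alias or "").rsplit("/", 1)[-1]

def audit(datasources):
    """Map of JNDI name -> configured alias; returns sorted (jndi, finding) pairs."""
    findings, seen = [], set()
    for jndi, alias in datasources.items():
        hit = next((p for p in SUGGESTED if re.fullmatch(p[0], jndi)), None)
        if hit is None:
            findings.append((jndi, "not in the suggested-alias table"))
            continue
        seen.add(hit[0])
        actual = bare_alias(alias)
        if actual == hit[1]:
            continue
        if actual == ADMIN_ALIAS:
            # Runtime traffic would run with schema-administration rights.
            findings.append((jndi, "operational data source uses admin alias"))
        else:
            findings.append((jndi, "alias %r, suggested %r" % (actual, hit[1])))
    for pattern, _ in SUGGESTED:
        if pattern not in seen:
            findings.append((pattern, "data source missing from export"))
    return sorted(findings)

# Constructed sample export: the routing data source is bound to the admin alias.
SAMPLE = {
    "jdbc/wbm/MonitorDatabase": "Monitor_JDBC_Alias",
    "jdbc/wbm/cell01/MonitorDatabase": "node01/Monitor_Admin_JDBC_Alias",
    "jdbc/wbm/MonitorMEDatabase": "Monitor_JDBC_Alias",
    "jdbc/wbm/MonitorAdminDatabase": "Monitor_Admin_JDBC_Alias",
}

if __name__ == "__main__":
    for jndi, finding in audit(SAMPLE):
        print(jndi, "->", finding)
```

A finding on Monitor_ME_Database can be expected while the messaging engine is creating its schema on initial startup, and a runtime alias on Monitor_Admin_Database is consistent with a database administrator managing the schema manually.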

COGNOSCS database

When you set up the Cognos content store, COGNOSCS, make sure the user account that accesses the content store has permission to perform the following actions:
  • Connect to the content store
  • Create, alter, and drop triggers, views, procedures, and sequences
  • Create and alter tables
  • Insert, update, and delete data in the database tables

The user ID and password information for the database is controlled by the Cognos_JDBC_Alias authentication alias, as described in "Changing the IBM Cognos BI content store password."