Authentication with groups and domain security (Windows)

The Db2® database system allows you to specify either a local group or a global group when granting privileges or defining authority levels.

About this task

A user is determined to be a member of a group if the user's account is defined explicitly in the local or global group, or implicitly by being a member of a global group that is itself defined as a member of a local group.

The Db2 database manager supports the following types of groups:
  • Local groups
  • Global groups
  • Global groups as members of local groups

The Db2 database manager enumerates the local and global groups of which the user is a member, using the security database where the user's account was found. The Db2 database system provides an override that forces group enumeration to occur on the local Windows server where the Db2 database is installed, regardless of where the user account was found. This override is set with one of the following commands:
  • For global settings:
       db2set -g DB2_GRP_LOOKUP=local
  • For instance settings:
       db2set -i instance_name DB2_GRP_LOOKUP=local

After issuing the command, you must stop and start the Db2 database instance for the change to take effect. Then create local groups and include the domain accounts or global groups in the local group.

To view all Db2 profile registry variables that are set, type
     db2set -all

If the DB2_GRP_LOOKUP profile registry variable is set to local, then the Db2 database manager tries to enumerate the user's groups on the local machine only. If the user is not defined as a member of a local group, or of a global group nested in a local group, then group enumeration fails. The Db2 database manager does not try to enumerate the user's groups on another machine in the domain or on the domain controllers.
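The procedure above, carried through for one instance and checked against the failure mode just described, as an added example that is not part of the IBM documentation. It assumes an instance named DB2, a database SAMPLE, a domain CORP with a global group CORP\DB2DBAS, a local group DB2ADMINS and a test user ALICE; run it from an administrator Db2 Command Window.

```bat
@echo off
REM Added example (not from the IBM page): restrict group enumeration for one instance to
REM the local server, nest a domain global group inside a local group, grant authority to
REM the local group, and verify which groups Db2 resolves for a domain user afterwards.
REM Assumed values: instance DB2, database SAMPLE, domain group CORP\DB2DBAS,
REM local group DB2ADMINS, test authorization ID ALICE.
setlocal
set INSTANCE=DB2
set DBNAME=SAMPLE
set LOCALGRP=DB2ADMINS
set DOMAINGRP=CORP\DB2DBAS
set TESTUSER=ALICE

REM 1. Force local-only group lookup for the instance and confirm the registry value.
db2set -i %INSTANCE% DB2_GRP_LOOKUP=local
db2set -all | findstr DB2_GRP_LOOKUP

REM 2. Recycle the instance so the change takes effect.
db2stop force
db2start

REM 3. Create the local group (ignore "already exists") and nest the domain global group in it.
net localgroup %LOCALGRP% /add 2>nul
net localgroup %LOCALGRP% %DOMAINGRP% /add

REM 4. Grant authority to the local group rather than to individual domain accounts.
db2 connect to %DBNAME%
db2 grant dbadm on database to group %LOCALGRP%

REM 5. Verify what Db2 now resolves for the test user. With DB2_GRP_LOOKUP=local only local
REM    groups (and global groups nested in them) are listed; a user who is in CORP\DB2DBAS
REM    but not in any local group would get an empty list here and lose the DBADM authority.
db2 "select * from table(sysproc.auth_list_groups_for_authid('%TESTUSER%'))"
db2 connect reset
endlocal
```

Compare the group list from step 5 before and after step 3 to confirm that membership is now flowing only through the nested local group.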

If the Db2 database manager is running on a machine that is a primary or backup domain controller in the resource domain, it is able to locate any domain controller in any trusted domain. This is because the names of the domains of backup domain controllers in trusted domains are known only to domain controllers.