Two types of authorization security are available for Db2® Big SQL: native Db2 Big SQL authorization, and authorization that uses Db2 Big SQL integration with Ranger.

Using Ranger, a security administrator can create policies to grant access to tables and views in a Big SQL database. These Ranger policies grant and restrict access in a manner that is similar to native Db2 Big SQL table and view privileges. Depending on user preference, either security model can be used to control access to tables and views. If you are familiar with the native security model in Db2 Big SQL, you can continue to use it. If you are using Apache Ranger to secure other Hadoop services, you can also manage access to Db2 Big SQL tables and views through the same interface. When Db2 Big SQL integration with Ranger is enabled, it takes over the management of table and view privileges from the native Db2 Big SQL engine.

The following table highlights some of the main differences between native Db2 Big SQL authorization and authorization that uses Ranger.

Table 1. Comparison of Db2 Big SQL native and Ranger authorizations
| Authorization model | SQL-based | Apache Ranger |
| --- | --- | --- |
| Auditing | Yes | Yes |
| Access-based policies | Yes | Yes |
| Deny policies | No | Yes |
| Table- and view-level policies | Yes | Yes |
| Schema-level policies | Yes [1] | Yes |
| Access granted to users, groups, or roles | Any | Users and groups, as well as roles that are managed through Ranger |
| Database authorities | Yes | No |
| Fine-grained access control (column masks and row permissions) | Yes | No |
| Policies on database objects other than tables and views | Yes | No |
| Centralized UI for policy management | No | Yes |

  1. Currently limited to CREATE, DROP, and ALTER.

For information about using impersonation, by which a service can securely access Hadoop data on behalf of another user, see Impersonation in Db2 Big SQL.