Authorization
Two types of authorization security are available for Db2® Big SQL: native Db2 Big SQL authorization, and authorization that uses Db2 Big SQL integration with Ranger.
Using Ranger, a security administrator can create policies to grant access to tables and views in a Big SQL database. These Ranger policies grant and restrict access in a manner that is similar to native Db2 Big SQL table and view privileges. Depending on user preference, either security model can be used to control access to tables and views. If you are familiar with the native security model in Db2 Big SQL, you can continue to use it. If you are using Apache Ranger to secure other Hadoop services, you can also manage access to Db2 Big SQL tables and views through the same interface. When Db2 Big SQL integration with Ranger is enabled, it takes over the management of table and view privileges from the native Db2 Big SQL engine.
The following table highlights some of the main differences between native Db2 Big SQL authorization and authorization that uses Ranger.
Authorization model | SQL-based | Apache Ranger |
---|---|---|
Auditing | Yes | Yes |
Access-based policies | Yes | Yes |
Deny policies | No | Yes |
Table- and view-level policies | Yes | Yes |
Schema-level policies | Yes¹ | Yes |
Access granted to users, groups, or roles | Any | Users and groups, as well as roles that are managed through Ranger |
Database authorities | Yes | No |
Fine-grained access control (column masks and row permissions) | Yes | No |
Policies on database objects other than tables and views | Yes | No |
Centralized UI for policy management | No | Yes |
For information about using impersonation, by which a service can securely access Hadoop data on behalf of another user, see Impersonation in Db2 Big SQL.