Configure User Role Mapping Settings

When you delegate authentication and authorization to a repository database in IBM® Db2® Data Management Console, you must provide role mapping rules for user accounts. The authorization information that a user account holds in the database, for example authorities, roles and privileges, is used to define the privileges of that user in the console. Role mapping succeeds only if the user account holds a specified authority, role or privilege in the database, or belongs to a specified group in the database. The user account must also be granted an administrator or user role in the console.

IBM Db2 Data Management Console provides four user role mapping methods: Db2 Authorities, Db2 Groups, Db2 UDF and Db2 Roles. For each method, you can define three rules, one for each console role: the admin role, the DBA role and the user role. Select one of the four methods to configure its rules.

Once a method is enabled, the value of the rule that defines the console administrator role is required; the values for the other roles are optional.

Only one type of role mapping method can be enabled at one time. If a user account is unable to obtain any role through role mapping, the user cannot log into the console.

Values for role mapping rules must be separated from each other by '|' characters, without any leading or trailing white space.

User Role Mapping Methods

Db2 Authorities
Description: If a user account holds any of the specified authorities in the repository database, it is assigned the corresponding console role.
Example: DBADM|DATAACCESS|SECADM|SQLADM

Db2 Groups
Description: If a user belongs to any of the specified groups in the repository database, it is assigned the corresponding console role.
Example: ADMINGROUP|GROUP1|GROUP2

Db2 UDF
Description: If a user account has the EXECUTE privilege on a specified UDF in the repository database, it is assigned the corresponding console role. The UDFs that are created and dedicated to authorization must be defined without any parameters. When the repository database is initialized, the console creates three default UDFs, "<console_schema_name>.CANADMINISTER", "<console_schema_name>.CANDBA" and "<console_schema_name>.CANVIEW", which map to the admin role, the DBA role and the user role respectively.
Example: IBMCONSOLE.CANADMINISTER

Db2 Roles
Description: If a user account holds any of the specified roles in the repository database, it is assigned the corresponding console role.
Example: ENTERPRISE_USER|SYSTS_USR
Note: User defined functions (UDFs) must be constructed in a repository database in advance.
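The following Db2 SQL is an added example, not taken from this page or from the console's own repository setup. It shows a parameterless authorization UDF of the kind the Db2 UDF method checks, the EXECUTE grant that maps a user to the console admin role, and a catalog query an administrator can run to audit who currently maps to that role. The schema IBMCONSOLE is taken from the page's example; the user name ALICE and the role name CONSOLE_ADMINS are constructed for illustration.

```sql
-- Added example (not the console's own definition of its default UDF).
-- An authorization UDF must take no parameters; the console only checks
-- whether the account holds EXECUTE on it, so the body is deliberately trivial.
CREATE FUNCTION IBMCONSOLE.CANADMINISTER()
  SPECIFIC CANADMINISTER          -- fixed specific name, makes auditing simpler
  RETURNS INTEGER
  LANGUAGE SQL
  DETERMINISTIC
  NO EXTERNAL ACTION
  CONTAINS SQL
  RETURN 1;

-- Map a single user (constructed name) to the console admin role.
GRANT EXECUTE ON FUNCTION IBMCONSOLE.CANADMINISTER TO USER ALICE;

-- Prefer granting through a Db2 role (constructed name) so that console
-- admin membership is managed in one place and is easy to review.
CREATE ROLE CONSOLE_ADMINS;
GRANT EXECUTE ON FUNCTION IBMCONSOLE.CANADMINISTER TO ROLE CONSOLE_ADMINS;
GRANT ROLE CONSOLE_ADMINS TO USER ALICE;

-- Remove a user's direct mapping (Db2 requires RESTRICT on REVOKE EXECUTE).
REVOKE EXECUTE ON FUNCTION IBMCONSOLE.CANADMINISTER FROM USER ALICE RESTRICT;

-- Audit: who (user, group or role) can currently obtain the console admin role,
-- and confirm the UDF still has zero parameters as the mapping method requires.
SELECT a.GRANTEE, a.GRANTEETYPE, a.EXECUTEAUTH, r.PARM_COUNT
  FROM SYSCAT.ROUTINEAUTH a
  JOIN SYSCAT.ROUTINES r
    ON r.ROUTINESCHEMA = a.SCHEMA
   AND r.SPECIFICNAME  = a.SPECIFICNAME
 WHERE a.SCHEMA       = 'IBMCONSOLE'
   AND r.ROUTINENAME  = 'CANADMINISTER'
   AND a.EXECUTEAUTH IN ('Y', 'G')
 ORDER BY a.GRANTEETYPE, a.GRANTEE;
```

Run the audit query periodically: any grantee it lists, including members of any listed group or role, can log in to the console as an administrator.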