DB2 data access control

Start of change Access to data can originate from users through interactive terminal sessions, local or remote stored procedures, utilities, or IMS™ or CICS® transactions. It can also originate from application programs that run in batch mode, remote applications that use DDF or CLI and JDBC drivers, or web-based applications supported by WebSphere® Application Servers. End of change

Given the variety of access originators, the term process is used to represent all access to data. For example, within a DB2® subsystem, a process can be a primary authorization ID, one or more secondary IDs, a role, or an SQL ID.

A process can gain access to DB2 data through several routines. As shown in the following diagram, DB2 provides different ways for you to control access from all but the data set protection route.

Begin figure description. DB2 data access control. End figure description — Figure 1. DB2 data access control

One of the ways that DB2 controls access to data is by using authorization IDs or roles. DB2 relies on IDs or roles to determine whether to allow or prohibit certain processes. DB2 assigns privileges and authorities to IDs or roles so that the owning users can take actions on objects. In this sense, it is an ID or a role, not a user, that owns an object. In other words, DB2 does not base access control on a specific user or person who need access. For example, if you allow other users to use your IDs, DB2 recognizes only the IDs, not the people or programs that use them.

ID-based access control within DB2
DB2 provides a wide range of granularity when you grant privileges to an ID within DB2. You can grant privileges and authorities to groups, secondary IDs, or to roles.
Role-based access control within DB2
A privilege enables the user of an ID to execute certain SQL statements or to access the objects of another user. A role groups the privileges together so that they can be simultaneously granted to and revoked from multiple users.
Ownership-based access control within DB2
Object ownership carries with it a set of related privileges on the object. DB2 provides separate controls for creation and ownership of objects.
Access control through multilevel security
Multilevel security, also known as label-based access control, allows you to classify objects and users with security labels. The security labels are based on hierarchical security levels and non-hierarchical security categories.
Access control external to DB2
You can control access to DB2 by using a DB2-supplied exit routine or an exit routine that you write.

Parent topic: DB2 security solutions

Related concepts:

DB2 subsystem access control