Managing access through authorization IDs and roles
Db2 controls access to its objects and data through authorization identifiers (IDs) and roles and the privileges that are assigned to them. Each privilege and its associated authorities enable you to take specific actions on an object. Therefore, you can manage access to Db2 objects through authorization IDs and roles.
As the following diagram shows, you can grant privileges and authorities to IDs or roles and control access to data and processes in several primary ways:
- Managing access to Db2 through RACF® and subsystem access authorization.
- Managing access to the Db2 subsystem through connection and sign-on routines or trusted contexts.
- Granting and revoking explicit privileges through authorization IDs and roles, or through external access control.
Db2 has primary authorization IDs, secondary authorization IDs, roles, and SQL IDs. Some privileges can be exercised by only one type of ID or a role; other privileges can be exercised by multiple IDs or roles. The Db2 catalog records the privileges that IDs are granted and the objects that IDs own.
- Managing implicit privileges through ownership of objects other than plans and packages.
- Managing implicit privileges through ownership of plans and packages.
- Controlling access through security labels on tables.
- Activating and deactivating row and column access control on tables.
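The explicit-privilege path described above, shown as an added example that is not from this page: a privilege is granted to a role rather than to an individual ID, the role is made available only through a trusted context, and the catalog is queried to confirm what was recorded. The role, context, authorization ID, table and address (APP_READER, CTX_APPSRV, APPSRV, PAYROLL.EMP, 10.0.0.5) are assumed names chosen for illustration.

```sql
-- Added example; object names below are assumptions, not values from the page.

-- 1. The role, not any individual authorization ID, holds the privilege.
CREATE ROLE APP_READER;
GRANT SELECT ON TABLE PAYROLL.EMP TO ROLE APP_READER;

-- 2. A trusted context ties the role to one system authorization ID arriving
--    from one address. The role is usable only inside this context, so the
--    same authorization ID connecting from elsewhere does not inherit it.
CREATE TRUSTED CONTEXT CTX_APPSRV
  BASED UPON CONNECTION USING SYSTEM AUTHID APPSRV
  ATTRIBUTES (ADDRESS '10.0.0.5')
  DEFAULT ROLE APP_READER
  ENABLE;

-- 3. Check what the Db2 catalog recorded for the table; a GRANTEETYPE of 'L'
--    identifies the grantee as a role rather than an authorization ID.
SELECT GRANTOR, GRANTEE, GRANTEETYPE, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP';

-- 4. Revoking from the role withdraws access from every connection that
--    obtained it through the role, in one statement.
REVOKE SELECT ON TABLE PAYROLL.EMP FROM ROLE APP_READER;
```

Running the catalog query before and after the REVOKE is a quick way to confirm that no residual row for the role remains.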
Certain privileges and authorities are assigned when you install Db2. You can reassign these authorities by changing the DSNZPARM subsystem parameter.
As a security planner, you must be aware of these ways to manage privileges and authorities through authorization IDs and roles before you write a security plan. After you decide how to authorize access to data, you can implement it through your security plan.