Ways to control access to data
Db2 enables you to control data access. Access to data includes access by a user who is engaged in an interactive terminal session. Access can also originate from a remote server, from an IMS or a CICS® transaction, or from a program that runs in batch mode.
This information discusses different methods of data access control in Db2. In this information, the term process is used to represent all forms of access to data.
The following figure suggests several routes from a process to Db2 data, with controls on every route.
The first method, access control within Db2, uses identifiers (IDs) to control access to Db2 objects. The process must first satisfy the security requirements to access the Db2 subsystem. When the process is within the Db2 subsystem, Db2 checks various IDs to determine whether the process can access Db2 objects. These IDs (primary authorization ID, secondary authorization ID, and SQL ID) are described. If the process has the necessary ID or IDs, it can access Db2 objects, including Db2 data.
The second method, data set protection, is not controlled within Db2. The process goes through data set protection outside of Db2. If the process satisfies the protection criteria, it reaches the Db2 data.