Wire Listener Roles

The JSON security model is based on roles. To fill a role, a user must hold certain database privileges.

There are two sets of roles. One set exists outside the wire listener, from a system and Db2® database perspective; the second set exists inside the wire listener and is used to control request authorizations.

The system and Db2 database roles can be distinguished as follows:
  • JSON user administrator
    • Manages the registration file on the host, which contains a list of registered application users and MD5-hash-tokens.
    • Manages trusted context, if the wire listener is set to use trusted context.
    • Requires SYSCTRL or SYSADM authority to be set for the authorization ID.
    • This role might be filled by the Db2 Security Administrator, or by the JSON administrator.
  • JSON administrator
    • Enables the JSON features and can access the JSON metadata objects in the data store.
    • Requires SYSCTRL or SYSADM authority to be set for the authorization ID.
  • JSON collection manager
    • Creates collections and manages data.
    • Requires authorizations for the CREATE TABLE, CREATE TRIGGER, and CREATE INDEX statements.
    • Requires authority to create new SQL schemas, if the JSON administrator has not created the schemas.
    • Automatically receives the document user role for each new collection. Collections are created with default access rights for other Db2 database users.
  • JSON document user
    • Inserts, updates, and deletes JSON documents.
    • Requires that authorizations be explicitly assigned by the JSON collection manager.
    • Requires collection manager role, if implicit creation of documents is allowed.

If listener requests run under the authentication user ID of the wire listener proxy user, the proxy user must hold sufficient authorization to run all valid collection and document management requests.
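As an added illustration (not from this page or from the product documentation), the following Db2 LUW statements grant a hypothetical authorization ID JSONMGR only what the JSON collection manager role described above needs, and give a hypothetical document user JSONDOC explicit rights on one collection table. The schema name JSONDATA, the table name ORDERS, and both user names are assumed; the catalog queries at the end let the JSON user administrator confirm that nothing broader was granted.

```sql
-- Added example: least-privilege grants for the JSON collection manager role.
-- Assumed names: JSONMGR (collection manager), JSONDOC (document user),
-- schema JSONDATA, collection table JSONDATA.ORDERS. Run as the JSON
-- administrator (SYSCTRL/SYSADM) or another ID allowed to GRANT these.

-- 1. The administrator pre-creates the schema, so the collection manager does
--    not need IMPLICIT_SCHEMA (the right to create arbitrary new schemas).
CREATE SCHEMA jsondata;

-- 2. CREATE TABLE for new collections needs database-level CREATETAB ...
GRANT CREATETAB ON DATABASE TO USER jsonmgr;

-- 3. ... plus the right to create objects inside the chosen schema only.
--    CREATE INDEX and CREATE TRIGGER on tables JSONMGR creates are covered by
--    the CONTROL privilege Db2 gives a table's owner, so no extra grant.
GRANT CREATEIN ON SCHEMA jsondata TO USER jsonmgr;

-- 4. Document user: authorization is assigned explicitly per collection by the
--    collection manager (as the page requires), not via a broad database grant.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE jsondata.orders TO USER jsondoc;

-- 5. Verification: confirm JSONMGR got CREATETAB but not IMPLICIT_SCHEMA or
--    DBADM, and that CREATEIN is limited to the JSONDATA schema.
SELECT grantee, createtabauth, implschemaauth, dbadmauth
  FROM syscat.dbauth
 WHERE grantee = 'JSONMGR';

SELECT grantee, schemaname, createinauth, alterinauth, dropinauth
  FROM syscat.schemaauth
 WHERE grantee = 'JSONMGR';

-- Expected: CREATETABAUTH = 'Y', IMPLSCHEMAAUTH = 'N', DBADMAUTH = 'N', and a
-- single SCHEMAAUTH row for JSONDATA with CREATEINAUTH = 'Y'.
```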

Wire listener roles to control request authorizations

Four roles can be assigned:
  • Reader allows fetching and reading documents.
  • Writer allows inserting, updating, and deleting documents.
  • Manager enables managing collections and indexes.
  • User administrator allows accepting user management requests through the listener.