Restricting operating system privileges of the db2fmp process (Windows)
On Windows operating systems, if Extended Security is enabled, you can restrict privileges of the db2fmp process to the privileges assigned to the DB2USERS group.
About this task
Restrictions
On version 10.5 FP3 and earlier fix packs, the option to restrict privileges is not available if LocalSystem is selected as the service account.
Procedure
On Windows operating systems, if you have Extended Security enabled, to restrict the db2fmp process to the privileges assigned to the DB2USERS group:
- Run the db2set command and set DB2_LIMIT_FENCED_GROUP to ON. By default, this registry variable is set to OFF.
    db2set DB2_LIMIT_FENCED_GROUP = ON
- Add the Db2® service account into the DB2USERS group.
- On version 10.5 FP3a and later fix packs, run the SC command:
    SC sidtype DB2-service-name unrestricted
  where DB2-service-name is the Db2 service name. By default, the Db2 service name is set to DB2 or, in a Db2 partitioned database environment, the default is set to DB2-0.
  For example:
    SC sidtype DB2 unrestricted
- Optional. You can grant additional operating system privileges to the db2fmp process by following these steps:
  - Create a new user group, or choose an existing user group (for example, db2FencedGroup).
  - Add the Db2 service account into the group.
Results
In addition to the privileges of the DB2USERS group, the db2fmp process has the operating system privileges of the chosen user group.
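
A read-only PowerShell check that the three settings from the procedure above are in place. This is an added example, not IBM's code. It assumes that it runs in a Db2 command window (so db2set is on PATH), that DB2USERS is a local group, and that the service name is the default; the function name Test-Db2FencedGroupSetup and the output property names are hypothetical.

```powershell
# Added example, not IBM's code. Read-only: changes nothing on the host.
# Assumes a Db2 command window (db2set on PATH) and a local DB2USERS group.
function Test-Db2FencedGroupSetup {
    param(
        [string]$ServiceName = 'DB2',       # DB2-0 in a partitioned environment
        [string]$GroupName   = 'DB2USERS'
    )

    # Step 1: "db2set <variable>" prints the current value of the variable.
    $regValue = (& db2set DB2_LIMIT_FENCED_GROUP 2>&1 | Out-String).Trim()

    # Step 2: find the service account and compare it to group members by SID,
    # so that same-named accounts from different domains are not confused.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    $account = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
    $inGroup = $false
    try {
        $sid = ([Security.Principal.NTAccount]$account).Translate(
                   [Security.Principal.SecurityIdentifier]).Value
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
        $inGroup = @($members | Where-Object { $_.SID.Value -eq $sid }).Count -gt 0
    } catch {
        Write-Warning "Could not check membership of '$account': $_"
    }

    # Step 3 (10.5 FP3a and later): query the service SID type. Call sc.exe by
    # its full name: in Windows PowerShell, "sc" is an alias for Set-Content.
    $sidOut  = & sc.exe qsidtype $ServiceName | Out-String
    $sidType = if ($sidOut -match 'SERVICE_SID_TYPE\s*:\s*(\w+)') { $Matches[1] } else { 'UNKNOWN' }

    [pscustomobject]@{
        Service           = $ServiceName
        ServiceAccount    = $svc.StartName
        LimitFencedGroup  = $regValue
        RegistryVarOn     = ($regValue -eq 'ON')
        InGroup           = $inGroup
        ServiceSidType    = $sidType
        SidUnrestricted   = ($sidType -eq 'UNRESTRICTED')
        RunsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')
    }
}

Test-Db2FencedGroupSetup | Format-List
```

The membership check covers direct members of the local group only; an account that belongs through a nested domain group is reported as InGroup = False and needs a manual look.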