Restricting operating system privileges of the db2fmp process (Windows)

On Windows operating systems, if Extended Security is enabled, you can restrict privileges of the db2fmp process to the privileges assigned to the DB2USERS group.

Restrictions

On version 10.5 FP3 and earlier fix packs, the option to restrict privileges is not available if LocalSystem is selected as the service account.

Procedure

On Windows operating systems, if you have Extended Security enabled, to restrict the db2fmp process to the privileges assigned to the DB2USERS group:
  1. Run the db2set command and set DB2_LIMIT_FENCED_GROUP to ON. By default, this registry variable is set to OFF.
    db2set DB2_LIMIT_FENCED_GROUP=ON
  2. Add the Db2® service account into the DB2USERS group.
  3. On version 10.5 FP3a and later fix packs, run the SC command:
    SC sidtype DB2-service-name unrestricted
    where DB2-service-name is the Db2 service name. By default the Db2 service name is set to DB2 or, in a Db2 partitioned database environment the default is set to DB2-0.
    For example:
    SC sidtype DB2 unrestricted
  4. Optional. You can grant additional operating system privileges to the db2fmp process by following these steps:
    1. Create a new user group, or choose an existing user group (for example, db2FencedGroup).
    2. Add the Db2 service account into the group.
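
The following PowerShell script is an added example, not part of the Db2 documentation or product, that carries out steps 1 to 4 above and verifies each one before moving on. It assumes it is run from an elevated Db2 command window (so db2set is on PATH), that the service name is DB2 (the single-partition default), and that the instance is at 10.5 FP3a or later so the SC sidtype step applies. The extra group name db2FencedGroup is the hypothetical one used in step 4 and can be left empty to skip that step.

```powershell
# Added example: automate the db2fmp privilege-restriction procedure and check each step.
# Assumptions: elevated Db2 command window, service name DB2, Db2 10.5 FP3a or later.
param(
    [string]$ServiceName = 'DB2',
    [string]$ExtraGroup  = ''        # e.g. 'db2FencedGroup' for the optional step 4
)
$ErrorActionPreference = 'Stop'

# Step 1: turn on DB2_LIMIT_FENCED_GROUP (default OFF) and read it back.
& db2set DB2_LIMIT_FENCED_GROUP=ON
$value = (& db2set DB2_LIMIT_FENCED_GROUP | Out-String).Trim()
if ($value -ne 'ON') { throw "DB2_LIMIT_FENCED_GROUP is '$value', expected ON" }

# Find the account the Db2 service runs under (Win32_Service.StartName).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
Write-Host "Service $ServiceName runs as $account"

# Normalise the account name to the COMPUTER\user or DOMAIN\user form that the
# LocalAccounts cmdlets report.  Mapping LocalSystem to NT AUTHORITY\SYSTEM is an
# assumption of this example; on 10.5 FP3 and earlier the restriction is not
# available for LocalSystem at all (see Restrictions above).
if ($account -eq 'LocalSystem') {
    Write-Warning 'Service runs as LocalSystem; not supported on 10.5 FP3 and earlier.'
    $account = 'NT AUTHORITY\SYSTEM'
} elseif ($account -like '.\*') {
    $account = "$env:COMPUTERNAME\" + $account.Substring(2)
}

# Step 2 (and optional step 4): add the service account to a local group, idempotently.
function Add-ServiceAccountToGroup {
    param([string]$Group, [string]$Member)
    $existing = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $Member }
    if ($existing) { Write-Host "$Member is already a member of $Group"; return }
    Add-LocalGroupMember -Group $Group -Member $Member
    Write-Host "Added $Member to $Group"
}
Add-ServiceAccountToGroup -Group 'DB2USERS' -Member $account

if ($ExtraGroup) {
    if (-not (Get-LocalGroup -Name $ExtraGroup -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $ExtraGroup -Description 'Additional OS privileges for db2fmp' | Out-Null
        Write-Host "Created local group $ExtraGroup"
    }
    Add-ServiceAccountToGroup -Group $ExtraGroup -Member $account
}

# Step 3: set the service SID type to unrestricted and confirm with sc qsidtype.
& sc.exe sidtype $ServiceName unrestricted | Out-Null
$sidType = (& sc.exe qsidtype $ServiceName | Out-String)
if ($sidType -notmatch 'UNRESTRICTED') { throw "Service SID type was not set:`n$sidType" }
Write-Host "Service SID type for $ServiceName is UNRESTRICTED."
Write-Host "Restart the instance (db2stop/db2start) so db2fmp picks up the new settings."
```

Run it once as `.\restrict-db2fmp.ps1` for the mandatory steps, or with `-ExtraGroup db2FencedGroup` to also grant the optional extra group. The membership check before each Add-LocalGroupMember makes the script safe to re-run, and the read-back of db2set and sc qsidtype catches the two failures that are otherwise silent: a typo in the registry variable and an SC command run against the wrong service name.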

Results

In addition to the privileges of the DB2USERS group, the db2fmp process has the operating system privileges of the chosen user group.