Grant management
The grant management function provided on the Grant Management Menu (ADB2ZGM) panel allows you to manage privileges across groups of objects, such as those associated with a particular application.
Grant management objects
Grant management uses the following objects to manage privileges:
- Groups
- A grant management group is a named entity to which you
associate different objects and privileges.
Group names are not case sensitive.
- Group objects
- A group object is a Db2 object for
which you want to manage privileges within a particular group. You can
add multiple objects to a single group.
Group object names are case sensitive. so that names are enclosed in double quotes.
Tip: For object names that are mixed case, specify CAPS OFF. (See CAPS.) By default, CAPS = ON for the Object name and Object qualifier fields.- Generic objects
- A generic object is an object that is defined with wildcard characters in the name or qualifier. It includes all objects that satisfy the name specification. For example, a generic table object with the name PRODABC.APP1% includes any table whose name begins with PRODABC.APP1. If you create a generic object, you must expand the group to include all qualifying objects before pending privileges are generated.
- Privileges
- A privilege is a user-defined privilege or set of
privileges on a particular type of object. These privileges are used as
the basis for defining group privileges.
Privilege names are not case sensitive.
- Group privileges
- A group privilege is a privilege that is assigned to a
particular AUTHID or role for a group and its objects. You can
optionally limit the group privilege to a particular time period.
For example, you might define a privilege for SELECT and UNLOAD on tables and name this privilege READTAB. You can then add the READTAB privilege to a specific group and AUTHID. This specific instance of the READTAB privilege is called a group privilege.
Use group privileges to manage which users have certain privileges for group objects. For example, if you want to give a new user authority to query your group objects, you can add a new group privilege for that user.
Group privileges do not have names.
- SSIDs
- An SSID, or subsystem ID, identifies a subsystem for the
group and where to perform any GRANT and REVOKE operations. Your local
SSID is already defined for you.
SSIDs are case sensitive.
- Pending privileges
- A pending privilege is a group privilege that has been
defined but has not yet been implemented, meaning that it has not been
applied to the Db2 catalog.
Pending privileges are generated by Db2 Admin Tool after you
create a group privilege if the relevant group objects exist.
Pending privileges do not have names.
For detailed information about the generation of pending privileges, see When pending privileges are generated in grant management.
The following figure illustrates the relationships between these grant management objects. You define the privileges and groups and optionally any SSIDs. You then specify group privileges and the objects that you want included in each group. You can optionally include objects on a remote subsystem by specifying a remote SSID. Each group privilege is based on a privilege for a particular AUTHID and group. (The AUTHID is the user; it can also be a user group or Db2 role.) Finally, Db2 Admin Tool generates the pending privileges based on the defined group privileges, objects, and optionally any SSIDs.
Grant management tables
Table name | Information contained in the table |
---|---|
ADBGMG | Groups |
ADBGMGO | Group objects |
ADBGMPR | Privileges |
ADBGMGP | Group privileges |
ADBGMSID | SSIDs |
ADBGMPP | Pending privileges |
These tables are stored in the GM hub that was specified the Product Parameters (CCQPPRD) panel in TCz and can be accessed by multiple subsystems.
GM hub
A grant management (GM) hub is a place (a subsystem) where you administer grant management for one or more data sharing groups or stand-alone subsystems. A GM hub stores the information for these subsystems in the GM database on the hub. The GM hub uses DRDA connections to administer the security on remote systems. One of the advantages of a GM hub is that you do not need to log on to the subsystem that you need to administer.
- DRDA connections do not exist between your various systems, such as production, test, and development. In this case, create one GM hub for production, one for test, and one for development.
- The subsystems are on different LPARs. In this case, you can create one GM hub per LPAR.
- The SSIDs are not unique. In this case, create additional GM hubs as needed to ensure that each hub will not be accessed by subsystems with the same SSID.
- To create one GM hub, set the Grant Management database field on the Product Parameters (CCQPPRD) panel to NO and the Grant Management (GM) database field on the DB2 Parameters (CCQPDB2) panel to YES.
- To create multiple GM hubs, set the Grant Management database field on the Product Parameters (CCQPPRD) panel to YES and leave the Grant Management (GM) database field on the DB2 Parameters (CCQPDB2) panel blank.
Grant management operations
Grant management uses the ADBTEP2 program to manage operations on grant management objects, such as adding or deleting privileges and implementing pending privileges. Every time you perform some grant management operation, an ADBTEP2 job will be generated. These ADBTEP2 jobs contain ADMIN GM statements that perform the requested operation. Submit the ADBTEP2 job to complete the operation.
ADMIN GM statements
To run grant management operations, Db2 Admin Tool generates ADMIN GM (Grant Management) statements in ADBTEP2 jobs. These ADMIN GM statements perform operations on groups, objects, privileges, group privileges, pending privileges, and SSIDs.
The grant management function uses the following ADMIN GM statements:
- ADMIN GM ADD GROUP statement
- ADMIN GM DELETE GROUP statement
- ADMIN GM UPDATE GROUP statement
- ADMIN GM EXPAND GROUP statement
- ADMIN GM ADD PRIVILEGE statement
- ADMIN GM DELETE PRIVILEGE statement
- ADMIN GM UPDATE PRIVILEGE statement
- ADMIN GM ADD SSID statement
- ADMIN GM DELETE SSID statement
- ADMIN GM ADD group object statement
- ADMIN GM DELETE group object statement
- ADMIN GM UPDATE group object statement
- ADMIN GM ADD GROUP PRIVILEGE statement
- ADMIN GM DELETE GROUP PRIVILEGE statement
- ADMIN GM UPDATE GROUP PRIVILEGE statement
- ADMIN GM RUN PENDING PRIVILEGES statement
- ADMIN GM CLEANUP PENDING PRIVILEGES statement
- ADMIN GM DELETE PENDING PRIVILEGES statement
Grant management as a REST service
Grant management is also available as a REST service. The name of the provided REST API and associated stored procedure is ADBGMSP. See Provided REST APIs and ADBGMSP stored procedure.