Start of change

Grant management

The grant management function provided on the Grant Management Menu (ADB2ZGM) panel allows you to manage privileges across groups of objects, such as those associated with a particular application.

Start of change

Grant management objects

Grant management uses the following objects to manage privileges:

Groups
A grant management group is a named entity to which you associate different objects and privileges.

Group names are not case sensitive.

Group objects
A group object is a Db2 object for which you want to manage privileges within a particular group. You can add multiple objects to a single group.

Group object names are case sensitive. so that names are enclosed in double quotes.

Tip: For object names that are mixed case, specify CAPS OFF. (See CAPS.) By default, CAPS = ON for the Object name and Object qualifier fields.
Generic objects
A generic object is an object that is defined with wildcard characters in the name or qualifier. It includes all objects that satisfy the name specification. For example, a generic table object with the name PRODABC.APP1% includes any table whose name begins with PRODABC.APP1. If you create a generic object, you must expand the group to include all qualifying objects before pending privileges are generated.
Privileges
A privilege is a user-defined privilege or set of privileges on a particular type of object. These privileges are used as the basis for defining group privileges.

Privilege names are not case sensitive.

Group privileges
A group privilege is a privilege that is assigned to a particular AUTHID or role for a group and its objects. You can optionally limit the group privilege to a particular time period.

For example, you might define a privilege for SELECT and UNLOAD on tables and name this privilege READTAB. You can then add the READTAB privilege to a specific group and AUTHID. This specific instance of the READTAB privilege is called a group privilege.

Use group privileges to manage which users have certain privileges for group objects. For example, if you want to give a new user authority to query your group objects, you can add a new group privilege for that user.

Group privileges do not have names.

SSIDs
An SSID, or subsystem ID, identifies a subsystem for the group and where to perform any GRANT and REVOKE operations. Your local SSID is already defined for you.

SSIDs are case sensitive.

Pending privileges
A pending privilege is a group privilege that has been defined but has not yet been implemented, meaning that it has not been applied to the Db2 catalog. Pending privileges are generated by Db2 Admin Tool after you create a group privilege if the relevant group objects exist.

Pending privileges do not have names.

For detailed information about the generation of pending privileges, see When pending privileges are generated in grant management.

The following figure illustrates the relationships between these grant management objects. You define the privileges and groups and optionally any SSIDs. You then specify group privileges and the objects that you want included in each group. You can optionally include objects on a remote subsystem by specifying a remote SSID. Each group privilege is based on a privilege for a particular AUTHID and group. (The AUTHID is the user; it can also be a user group or Db2 role.) Finally, Db2 Admin Tool generates the pending privileges based on the defined group privileges, objects, and optionally any SSIDs.

Figure 1. Grant management objects
This figure contains blocks and lines to show the relationship between grant mangement oblects. These relationships are described in the preceding text.
Tip: Although a group typically corresponds to an application, consider that privileges are implemented (the GRANT and REVOKE statements are run) at the group level. Therefore, if you do not want to implement all of the defined group privileges at same time, consider defining your groups with more granularity.
End of change
Start of change

Grant management tables

Db2 Admin Tool stores information about grant management objects in the following tables:
Table 1. Grant management tables
Table name Information contained in the table
ADBGMG Groups
ADBGMGO Group objects
ADBGMPR Privileges
ADBGMGP Group privileges
ADBGMSID SSIDs
ADBGMPP Pending privileges

These tables are stored in the GM hub that was specified the Product Parameters (CCQPPRD) panel in TCz and can be accessed by multiple subsystems.

End of change

GM hub

A grant management (GM) hub is a place (a subsystem) where you administer grant management for one or more data sharing groups or stand-alone subsystems. A GM hub stores the information for these subsystems in the GM database on the hub. The GM hub uses DRDA connections to administer the security on remote systems. One of the advantages of a GM hub is that you do not need to log on to the subsystem that you need to administer.

You might need to create more than one GM hub in certain situations where DRDA connectivity is not possible, such as the following scenarios:
  • DRDA connections do not exist between your various systems, such as production, test, and development. In this case, create one GM hub for production, one for test, and one for development.
  • The subsystems are on different LPARs. In this case, you can create one GM hub per LPAR.
  • The SSIDs are not unique. In this case, create additional GM hubs as needed to ensure that each hub will not be accessed by subsystems with the same SSID.
This GM hub is created during the customization (or recustomization) of Db2 Admin Tool in TCz:
  • To create one GM hub, set the Grant Management database field on the Product Parameters (CCQPPRD) panel to NO and the Grant Management (GM) database field on the DB2 Parameters (CCQPDB2) panel to YES.
  • To create multiple GM hubs, set the Grant Management database field on the Product Parameters (CCQPPRD) panel to YES and leave the Grant Management (GM) database field on the DB2 Parameters (CCQPDB2) panel blank.
Important: Be cautious if you create more than one GM hub for subsystems that are connected. If you create a grant management group that includes SSIDs with different GM hubs, the results are unpredictable.
Start of change

Grant management operations

Grant management uses the ADBTEP2 program to manage operations on grant management objects, such as adding or deleting privileges and implementing pending privileges. Every time you perform some grant management operation, an ADBTEP2 job will be generated. These ADBTEP2 jobs contain ADMIN GM statements that perform the requested operation. Submit the ADBTEP2 job to complete the operation.

Important: Do not manually update the grant management tables, as these updates might cause unexpected behavior. Instead, use the grant management panels to generate the necessary ADBTEP2 jobs for updating these tables.
End of change
Start of change

ADMIN GM statements

End of change
Start of change

Grant management as a REST service

Grant management is also available as a REST service. The name of the provided REST API and associated stored procedure is ADBGMSP. See Provided REST APIs and ADBGMSP stored procedure.

End of change
End of change