Assigning users and groups administrative permission for database-based security

Database-based security takes the security settings of the host database and uses these settings to protect the shared repository.

Before you begin

Make sure you are operating on the RSBI objects.

About this task

To determine if a user has administrator authorization, QMF calls for the contents of RSBI.ADMIN_VIEW and runs the following SQL statement:

SELECT COUNT(*) FROM RSBI.ADMIN_VIEW WHERE AUTHID=:OWNER

Where OWNER is the user login. If this statement returns the value that is greater than zero, the user is the repository administrator.

The database-based security for shared repositories requires SYSADM authority on Db2® and DBA authority on Oracle. Without this authority users cannot administer the repository.

For Db2 databases you can populate the RSBI.AUTHID_TABLE with PRIMARY_IDs and SECONDARY_IDs pairs of users and groups, where the group does have SYSADM authority.

Results

The ADMIN_VIEW will have the list from SYSIBM.SYSUSERAUTH with the addition of the PRIMARY_IDs from the AUTHID_TABLE, whose SECONDARY_IDs are also in the list from SYSIBM.SYSUSERAUTH.

Example

The following examples illustrate the QMF authorization processes on different server types:

Db2 for z/OS®
CREATE VIEW "RSBI"."ADMIN_VIEW" (
"AUTHID")
AS
SELECT A."GRANTEE" AS "AUTHID"
FROM "SYSIBM"."SYSUSERAUTH" A
WHERE A."SYSADMAUTH" IN ('G', 'Y')
UNION
SELECT A."PRIMARY_ID" AS "AUTHID"
FROM "RSBI"."AUTHID_TABLE" A
INNER JOIN
"SYSIBM"."SYSUSERAUTH" B ON
B."GRANTEE" = A."SECONDARY_ID"
DB2 for iSeries
CREATE VIEW "RSBI"."ADMIN_VIEW" (
"AUTHID")
AS
SELECT "AUTHID"
FROM "RSBI"."ADMIN_TABLE"
Db2 LUW
CREATE VIEW "RSBI"."ADMIN_VIEW" (
"AUTHID")
AS
SELECT A."GRANTEE" AS "AUTHID"
FROM "SYSIBM"."SYSDBAUTH" A
WHERE A."DBADMAUTH" = 'Y'
UNION
SELECT A."PRIMARY_ID" AS "AUTHID"
FROM "RSBI"."AUTHID_TABLE" A
INNER JOIN
"SYSIBM"."SYSDBAUTH" B ON
B."GRANTEE" = A."SECONDARY_ID"
DB2 for z/VM®
CREATE VIEW "RSBI"."ADMIN_VIEW" (
"AUTHID")
AS
SELECT A."NAME" AS "AUTHID"
FROM "SQLDBA"."SYSUSERLIST" A
WHERE A."AUTHOR" = ''
AND A."DBAAUTH" = 'Y'
UNION
SELECT A."PRIMARY_ID" AS "AUTHID"
FROM "RSBI"."AUTHID_TABLE" A
INNER JOIN
"SQLDBA"."SYSUSERLIST" B ON
B."NAME" = A."SECONDARY_ID"
Oracle
CREATE VIEW "RSBI"."ADMIN_VIEW" (
"AUTHID")
AS
SELECT A."GRANTEE" AS "AUTHID"
FROM "SYS"."DBA_ROLE_PRIVS" A
WHERE A."GRANTED_ROLE" = 'DBA'