Revoking data access authority from the Admin role in Data Virtualization

You can remove the Db2 DATAACCESS authorization from the Admin role to limit the access that upgraded Admin users have to database tables.

Before you begin

Who needs to complete this task?
Instance administrator: To complete this task, you must be an instance administrator.

About this task

As of IBM® Software Hub version 4.8.0, the Data Virtualization Admin role no longer holds DATAACCESS Db2 authority. To maintain backwards compatibility, when you upgrade from a version older than 4.8.0, the DATAACCESS authority is not automatically revoked from the Data Virtualization Admin role. You can remove the Db2 DATAACCESS authorization from the Data Virtualization Admin role to limit the access that upgraded Admin users have to database tables.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as an instance administrator:
    oc login ${OCP_URL}
  2. Go to the Data Virtualization head pod:
    oc project ${SERVICE_INSTANCE_NAMESPACE}
    oc rsh c-db2u-dv-db2u-0 bash
    
  3. Connect to the database as the Data Virtualization instance owner:
    su - db2inst1
    db2 connect to bigsql
    
  4. Run the following statement to revoke DATAACCESS Db2 authority from the Admin role:
    db2 "REVOKE DATAACCESS ON DATABASE FROM ROLE DV_ADMIN"
  5. Give the Admin role the necessary authorizations for administering the service:
    db2 "GRANT DBADM ON DATABASE TO ROLE DV_ADMIN"
    db2 "GRANT INSERT, UPDATE, DELETE ON DVSYS.INSTANCE_INFO TO ROLE DV_ADMIN"
    Tip:

    If the Data Virtualization Admin does not have access to the pods, a user with the Data Virtualization Admin role can run the Db2 SQL statements in steps 4 and 5 by using the Run SQL editor in the Data Virtualization UI.
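
To confirm the result of steps 4 and 5, the following catalog queries are an added example and are not part of the original procedure. They assume the standard Db2 catalog views SYSCAT.DBAUTH, SYSCAT.TABAUTH and SYSCAT.ROLEAUTH are readable in the bigsql database; run them from the same db2 session or from the Run SQL editor.

```sql
-- Database-level authorities held by the DV_ADMIN role.
-- DATAACCESSAUTH = 'Y' means the role still holds DATAACCESS.
SELECT GRANTEE, GRANTEETYPE, DBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'DV_ADMIN'
   AND GRANTEETYPE = 'R';

-- Every other grantee (user, group or role) that holds DATAACCESS.
-- Revoking the authority from DV_ADMIN does not remove DATAACCESS
-- that was granted directly to a user or through another role.
SELECT GRANTEE, GRANTEETYPE, GRANTOR
  FROM SYSCAT.DBAUTH
 WHERE DATAACCESSAUTH = 'Y'
   AND NOT (GRANTEE = 'DV_ADMIN' AND GRANTEETYPE = 'R')
 ORDER BY GRANTEETYPE, GRANTEE;

-- Table privileges granted in step 5 on DVSYS.INSTANCE_INFO.
SELECT GRANTEE, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'DVSYS'
   AND TABNAME = 'INSTANCE_INFO'
   AND GRANTEE = 'DV_ADMIN'
   AND GRANTEETYPE = 'R';

-- Members of the role: the users and groups whose table access
-- changes when DATAACCESS is revoked from DV_ADMIN.
SELECT GRANTEE, GRANTEETYPE, ADMIN
  FROM SYSCAT.ROLEAUTH
 WHERE ROLENAME = 'DV_ADMIN'
 ORDER BY GRANTEETYPE, GRANTEE;
```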