Managing access through authorization IDs and roles

DB2® controls access to its objects and data through authorization identifiers (IDs) and roles and the privileges that are assigned to them. Each privilege and its associated authorities enable you to take specific actions on an object. Therefore, you can manage access to DB2 objects through authorization IDs and roles.

As the following diagram shows, you can grant privileges and authorities to IDs or roles and control access to data and processes in several primary ways:

Begin figure description. Access to objects and data within DB2. End figure description. — Figure 1. Access to objects and data within DB2

Managing access to DB2 through RACF® and subsystem access authorization.
Managing access to DB2 subsystem through connection and sign-on routines or trusted contexts.
Granting and revoking explicit privileges through authorization IDs and rolesor through external access control.
DB2 has primary authorization IDs, secondary authorization IDs, roles, and SQL IDs. Some privileges can be exercised by only one type of ID or a role; other privileges can be exercised by multiple IDs or roles. The DB2 catalog records the privileges that IDs are granted and the objects that IDs own.
Managing implicit privileges through ownership of objects other than plans and packages.
Managing implicit privileges through ownership of plans and packages.
Controlling access through security labels on tables.
Activating and deactivating row and column access control on tables.

Certain privileges and authorities are assigned when you install DB2. You can reassign these authorities by changing the DSNZPARM subsystem parameter.

As a security planner, you must be aware of these ways to manage privileges and authorities through authorization IDs and roles before you write a security plan. After you decide how to authorize access to data, you can implement it through your security plan.

Authorization IDs and roles
You can control access to DB2 objects by assigning privileges and authorities to an authorization ID or a role.
Privileges and authorities
You can control access within DB2 by granting or revoking privileges and related authorities that you assign to authorization IDs or roles. A privilege enables its holder to perform a specific operation, sometimes on a specific object.
Managing administrative authorities
DB2 provides a range of auditable administrative authorities that help you control access to sensitive business data. The granularity and flexibility in DB2 administrative authority help you achieve adequate separation of duties and responsibilities and prevent a single user from possessing unlimited privileges.
Managing explicit privileges
You can use the SQL GRANT and REVOKE statements to grant and remove privileges if you enable authorization checking during DB2 installation. You can grant to or revoke privileges from authorization IDs or roles if they run in a trusted context. You can revoke only privileges that are explicitly granted.
Managing implicit privileges
You acquire privileges implicitly through ownership of objects, including ownership of plans and packages. You can control access to data by managing those privileges through object ownership and stored procedures, which are also known as routines.
Retrieving privilege records in the DB2 catalog
You can query the DB2 catalog tables by using the SQL SELECT statement. Executing the SQL statement requires appropriate privileges and authorities. You can control access to the catalog by granting and revoking these privileges and authorities.
Implementing multilevel security with DB2
Multilevel security allows you to classify objects and users with security labels that are based on hierarchical security levels and non-hierarchical security categories. Multilevel security prevents unauthorized users from accessing information at a higher classification than their authorization. It also prevents users from declassifying information.

Parent topic: Getting started with DB2 security