- IBM DB2 9.7 Advanced Application Developer Cookbook
- Sanjay Kumar Mohankumar Saraswatipura
- 723字
- 2021-08-20 15:42:21
Granting and revoking database-level authorities
This category of authorities allows a user to perform activities specific to a database. These activities are viewing/modifying data in the database, granting and revoking privileges to users, performing data load operations, running maintenance activities like collecting statistics, backups and restores, and so on.
Getting ready
- We need
SYSADMauthority to grantDBADMorSECADMauthority - We need
SYSADMorDBADMauthority to grant other database authorities
How to do it...
Let's see how we can grant and revoke database-level authorities. The process is the same for every type of database-level authority.
GRANT <authority_name> ON DATABASE <db_name> to USER/ROLE/GROUP <name>
- For example, to grant DBADM authority to a user user_dba on SAMPLE database, use the following command:
GRANT DBADM ON DATABASE SAMPLE TO USER USER_DBA
- We can also grant multiple authorities simultaneously in a single SQL command. For example, to grant
DBADM, ACCESSCTRL, andDATAACCESSauthorities to useruser_dbaonSAMPLEdatabase, use the following command:
GRANT DBADM, ACCESSCTRL, DATAACCESS ON DATABASE SAMPLE TO USER USER_DBA
REVOKE <authority_name> ON DATABASE <database_name> FROM <user/group/role name>
- For example, to revoke
DBADMauthority on SAMPLE database from useruser_dba, use the following command:
REVOKE DBADM ON DATABASE SAMPLE FROM USER USER_DBA
- Similar to
GRANT, REVOKEcan also include multiple authorities at a time. For example, to revokeDBADM, DATAACCESSandACCESSCTRLauthorities from useruser_dba, use the following command:
REVOKE DBADM, ACCESSCTRL, DATAACCESS ON DATABASE SAMPLE FROM USER USER_DBA
How it works...
- DB2 does not maintain any user itself. It uses the operating system users and groups. To grant or revoke any authority to or from any user, we need to use the operating system security facility to create new users, or modify group membership of any user. Once the users and groups have been configured in the operating system, they can be used in DB2.
The users and groups created by the operating system need to follow certain naming conventions; otherwise, they can't be used in DB2. These are:
- Length of group names should be within the SQL limit of 128 characters
- Usernames on UNIX systems can have up to 8 characters
- Usernames on Windows systems can have up to 30 characters
- Usernames and group names cannot begin with IBM, SQL, or SYS
- Usernames and group names cannot be
USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any reserved SQL word
- Database-level authorities can also be granted to roles along with groups and users. Only a system administrator can modify users and groups within an operating system. This adds a dependency on database administrators and security administrators of DB2 database to rely on the system administrator. To overcome this dependency, DB2 provides
DATABASE ROLES. These are very similar to groups in the operating system except that they exist at database level. We can assign a database role to any set of users and grant authorities or privileges to the role. Now, the system administrator only needs to create new users at an operating system level and the rest can be taken care of by the database administrators or security administrators.
There's more…
The DB2 authorization model has been updated to separate the duties of system administrators, database administrators, and security administrators. The DBADM authority no longer has the ability to access data (DATAACCESS), to grant/revoke privileges, authorize (ACCESSCTRL), or define security policies (SECADM). If the DBADM authority needs these authorities, then the SECADM will have to explicitly grant these authorities to DBADM.
We can use the SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID table function to retrieve the authorities for any user. This function accepts the authorization and authorization ID type. For example, to view the roles for the ADMINISTRATOR user, we can use following query:
SELECT CHAR(GRANTOR, 30) GRANTOR, GRANTORTYPE, CHAR(GRANTEE, 30) GRANTEE, GRANTEETYPE, CHAR(ROLENAME, 30) ROLENAME, CREATE_TIME, ADMIN FROM TABLE(SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID('ADMINISTRATOR','U')) AS T;
The following table summarizes the activities performed by each database authority:
- Vue.js 3.x快速入門
- Learning Python Web Penetration Testing
- Google Apps Script for Beginners
- SQL Server 2012數據庫技術及應用(微課版·第5版)
- Python自動化運維快速入門(第2版)
- Learning AWS Lumberyard Game Development
- Learning Linux Binary Analysis
- C++程序設計基礎教程
- Hands-On Swift 5 Microservices Development
- Windows Phone 7.5:Building Location-aware Applications
- NoSQL數據庫原理
- Python全棧數據工程師養成攻略(視頻講解版)
- HTML+CSS+JavaScript網頁設計從入門到精通 (清華社"視頻大講堂"大系·網絡開發視頻大講堂)
- .NET 4.5 Parallel Extensions Cookbook
- Java從入門到精通(視頻實戰版)