[DB2 learning records] 4. Basic DB2 security concepts-Authorization

This part is simple and clear at a glance.

Five different permission levels: sysadm, sysctrl, sysmaint, dbadm, and load
But I have read that there is also sysmon in the cfg, which may be mentioned later (it grants access to database system monitor data), or perhaps the version is not updated.

DB2 authorization controls the following aspects of the database security plan:
* The permission level granted to a user
* The commands a user is allowed to run
* The data a user is allowed to read and/or modify
* The database objects a user is allowed to create, modify, and/or delete

Of the five permissions available in DB2, sysadm, sysctrl, and sysmaint are instance-level permissions. They can only be assigned to groups, and they are assigned through parameters in the DBM cfg file.
Dbadm and load are database-level permissions. They can be assigned to users or groups, and are granted explicitly with the grant command.

You can run the following command to determine the permissions and database-level privileges you have:
db2 get authorizations
Administrative authorizations for current user
Direct sysadm authority = No
Direct sysctrl authority = No
Direct sysmaint authority = No
Direct dbadm authority = No
Direct createtab authority = Yes
Direct bindadd authority = Yes
Direct Connect authority = Yes
Direct create_not_fenc authority = Yes
Direct implicit_schema authority = No
Direct load authority = No
Direct quiesce_connect authority = No
Direct create_external_routine authority = Yes
Direct sysmon authority = No

Indirect sysadm authority = No
Indirect sysctrl authority = No
Indirect sysmaint authority = No
Indirect dbadm authority = No
Indirect createtab authority = Yes
Indirect bindadd authority = Yes
Indirect connect authority = Yes
Indirect create_not_fenc authority = No
Indirect implicit_schema authority = Yes
Indirect load authority = No
Indirect quiesce_connect authority = No
Indirect create_external_routine authority = No
Indirect sysmon authority = No
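As an added example (not part of the original notes), here is a small Python parser for the `db2 get authorizations` output shown above. It separates direct authorities from indirect ones obtained through group membership, which matters because instance-level authorities (sysadm, sysctrl, sysmaint, sysmon) are only ever assigned to groups and so never appear as "Direct" for a user. The embedded sample is a constructed excerpt modelled on the output above, with "Indirect sysadm authority" deliberately changed to Yes to show that case.

```python
import re

# Constructed excerpt modelled on the `db2 get authorizations` output quoted in
# these notes; the "Indirect sysadm authority = Yes" line is altered on purpose
# to show an instance-level authority arriving through group membership.
SAMPLE_OUTPUT = """\
Administrative authorizations for current user
Direct sysadm authority = No
Direct createtab authority = Yes
Direct create_not_fenc authority = Yes
Direct implicit_schema authority = No
Direct connect authority = Yes
Indirect sysadm authority = Yes
Indirect createtab authority = Yes
Indirect create_not_fenc authority = No
Indirect implicit_schema authority = Yes
Indirect connect authority = Yes
"""

# Instance-level authorities are only assigned to groups in the DBM cfg,
# so for a user they can only ever show up under "Indirect".
INSTANCE_LEVEL = {"sysadm", "sysctrl", "sysmaint", "sysmon"}
LINE_RE = re.compile(r"^\s*(Direct|Indirect)\s+(\w+)\s+authority\s*=\s*(Yes|No)\s*$", re.I)

def parse_authorizations(text):
    """Map each authority name to {'direct': bool, 'indirect': bool}."""
    auths = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or blank line
        scope, name, value = (s.lower() for s in m.groups())
        auths.setdefault(name, {"direct": False, "indirect": False})[scope] = value == "yes"
    return auths

def effective_authorities(auths):
    """Authorities held through either path, tagged 'direct', 'indirect' or 'both'."""
    tags = {(True, True): "both", (True, False): "direct", (False, True): "indirect"}
    return {n: tags[(s["direct"], s["indirect"])] for n, s in auths.items()
            if s["direct"] or s["indirect"]}

def instance_level_held(auths):
    """Instance-level authorities the user effectively has (always via a group)."""
    return sorted(n for n in effective_authorities(auths) if n in INSTANCE_LEVEL)

if __name__ == "__main__":
    parsed = parse_authorizations(SAMPLE_OUTPUT)
    print("effective:", effective_authorities(parsed))
    print("instance-level via group:", instance_level_held(parsed))
```

Running the block against real output from `db2 get authorizations` (instead of the constructed sample) gives a quick inventory of which instance-level authorities a login holds through its groups.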

Sysadm permission
Only sysadm users are allowed to update the DBM cfg file.
Sysadm permission is controlled by the sysadm_group parameter in the DBM cfg file.
On Windows, this parameter is set to administrator when the instance is created (though it shows as empty if you run db2 get dbm cfg).
On UNIX, it is set to the primary group of the user who created the instance.
db2 update dbm cfg using sysadm_group db2grp1
This change takes effect only after the instance is stopped and restarted.
 
Sysctrl permission
Unlike sysadm users, sysctrl users cannot access any data in the database unless they are explicitly granted the privileges needed to access it. They can run:
* db2start/db2stop
* db2 create/drop database
* db2 create/drop tablespace
* db2 backup/restore/rollforward database
* db2 runstats (on any table)
* db2 update db cfg for database dbname

Users with sysadm permission can assign sysctrl to a group with the following command:
db2 update dbm cfg using sysctrl_group group_name

Sysmaint permission
Sysmaint allows a subset of the commands a user with sysctrl permission can issue; a sysmaint user cannot create or drop databases or tablespaces.
db2 update dbm cfg using sysmaint_group group_name

Dbadm permission
Dbadm is a database-level permission, not an instance-level one. It can be obtained in the following ways.
* db2 create database test
This command implicitly grants dbadm permission on the database test to the user who issued it.

* db2 connect to sample
db2 grant dbadm on database to user tst1
This command can only be issued by sysadm users;
it grants dbadm permission to the user tst1.
You must connect to the database before granting dbadm permission. (Didn't I give it directly?)

* db2 grant dbadm on database to group db2grp1
This command grants dbadm permission to every user in the group db2grp1. Again, only sysadm users can issue this command.

Load permission
Users with load permission can run the following commands:
* db2 quiesce tablespaces for table
* db2 list tablespaces
* db2 runstats (on any table)
* db2 load insert (insert privilege on the table is required)
* db2 load restart/terminate after load insert (insert privilege on the table is required)
* db2 load replace (insert and delete privileges on the table are required)
* db2 load restart/terminate after load replace (insert and delete privileges on the table are required)
Only users with sysadm or dbadm permission can grant or revoke load permission for users or groups:
db2 grant load on database to user tst1
db2 grant insert on table sales to user tst1
db2 grant load on database to group grp1
