DB2 User Rights

DB2 database permissions are divided into instance-level permissions (SYSADM, Sysctrl, Sysmaint, SYSMON) and DB2 database-level permissions (DBAMD, LOAD). The permissions that users have in DB2 are mainly considered in three areas: instance level, database level, database operation level, and view command is DB2 get authorizations. DB2 authorization can be divided into instance-level permission and database-level authorization, the instance-level permission must be granted by UPDATECFG to the user group by the user with Sysadm permission, and the database object-level permission is granted by the user or user group that the DBAMD permission user displays through the grant command.

I. Introduction of DB2 rights

DB2 database permissions are divided into instance permission levels (SYSADM, Sysctrl, Sysmaint, SYSMON) and DB2 database permission levels (DBAMD, LOAD). Users with Sysctrl, Sysmaint, Sysmon permission levels cannot access data, and users with DBAMD, load permission levels can access the data.

Instance-level permissions (can only be assigned at the user group level):

SYSADM----System administrative rights (Unix systems, the SYSADM user group is set by default to the primary user group where the instance owner resides, so any user in that group has SYSADM permissions)

SYSCTL----System control permissions

Sysmaint----System Maintenance permissions

Database level:

DBADM----Database administrative permissions (such as maintenance and management tasks such as deleting a database, creating and deleting tablespaces, backing up or recovering a database, etc.)

Load----permissions on the load operation on the table

1, DB2 Database permissions:

connect-allow users to connect to the database

bindadd-allow users to create new packages in the database

createtab-allow users to create new tables in the database

Create_not_fenced-allows users to register user-defined functions (UDFs) or stored procedures that are defined as not FENCED

Implicitschema-Allows the user to create an object in a schema that does not yet exist (it automatically creates the schema) *

quiesce_connect-allow users to connect to a database in quiesced state

Create_external_routine-allows users to register external routines (routines written in external languages such as C and Java)

2. Table Space Privileges:

Use-Allows the user to create tables in the specified table space

3. Mode privileges:

createin-allows the user to create objects in the schema

alterin-allows the user to modify objects in the schema

dropin-allows the user to delete objects from the schema

4. Table/View Privileges:

control-grants users all the privileges on tables and views, and grants these privileges (except CONTROL) to others

ALTER-Allows the user to add a column to a table, add or modify comments on a table and its columns, add a primary key or UNIQUE constraint, and create or delete a table check constraint

delete-allow users to delete rows from a table or view

Index-Allows the user to create an index on the table

Insert-allows users to insert data into a table or view

references-allows users to create and delete foreign keys, which requires a parent table in the specified relationship

Select-allows users to retrieve rows from a table or view, create a view on a table, and run the export utility

Update-allows users to modify data in tables, views, or some columns in a table or view, and users can have this privilege only on specific columns

5. Index Privileges:

control-allow users to delete indexes

6. Package Privileges:

control-allows users to rebind, delete, or execute packages, as well as grant these privileges (except CONTROL) to others

Bind-Allows the user to rebind an existing package

execute-allow users to execute packages

7. Routine Privileges:

Execute allows the user to invoke routines, create functions from routines (only for functions), and refer to routines in any DDL statement (such as CreateView, create TRIGGER, or define constraints)

9. Sequence Privileges:

Usage-allows users to use Nextval and prevval expressions for sequences

Alter-allows the user to modify sequence properties using the ALTER SEQUENCE statement

Privileged information is stored in the seven system catalog view:

*syscat. Dbauth-Database privileges

*syscat. Colauth-table and view column privileges

*syscat. Indexauth-Index Privileges

*syscat. Packageauth-Package Privileges

*syscat. Schemaauth-Mode privileges

*syscat. TABAUTH-table and view privileges

*syscat. Tbspaceauth-Table Space privileges

View current connection user rights: Db2get authorizations

The "direct" permission means that this permission is explicitly granted to this user. The "indirect" permission means that this user belongs to a group that has this permission.

Permissions Summary: DB2 in the user has the main consideration three aspects: the instance level, the database level, the database object level, the View method is db2getauthorizations, the specific table's authorization information is stored in the Syscat.tabauth.

Ii. Authorized operation

DB2 database authorization consists of privileged groups and advanced database management programs (instance-level) maintenance and utility operations. Of the 5 types of permissions available to DB2, SYSADM, Sysctrl, and Sysmaint are instance-level permissions. This means that their scope contains instance-level commands and commands for all databases in this instance. These permissions can only be assigned to groups, and these permissions are assigned through the dbm CFG file.

1. Get SYSADM

Users with SYSADM permissions can emit any DB2 command that acts on DB2 instances, any databases within the instance, and any objects within those databases. They are also able to access data within the database, granting or revoking privileges and permissions. The SYSADM user is the only user that is allowed to update the Database Manager configuration (Databasemanager config (DBM CFG) file).

SYSADM permissions are controlled by the Sysadm_group parameter in DBM CFG. When you create an instance, this parameter is set to Administrator on Windows (although it appears empty when you issue a command DB2 get dbm CFG). On UNIX, this parameter is set to the primary group of the user who created the instance. Because SYSADM users are the only users that are allowed to update dbmcfg, they are also the only users who can grant any sys* permissions to other groups.

The following example shows how to grant SYSADM permissions to the DB2GRP1 group:

DB2 Update dbm Cfgusingsysadm_group DB2GRP1

2. Get Sysctrl

Users with Sysctrl permissions can perform all administrative and maintenance commands within the instance. However, unlike Sysadm users, they cannot access any data in the database unless they are granted the privileges required to do so. Sysctrl users can execute on any database in the instance

Users with SYSADM permissions can assign Sysctrl to a group using the following command:

DB2 update dbm Cfgusingsysctrl_group GROUP name

3. Get Sysmaint

A command that a user with Sysmaint permissions can issue is a subset of the commands that the Sysctrl permission is allowed to be considered as some tasks related to "maintenance."

Note that a user with Sysmaint cannot create or delete a database or table space (tablespace). They also cannot access any data in the database unless they are granted the privileges required to do so.

Users with SYSADM permissions can assign sysmaint to a group using the following command:

DB2 update dbm Cfgusingsysmaint_group GROUP name.

4. Grant

DB2 Database authorization is implemented through the grant command, DB2 the database authorization, the user can do the corresponding operation DB2. The Dbadm and load permissions for a specific database can be assigned to users or groups of users. You can explicitly assign these permissions by using the Grant command.

Grammar:

>>-grant--authorization-specification--------------------------->

.-,----------------------.

V |

>--to----+-authorization-name-+-+--+-------------------+-------><</em>

+-role--role-name----+ '-with grantoption-'

'-public-------------'

Simple example (the database needs to be connected first):

--authorizing the database to administer permissions to the user

Db2grant Dbadm on database to Userdb2admin

--Authorizing database administration permissions to user groups

DB2 Grant DBADM on the database to group DB2GRP1

--Authorization query:

Db2grant Select on table TableName to Userdb2admin

--All licenses

DB2 Grantall on TABLE owk. " Favmenu "to USER Sckdev

DB2 User Rights