From: http://gocom.primeton.com/blog16274_23254.htm
DB2 Permission Control
1. DB2 permissions control the following aspects of a database security plan:
- Permission level granted to users
- Commands that users are allowed to run
- Data that can be read and/or modified by the user
- Database objects that can be created, modified, and/or deleted by users
Of the five permissions DB2 provides, SYSADM, SYSCTRL and SYSMAINT are instance-level permissions. This means that their scope includes instance-level commands and commands executed on all databases in the instance. These permissions can only be assigned to a group, and this is done through the DBM cfg file.
DBADM and LOAD permissions are assigned to a user or group for a specific database. The GRANT command can be used to do this explicitly.
By issuing the following command, users can determine which permissions and database-level privileges they have:
db2 get authorizations
Note: any reference to group membership means that the user and group name have been defined at the operating system level.
2. The SYSADM permission in DB2 is similar to root permission on UNIX or Administrator permission on Windows. Users with SYSADM permission for a DB2 instance can issue any DB2 command. They can also access data in the databases and grant or revoke privileges and permissions. SYSADM users are the only users allowed to update the DBM cfg file.
The SYSADM permission is controlled by the SYSADM_GROUP parameter in the DBM cfg file. When an instance is created on Windows, this parameter is set to Administrator (although if you issue the command db2 get dbm cfg, the parameter is shown as null). In UNIX . Because SYSADM users are the only users allowed to update the DBM cfg file, they are also the only users allowed to grant any SYS* permission.
Remember, the above changes will take effect only when the instance is stopped and restarted.
3. Users with SYSCTRL permission can execute all management and maintenance commands in the instance. However, unlike SYSADM users, they are not allowed to access any data in the databases unless they are granted the privileges required to do so.
Examples of commands that a SYSCTRL user can run against any database in the instance:
- db2start/db2stop
- db2 create/drop database
- db2 create/drop tablespace
- db2 backup/restore/rollforward database
- db2 runstats (this command can be executed on any table)
- db2 update db cfg for database dbname
4. The commands that a user with SYSMAINT permission can issue are a subset of the commands allowed to users with SYSCTRL permission. SYSMAINT users can only perform maintenance-related tasks, for example:
- db2start/db2stop
- db2 backup/restore/rollforward database
- db2 runstats (this command can be executed on any table)
- db2 update db cfg for database dbname
Note: Users with SYSMAINT permission cannot create or delete databases or tablespaces. They are not allowed to access any data in the databases unless they are granted the privileges required to do so.
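An added example (not part of the original article): a shell check over the output of db2 get dbm cfg that reports findings for the group parameters behind the three instance-level permissions, flagging a SYSCTRL or SYSMAINT group that is the same as the SYSADM group, because its members then also hold SYSADM's access to data. SYSCTRL_GROUP and SYSMAINT_GROUP are the DBM cfg counterparts of SYSADM_GROUP and are not named in the article; the sample output and its group names are constructed.

```shell
#!/bin/sh
# Real use: db2 get dbm cfg | audit_sys_groups

# Constructed sample of `db2 get dbm cfg` lines (not from a real instance).
sample_dbm_cfg() {
cat <<'EOF'
 Default database path                       (DFTDBPATH) = /home/db2inst1
 SYSADM group name                        (SYSADM_GROUP) = DB2ADMIN
 SYSCTRL group name                      (SYSCTRL_GROUP) =
 SYSMAINT group name                    (SYSMAINT_GROUP) = DB2ADMIN
EOF
}

# Emit "<PARAM>=<group>" for the three instance-level group parameters;
# a null value is emitted as "<unset>".
sys_groups() {
    awk -F'=' '
        match($0, /\((SYSADM|SYSCTRL|SYSMAINT)_GROUP\)/) {
            param = substr($0, RSTART + 1, RLENGTH - 2)
            value = $2
            gsub(/^[ \t]+|[ \t\r]+$/, "", value)
            print param "=" (value == "" ? "<unset>" : value)
        }'
}

# Findings, one per line:
#   MISSING <param>  parameter not present in the input
#   NULL <param>     no explicit group shown for the parameter
#   SHARED <param>   same group as SYSADM_GROUP, so its members also get
#                    SYSADM's access to data
audit_sys_groups() {
    sys_groups | awk -F'=' '
        { grp[$1] = $2 }
        END {
            n = split("SYSADM_GROUP SYSCTRL_GROUP SYSMAINT_GROUP", order, " ")
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in grp))         { print "MISSING " p; continue }
                if (grp[p] == "<unset>") { print "NULL " p; continue }
                if (p != "SYSADM_GROUP" && grp[p] == grp["SYSADM_GROUP"])
                    print "SHARED " p
            }
        }'
}

sample_dbm_cfg | audit_sys_groups
```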
5. In general, DBADM users have almost full control over the database. However, DBADM users cannot perform maintenance or management tasks such as the following:
- drop database
- drop/create tablespace
- backup/restore database
- update db cfg for database dbname
However, they can execute the following tasks:
- db2 create/drop table
- db2 grant/revoke (any privilege)
- db2 runstats (any table)
DBADM users are also automatically granted all privileges on database objects and their contents. Because DBADM is a database-level permission, it can be assigned to both users and groups.
6. LOAD permission allows a user to issue the load command against a table. When populating a table with a large amount of data, the load command is a faster replacement for the insert or import command. Depending on the type of load, LOAD permission alone may not be sufficient; specific privileges on the table may also be required.
Users with LOAD permission can run the following commands:
- db2 quiesce tablespaces for table
- db2 list tablespaces
- db2 runstats (any table)
- db2 load insert (the user must have the INSERT privilege on the table)
- db2 load restart/terminate after load insert (the user must have the INSERT privilege on the table)
- db2 load replace (the user must have the INSERT and DELETE privileges on the table)
- db2 load restart/terminate after load replace (the user must have the INSERT and DELETE privileges on the table)