Is there anyway to authenticate users from inside DB2 instead of relying on the OS. We are installing a custom software on client machines with a DB and we want restrict access to ONLY our application such that no windows administrator or Linux root even has access.

Let the OS do the authentication, but you can control the authorization through GRANT and REVOKE.


Andy

Authorization can be overridden by users if authentication is OS based so it doesn't solve my issue. Any other suggestions?

Authentication is the process of making sure the person is who they say they are. Nothing more. Authorization is the process of determining what that person can do. You , as the DBA, are in control of the authorization. You simply do not give the users the capability of setting up the authorization configuration.

Andy

Andy I get your point but i think my situation is different. I am installing DB2 on someone else's machine and I want to deny all access except to my application.

Even if I create a new user while installing and keep the password to myself and authorize it, the windows administrator will always have the option of changing the password for that user and eventually accessing the db

You would have to write your own security plugin. See here for more info: DB2 UDB security, Part 2: Understand the DB2 Universal Database security plug-ins

Andy

Andy, Thanks for the link, most appreciated. Looks like I have to dig into C after a long time Just one more question ... if someone copies the DB2 data files from one location to another location / server, could those files be used to recreate / res-instantiate the database? To be clear I'm not talking about any backup files ... just plain data files

Thanks
Farooq

In theory, yes they could, but it would take someone with a lot of know-how. They could even restore a backup image even easier. To handle this, you would need an encryption solution. There are several types of those.

Andy

Thanks Again Andy!!