db2 users under db2cc and data studio

badkuk · #1 (**permalink**) 09-09-11, 04:09

Hi All,

Pardon my inquiry if it seems a bit noobish...please let me know where i can move it to...

i've read in the docs that DB2 uses OS accounts/authentication by default for authenticating users, so i'm a little confused as to the behavior of db2cc and IBM data studio...i.e.

-- users added using db2cc/data studio don't show up at the OS level
-- users added at the OS level don't show up under db2cc/IBM data studio

What gives? i was expecting that the list of users in db2cc/data studio to be consistent with the OS accounts. Is there some sort of table/view/etc that DB2 maintains?

i am running DB2-C 9.7.4 on Windows btw.

tia

przytula_guy · #2 (**permalink**) 09-09-11, 04:47

no db2 does not maintain info about uid/pw
for all connect users there must be somewhere an os user mapping : local - at server - at ldap .....
in the doc there is a lot to read about this
DB2 security model overview
or you could first attend a course at
DB2 University to learn the basics of DB2

Marcus_A · #3 (**permalink**) 09-09-11, 06:37

You can, but you don't need to add users or groups in DB2. They automatically get added to the DB2 system catalog (TABAUTH, DBAUTH, etc) when you issue a SQL GRANT to a user or group. The actual password authentication is handled by the OS (so the account must exist in the OS), but INSERT, UPDATE, SELECT, CONNECT, etc authorities within DB2 are handled with SQL GRANT, REVOKE, etc.

GRANTS to user or group accounts can be made within DB2 before the accounts are created in the OS. They only get checked when authentication takes place.

db2girl · #4 (**permalink**) 09-09-11, 16:37

Quote:

Originally Posted by przytula_guy

DB2 University to learn the basics of DB2

Another DB2 learning site. Unbelievable.

badkuk · #5 (**permalink**) 09-12-11, 03:23

Thanks all for clearing that up: authentication at OS level, rights/privileges defined in DB2

Given this scenario:

- created OS user spongebob
- granted access rights/privileges in DB2 for spongebob
- deleted OS user spongebob
- created new OS user spongebob

...would the new spongebob be given the same access rights/privileges as the old spongebob? Should the SOP be to manually revoke all rights/privileges of all deleted OS accounts, or is there a way of automating the process?

Thanks

przytula_guy · #6 (**permalink**) 09-12-11, 03:30

drop /create os uid : db2 will never clean up grant - even if the user does not exist
error will be presented when referenced
otherwise the new user will inherit the existing grant
no automated cleanup exists.. os uid list should be compared with db2 uid grant list and cleanup to be done..

Internet Services

Web Development

Digital Marketing

Consumer Tech