The Sysadm for an instance is given to a group ... So, the first step to ensure that no user other than db2admin has authority on the instance is to remove all users except the instance owner from the sysadm group .... You should also revoke database privileges like createtab, bind, connect etc. from PUBLIC ... Then you can start looking at what the applications do and what privileges they want, and then grant them appropriately ...
Refer to the 'authorization' sub-heading under each SQL or Command in the DB2 Manuals
And there is no way you can prevent the root user from doing things as instance owner .... The root user-id is supposed to be in the hands of 'responsible' people .....
HTH
Sathyaram
Quote:
Originally posted by shedb
hello all.
We have unix db2 v7.2 servers
As DBAs we perform administration operations as follows (considering db2admin is the user in the db2iadm1 group with database admin privileges):
-We login to server with telnet with our private logins
-We do "su - db2admin" supplying our private password
-Then under the user db2admin , we perform our administration.
Now, we have the problem that:
-we don't want any user other than db2admin users to perform db admin utilities, commands etc.
-users with root password can easily "su" to db2admin without the password and they are able to perform our operations without our knowledge.
How can we prevent root from being able to perform db2admin operations?
I hope I asked the question clearly..
thanks all
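The two steps in the reply (empty the SYSADM group of everyone but the instance owner, then strip the default privileges from PUBLIC) are easy to get half right: users whose primary group is the SYSADM group never show up in the /etc/group member list, so an audit that only reads that list misses them. The script below is an added example, not code from either poster; it audits the group with constructed /etc/group and /etc/passwd samples and generates the CLP statements to run as the instance owner. The instance owner name db2admin, group db2iadm1, database SAMPLE and the use of getent in live mode are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the forum post. Audits the DB2 SYSADM group for
# members other than the instance owner and generates the REVOKE statements
# for PUBLIC described in the reply. Names below are assumptions for the
# demonstration: instance owner "db2admin", SYSADM group "db2iadm1",
# database "SAMPLE".

INSTANCE_OWNER="${INSTANCE_OWNER:-db2admin}"
SYSADM_GROUP="${SYSADM_GROUP:-db2iadm1}"
DBNAME="${DBNAME:-SAMPLE}"

# extra_sysadm_members GROUP_LINE OWNER
# GROUP_LINE is one /etc/group record ("name:x:gid:user1,user2").
# Prints every listed member except OWNER, one per line.
extra_sysadm_members() {
  printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' |
    awk -v owner="$2" 'NF && $0 != owner'
}

# primary_group_members PASSWD_CONTENT GID
# Users whose primary group is the SYSADM group do not appear in the
# /etc/group member list at all; they have to be found via the GID field
# of /etc/passwd, otherwise the audit misses them.
primary_group_members() {
  printf '%s\n' "$1" | awk -F: -v gid="$2" '$4 == gid { print $1 }'
}

# sysadm_gid GROUP_LINE: the numeric GID from a /etc/group record.
sysadm_gid() {
  printf '%s\n' "$1" | cut -d: -f3
}

# audit_sysadm GROUP_LINE PASSWD_CONTENT OWNER
# Prints all accounts that hold SYSADM through the group but are not the
# instance owner (explicit members plus primary-group members), sorted.
audit_sysadm() {
  {
    extra_sysadm_members "$1" "$3"
    primary_group_members "$2" "$(sysadm_gid "$1")"
  } | awk -v owner="$3" '$0 != owner' | sort -u
}

# revoke_public_sql DBNAME
# CLP statements that remove the database privileges DB2 grants PUBLIC when
# a database is created. The reply names createtab, bind and connect; the
# database-level bind privilege is BINDADD, and IMPLICIT_SCHEMA is the other
# default PUBLIC privilege. Semicolon terminators suit "db2 -tvf <file>".
revoke_public_sql() {
  cat <<EOF
CONNECT TO $1;
REVOKE BINDADD, CONNECT, CREATETAB, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
CONNECT RESET;
EOF
}

# --- constructed sample data, so the script runs without a DB2 server ---
SAMPLE_GROUP_LINE='db2iadm1:x:1001:db2admin,jdoe,backup'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
db2admin:x:1001:1001:DB2 instance owner:/home/db2admin:/bin/sh
jdoe:x:1002:100:Jane Doe:/home/jdoe:/bin/sh
ops:x:1003:1001:Operator:/home/ops:/bin/sh'

run_demo() {
  if [ "${LIVE:-0}" = 1 ]; then
    # Real system (getent assumed available). Confirm the group name first
    # with "db2 get dbm cfg" and look at SYSADM_GROUP; when it is blank, the
    # instance owner's primary group is the SYSADM group.
    group_line=$(getent group "$SYSADM_GROUP")
    passwd_content=$(getent passwd)
  else
    group_line="$SAMPLE_GROUP_LINE"
    passwd_content="$SAMPLE_PASSWD"
  fi
  echo "Accounts other than $INSTANCE_OWNER with SYSADM via $SYSADM_GROUP:"
  audit_sysadm "$group_line" "$passwd_content" "$INSTANCE_OWNER" | sed 's/^/  /'
  echo
  echo "Statements to run as the instance owner (db2 -tvf <file>):"
  revoke_public_sql "$DBNAME"
}

run_demo
```

Run it as-is to see the audit against the constructed sample (jdoe and backup are listed members, ops holds the group as its primary group), or with LIVE=1 on a server to read the real group and passwd databases. The generated statements are printed rather than executed so they can be reviewed before being fed to db2 -tvf; the reply's last step, granting applications only the privileges they actually need, is specific to each application and is left to the DBA.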