Any issue with granting bind access to GROUP

#1 Cougar8000

    Is there an issue with granting bind access to the UNIX group vs. an individual id?

    Some people on my team think that developers won't be able to do the binds if they are not given access directly. As far as I know it makes no difference.

    v8.2
    os aix 5.1
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

#2 sathyaram_s
    I think granting BIND to a group should be fine.
    But remember, if the package contains static SQL, then the binder should have privileges granted to them (NOT the group) on
    the objects, like tables and views, referred to by the package.

    Once bound, the user themselves will be the owner, and the group will not come into play then.

    Share with the forum if you find something different ..

    Cheers
    Sathyaram

    Visit the new-look IDUG Website , register to gain access to the excellent content.

#3 Cougar8000
    Thank you Sathyaram,

    So, what you are saying is that even though they have access to the object through the user group, they would need access granted directly to them on that object if they are trying to bind a package with static SQL?

#4 sathyaram_s
    That's right!

#5 Cougar8000
    Thank you first of all.

    I am just wondering why it is so? It just makes no sense to me.

#6 sathyaram_s
    The following is my understanding:

    As per the security implementation, for successful execution, the owner of the package needs privileges over the underlying objects referred to in the package statements. The owner of the package can only be a user and not a group.

    Therefore, for static SQL statements, the objects need privileges granted at the user level.

    A similar explanation will hold good for static SQL in views also.

    To clarify, I have not read this in any manual. Therefore, I can be wrong.

    If my assumption is right, yeah, this is a limitation.

    If I find anything different, I'll post it here.

    HTH

    Sathyaram

#7 Cougar8000
    Sathyaram,

    It does say it in the manual in reference to static SQL. I was just hoping there would be a better explanation than that it is the way it is. Thank you for giving as much as you can. It does in fact seem like a limitation.

#8 sathyaram_s
    Here's a response from an IBM consultant, Ted (read with the usual disclaimer: 'This is not an official IBM stmt, but his own'):

    "
    The underlying reason is that changes to group memberships are not communicated to DB2. DB2 has no way of knowing if the authorization ID of the user who created the package is still part of the group when the package is executed. This is in contrast to if the authorization ID was explicitly granted access - DB2 keeps track of this and will invalidate the package if that privilege was revoked from the package creator.

    For dynamic SQL, all of these checks are made at runtime.

    Here is a Technote explaining this in more detail:
    http://www-1.ibm.com/support/docview.wss?uid=swg21224422
    "

    HTH

    Sathyaram

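Added example, not from the thread, the Technote, or IBM's own material: DB2 LUW statements that show the user-versus-group rule discussed in the posts above and how to verify it from the catalog. The group DEVGRP, user DEV1, table APP.ORDERS, package APP.ORDPKG and bind file ordpkg.bnd are assumed names; the catalog views (SYSCAT.PACKAGES, SYSCAT.PACKAGEDEP, SYSCAT.TABAUTH) and their columns are the standard DB2 LUW ones.

```sql
-- Assumed names: group DEVGRP, user DEV1, table APP.ORDERS, package APP.ORDPKG.
-- Run the GRANT/REVOKE statements as a DBADM/SECADM authorization ID.

-- 1. The bind privilege itself can come from a group; DB2 checks it at bind time.
GRANT BINDADD ON DATABASE TO GROUP DEVGRP;               -- bind new packages
GRANT BIND ON PACKAGE APP.ORDPKG TO GROUP DEVGRP;        -- rebind an existing one

-- 2. Privileges on objects referenced by the package's static SQL must be held
--    directly by the binder (the package owner), not through a group, because
--    DB2 is never told about group membership changes and so cannot track them.
GRANT SELECT ON TABLE APP.ORDERS TO USER DEV1;

-- (The bind is a CLP command, run as DEV1, not SQL:
--    db2 connect to SAMPLE user dev1
--    db2 bind ordpkg.bnd
-- )

-- 3. Check before handing out a bind file: for every table or view the package
--    depends on, does the binder hold SELECT directly (GRANTEETYPE = 'U')?
--    Rows showing MISSING are the ones where only group membership exists.
SELECT p.PKGSCHEMA, p.PKGNAME, p.BOUNDBY, p.VALID,
       d.BSCHEMA, d.BNAME,
       CASE WHEN t.GRANTEE IS NULL THEN 'MISSING' ELSE 'DIRECT' END AS SELECT_PRIV
FROM   SYSCAT.PACKAGES p
JOIN   SYSCAT.PACKAGEDEP d
       ON  d.PKGSCHEMA = p.PKGSCHEMA
       AND d.PKGNAME   = p.PKGNAME
       AND d.BTYPE IN ('T', 'V')                          -- tables and views only
LEFT JOIN SYSCAT.TABAUTH t
       ON  t.TABSCHEMA   = d.BSCHEMA
       AND t.TABNAME     = d.BNAME
       AND t.GRANTEE     = p.BOUNDBY
       AND t.GRANTEETYPE = 'U'                            -- direct grant, not 'G'
       AND t.SELECTAUTH IN ('Y', 'G')
WHERE  p.PKGSCHEMA = 'APP'
AND    p.PKGNAME   = 'ORDPKG';

-- 4. Why the rule exists: revoking a direct privilege the package depends on
--    marks the package invalid (VALID = 'N'); DB2 then attempts an implicit
--    rebind on next use. Nothing comparable can happen when a user simply
--    leaves a group, since DB2 never sees that change.
REVOKE SELECT ON TABLE APP.ORDERS FROM USER DEV1;

SELECT PKGSCHEMA, PKGNAME, VALID
FROM   SYSCAT.PACKAGES
WHERE  PKGSCHEMA = 'APP'
AND    PKGNAME   = 'ORDPKG';                              -- VALID is now 'N'
```

The check in step 3 is the one worth running as the DBA before telling a developer "go ahead and bind": it lists exactly the dependencies for which the binder has no direct privilege, so the bind (or the later execution) fails for a reason you can see in advance rather than after the fact.
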
#9 Cougar8000
    Sathyaram, thank you as always for the great info.

    I think we are going to tackle this issue by creating a shell script that has an instance id and pwd coded in it and have users run it, passing parameters to it, making sure they can't read the script to get the pwd. This will prevent giving access directly to users (company policy) and ensures the package will still work, since I do not foresee the instance id getting deleted.

#10 sathyaram_s
    I have tried something similar in the past (just out of my own interest)...

    If the config file is owned by the instance owner without read access to public, then a 'normal' user will be unable to read the file as part of his/her script.

    If the file is owned by the root user, something like a sticky bit may be possible, I guess ..

    Let us know how you implement it ... I'm quite keen to know what you do.

    Cheers
    Sathyaram

#11 Cougar8000
    I will try to remember to update you when I am done.