  1. #1
    Join Date
    Mar 2006
    Posts
    14

    Unanswered: Restricting access by authID and source

    Is there a way to restrict db2 communication based on a combination of authorization ID and source? For example, we want to enforce that a batch application should run from a given server (SERVERX) using authorization ID (USERX). Is this possible? The db2 governor does not appear to monitor by source.

  2. #2
    Join Date
    May 2003
    Location
    USA
    Posts
    5,737
    What DB2 Version and OS are you talking about?
    M. A. Feldman
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows
    IBM Certified DBA on DB2 for z/OS and OS/390

  3. #3
    Join Date
    Oct 2004
    Location
    DELHI INDIA
    Posts
    338
    From the list applications command grep the user-id and ipaddress of the application ---> Now pick up the application-id from the selected list --> Force those particular appl-id off.

    Put this script in sleep-mode for 5-10 seconds depending upon your server load.
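
The polling check described in post #3, as an added example that is not part of any poster's reply. It assumes the connection list has already been reduced to `AUTHID HANDLE CLIENT` lines (a simplified layout, not raw DB2 output); `POLICY`, `find_violations`, `force_commands` and the sample connections are hypothetical names and constructed data, while USERX and SERVERX come from the question.

```shell
#!/bin/sh
# Added example, not from the thread.
# Policy: each restricted authorization ID may connect only from one client.
# Format: space-separated AUTHID=CLIENT pairs (USERX/SERVERX are the names
# used in the question).
POLICY='USERX=SERVERX'

# find_violations: reads "AUTHID HANDLE CLIENT" lines on stdin (assumed,
# simplified layout; derive these fields from your own
# "db2 list applications show detail" output) and prints the application
# handle of every connection that uses a restricted auth ID from a client
# other than the one the policy allows. Comparison is case-insensitive.
find_violations() {
    awk -v policy="$POLICY" '
        BEGIN {
            n = split(policy, pairs, " ")
            for (i = 1; i <= n; i++)
                if (split(pairs[i], f, "=") == 2)
                    allowed[toupper(f[1])] = toupper(f[2])
        }
        NF >= 3 {
            auth = toupper($1); client = toupper($3)
            # Unrestricted auth IDs are ignored; restricted ones must match.
            if ((auth in allowed) && client != allowed[auth])
                print $2
        }'
}

# force_commands: turn handles into the DB2 CLP commands the polling loop
# would run. They are printed, not executed, so this runs without DB2.
force_commands() {
    while read -r handle; do
        printf 'db2 "force application (%s)"\n' "$handle"
    done
}

# Constructed sample connections (AUTHID HANDLE CLIENT).
SAMPLE='USERX 101 SERVERX
userx 102 WORKSTATION7
APPUSER 103 WORKSTATION7
USERX 104 serverx'

printf '%s\n' "$SAMPLE" | find_violations | force_commands
```

A disallowed connection stays open for up to one polling interval before it is forced off, so this cuts sessions short rather than preventing them.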

  4. #4
    Join Date
    Mar 2006
    Posts
    14
    I am running on Windows 2000, DB2/UDB ESE version 8, fixpak 8a. A script that runs every few seconds is a possibility, but I was hoping DB2 would have something internal to help regulate this.

    Thanks
    Al

  5. #5
    Join Date
    Aug 2001
    Location
    UK
    Posts
    4,650
    Can you consider adding a bit of code in the application layer ... How complex the change is depends on the type of application ... Let us consider a korn script being called from cron ..
    Now you have an entry in cron to start batchjob1 at 10 am ..

    You can now create a new job batchjob1_wrap and put the following lines in it

    Now schedule batchjob1_wrap to run at 10 am ..

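    # Host this wrapper is running on
    where_from=`hostname`
    batchname='batch1'
    db2 connect to mydb
    # USER is the DB2 special register holding the connected authorization ID;
    # string values are quoted so they are compared as literals
    db2 -x "select 1 from auth_appl where batch_appl_name='$batchname' and batch_auth_id=USER and batch_host_name='$where_from'" | read counter
    # Run the batch only if exactly this appl/auth ID/host combination is listed
    if [ "$counter" -eq 1 ]
    then
        batch1 parm1 parm2
    else
        echo "Not authorized"
    fi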

    On the server, create a table auth_appl and define who is authorized, from which host and which appl ... Therefore you can define the authorizations in the database ...

    If the connecting user has requisite permissions, you may as well get the hostname, application info using the snapshot table functions ...
    And BTW, I'm sure you'll be aware that access to db objects like table, view etc can be 'configured' for the USER

    HTH

    Sathyaram
    Last edited by sathyaram_s; 03-07-06 at 21:09.

  6. #6
    Join Date
    Mar 2006
    Posts
    14
    I am trying to find a graceful way to restrict access. Our system does limit access by user, but what we want is to prevent ID-hijacking.

    This is more of an issue for our internal auditors than it is for me (as the DBA). I can write a program, but then I have to audit the program. I was hoping there was a configuration parameter or a DB2governor option that would allow me to perform this restriction without developing code or using an outside source.
