
Thread: DB2 Privileges

  1. #1
    Join Date
    Sep 2006
    Posts
    105

    Unanswered: DB2 Privileges

    Hello All,

    Is there any way to find out which user has revoked/granted DB privileges (like connect) to another user?

    We faced a situation where the connect privilege was revoked from a user, but we are not sure who revoked it.

    The system is a legacy system - DB2 v7.1.

    Irrespective of version, is it possible to find out the same?

    Thanks for your help in advance.

    Regards
    Meena.s

  2. #2
    Join Date
    Jan 2003
    Posts
    4,292
    Provided Answers: 5
    There are several views in the catalog (syscat) that show authorizations (they usually end in "AUTH"). There is a different view for each object type (e.g. TABAUTH is for table authorizations: select, insert, delete, etc). Each of these views should have a column that is like 'GRANT'. Persons with this authorization can perform the grant on the object for which they have the grant authority.

    Andy

  3. #3
    Join Date
    Oct 2007
    Posts
    246
    Check syscat.dbauth. Have you revoked connect privileges from public in your DB? Because connect to the DB is the default for a user. You can get your info in the syscat.dbauth table, I believe.

    Group, kindly correct me on this.

    Regards
    Paul

  4. #4
    Join Date
    Sep 2006
    Posts
    105
    @Andy: Yup, as you said, we have syscat tables for the entries, but here we need to know when the connect privilege was revoked from the user (not public) and who revoked it.

    Is there any possibility for this?

  5. #5
    Join Date
    Sep 2006
    Posts
    105
    @Paul: Syscat.dbauth will have privilege info and grantor, grantee related information only.

  6. #6
    Join Date
    Jan 2003
    Posts
    4,292
    Provided Answers: 5
    I usually do not need to look in the syscat catalog for authorizations so I am not 100% on what is there. That is what manuals are created for. Looking in the V9.5 manual (I assume V7 is similar), to grant/revoke connect privilege the user needs to be either DBADM or SYSADM.

    Andy

  7. #7
    Join Date
    Sep 2006
    Posts
    105
    Thanks Andy for your reply.

    Yup. Users who hold sysadm/dbadm privileges can revoke the connect privilege.
    In our case, I have checked that too.

    Only the instance ID holds that privilege. But some of the users hold sudo su access to the instance.

    So any of them had a chance to revoke it. Is there any possibility to find who has revoked it?

  8. #8
    Join Date
    Jan 2003
    Posts
    4,292
    Provided Answers: 5
    You would have to check the OS logs to see who used sudo around the time that the privileges were revoked.

    Andy

  9. #9
    Join Date
    Sep 2006
    Posts
    105
    Thanks Andy for your updates.
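
The check suggested in reply #8, as an added example that is not part of the original thread: it parses sudo's syslog records and lists who reached the instance owner within a window around the suspected revoke time. The instance owner name `db2inst1`, the log lines, and the suspected time are constructed assumptions; point it at the real sudo log (its location depends on the OS and syslog configuration).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in sudo's syslog format; hosts, users and times are invented.
SAMPLE_LOG = """\
Mar  3 09:15:40 dbhost sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Mar  3 13:58:02 dbhost sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su - db2inst1
Mar  3 14:05:27 dbhost sudo:      bob : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/bob ; USER=db2inst1 ; COMMAND=/bin/ksh
Mar  3 14:20:11 dbhost sshd[812]: Accepted password for carol from 10.0.0.5 port 4022
Mar  3 19:44:53 dbhost sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/su - db2inst1
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+sudo(?:\[\d+\])?:\s+(\S+)\s+:\s+(.*)$")

def parse_sudo_line(line, year):
    """Return a dict for a sudo record, or None for any other log line."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, invoker, rest = m.groups()
    head, _, command = rest.partition("COMMAND=")  # COMMAND is always the last field
    fields = dict(p.split("=", 1) for p in head.split(" ; ") if "=" in p)
    notes = [p.strip() for p in head.split(" ; ") if p.strip() and "=" not in p]
    return {
        "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "invoker": invoker,
        "run_as": fields.get("USER", "").strip(),
        "command": command.strip(),
        "failed": bool(notes),  # e.g. "3 incorrect password attempts"
    }

def instance_access_near(log_text, revoke_time, window, instance_owner):
    """sudo records that reach the instance owner within +/- window of revoke_time."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line, revoke_time.year)  # syslog stamps carry no year
        if rec is None or abs(rec["time"] - revoke_time) > window:
            continue
        if rec["run_as"] == instance_owner or instance_owner in rec["command"].split():
            hits.append(rec)
    return hits

if __name__ == "__main__":
    suspected = datetime(2008, 3, 3, 14, 0)  # assumed approximate time of the REVOKE
    for r in instance_access_near(SAMPLE_LOG, suspected, timedelta(hours=1), "db2inst1"):
        status = "FAILED" if r["failed"] else "ok"
        print(r["time"], r["invoker"], "->", r["run_as"], r["command"], status)
```

A user who first opens a root shell through sudo and then runs `su` to the instance owner from it leaves no sudo record for the second step, so the `su` entries in the system log need the same review.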
