  1. #1
    Join Date
    Dec 2003
    Posts
    4

    Unanswered: db2 users under db2cc and data studio

    Hi All,

    Pardon my inquiry if it seems a bit noobish... please let me know where I can move it to...

    I've read in the docs that DB2 uses OS accounts/authentication by default for authenticating users, so I'm a little confused as to the behavior of db2cc and IBM Data Studio, i.e.

    -- users added using db2cc/data studio don't show up at the OS level
    -- users added at the OS level don't show up under db2cc/IBM data studio


    What gives? I was expecting the list of users in db2cc/Data Studio to be consistent with the OS accounts. Is there some sort of table/view/etc. that DB2 maintains?

    I am running DB2-C 9.7.4 on Windows btw.

    tia

  2. #2
    Join Date
    Apr 2006
    Location
    Belgium
    Posts
    2,514
    Provided Answers: 11
    No, DB2 does not maintain info about uid/pw.
    For all connect users there must be an OS user mapping somewhere: local, at server, at LDAP...
    In the docs there is a lot to read about this:
    DB2 security model overview
    or you could first attend a course at
    DB2 University to learn the basics of DB2
    Best Regards, Guy Przytula
    Database Software Consultant
    Good DBAs are not formed in a week or a month. They are created little by little, day by day. Protracted and patient effort is needed to develop good DBAs.
    Spoon feeding : To treat (another) in a way that discourages independent thought or action, as by overindulgence.
    DB2 UDB LUW Certified V7-V8-V9-V9.7-V10.1-V10.5 DB Admin - Advanced DBA -Dprop..
    Information Server Datastage Certified
    http://www.infocura.be

  3. #3
    Join Date
    May 2003
    Location
    USA
    Posts
    5,737
    You can, but you don't need to, add users or groups in DB2. They automatically get added to the DB2 system catalog (TABAUTH, DBAUTH, etc.) when you issue a SQL GRANT to a user or group. The actual password authentication is handled by the OS (so the account must exist in the OS), but INSERT, UPDATE, SELECT, CONNECT, etc. authorities within DB2 are handled with SQL GRANT, REVOKE, etc.

    GRANTS to user or group accounts can be made within DB2 before the accounts are created in the OS. They only get checked when authentication takes place.
    M. A. Feldman
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows
    IBM Certified DBA on DB2 for z/OS and OS/390

  4. #4
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367
    Originally posted by przytula_guy:
    DB2 University to learn the basics of DB2

    Another DB2 learning site. Unbelievable.

  5. #5
    Join Date
    Dec 2003
    Posts
    4
    Thanks all for clearing that up: authentication at OS level, rights/privileges defined in DB2


    Given this scenario:

    - created OS user spongebob
    - granted access rights/privileges in DB2 for spongebob
    - deleted OS user spongebob
    - created new OS user spongebob

    ...would the new spongebob be given the same access rights/privileges as the old spongebob? Should the SOP be to manually revoke all rights/privileges of all deleted OS accounts, or is there a way of automating the process?

    Thanks

  6. #6
    Join Date
    Apr 2006
    Location
    Belgium
    Posts
    2,514
    Provided Answers: 11
    Drop/create OS uid: DB2 will never clean up grants, even if the user does not exist.
    An error will be presented when referenced;
    otherwise the new user will inherit the existing grant.
    No automated cleanup exists. The OS uid list should be compared with the DB2 uid grant list and cleanup done.
    Best Regards, Guy Przytula
    Database Software Consultant
    Good DBAs are not formed in a week or a month. They are created little by little, day by day. Protracted and patient effort is needed to develop good DBAs.
    Spoon feeding : To treat (another) in a way that discourages independent thought or action, as by overindulgence.
    DB2 UDB LUW Certified V7-V8-V9-V9.7-V10.1-V10.5 DB Admin - Advanced DBA -Dprop..
    Information Server Datastage Certified
    http://www.infocura.be
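
The comparison suggested in the last reply (OS account list against the DB2 grant list), sketched as an added example that is not code from any poster in this thread. The sample rows and account lists are constructed, the function names are hypothetical, and the row shape assumes the GRANTEE and GRANTEETYPE columns of the SYSCAT.DBAUTH and SYSCAT.TABAUTH catalog views have been exported together with the privilege and object.

```python
"""Compare DB2 grantees with OS accounts and draft REVOKEs for orphans."""

# Constructed sample rows in the shape (GRANTEE, GRANTEETYPE, privilege, object),
# as they could be exported from SYSCAT.DBAUTH / SYSCAT.TABAUTH. Not real output.
CATALOG_GRANTS = [
    ("SPONGEBOB", "U", "CONNECT", "DATABASE"),
    ("SPONGEBOB", "U", "SELECT", "TABLE APP.ORDERS"),
    ("PATRICK", "U", "CONNECT", "DATABASE"),
    ("REPORTING", "G", "SELECT", "TABLE APP.ORDERS"),
    ("OLDTEAM", "G", "CONNECT", "DATABASE"),
    ("PUBLIC", "G", "CONNECT", "DATABASE"),
]
# Constructed OS account lists (e.g. local users and groups on the server).
OS_USERS = ["Administrator", "db2admin", "patrick"]
OS_GROUPS = ["DB2ADMNS", "Reporting"]

KEYWORD = {"U": "USER", "G": "GROUP"}


def orphaned_grants(grants, os_users, os_groups):
    """Return grant rows whose grantee has no OS account of the same type."""
    # DB2 normally stores authorization IDs in upper case and Windows names
    # are case-insensitive, so compare upper-cased. PUBLIC is a DB2 pseudo-group.
    known = {
        "U": {name.upper() for name in os_users},
        "G": {name.upper() for name in os_groups} | {"PUBLIC"},
    }
    return [
        row for row in grants
        # Other grantee types (e.g. roles, "R") live only in DB2: skip them.
        if row[1] in known and row[0].strip().upper() not in known[row[1]]
    ]


def revoke_statements(orphans):
    """Draft one REVOKE per orphaned grant, for a DBA to review before running."""
    return [
        f"REVOKE {priv} ON {obj} FROM {KEYWORD[gtype]} {grantee.strip()}"
        for grantee, gtype, priv, obj in orphans
    ]


if __name__ == "__main__":
    for stmt in revoke_statements(orphaned_grants(CATALOG_GRANTS, OS_USERS, OS_GROUPS)):
        print(stmt + ";")
```

A name-based comparison only flags grantees that currently have no OS account; once an account with the same name has been recreated it matches again and is not reported, so the check belongs in the account-deletion procedure.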
