  1. #1
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367

    Unanswered: instance owner login

    How do you set up logins for multiple DBAs supporting the same Linux/Unix environments?

    Does each DBA log on to the server with their personal ID and then 'sudo su - <instance owner>'? Is there a better (more secure) way to accomplish this?

  2. #2
    Join Date
    Jan 2010
    Posts
    335
    We use ssh + private/public key.
    It's not the safest way, but it works well for us.

  3. #3
    Join Date
    Aug 2001
    Location
    UK
    Posts
    4,650
    An alternative approach is to set up a group, say db2sysg1, add the DBA users (+ instance owner, of course) and assign SYSADM_GROUP to this group.

    The DBAs can use their own logins to do remote administration (Data Studio, Quest) and also use monitoring tools (like db2mon). This helps in auditing remote connections as well.

    Quote Originally Posted by db2girl View Post
    How do you set up logins for multiple DBAs supporting the same Linux/Unix environments?

    Does each DBA log on to the server with their personal ID and then 'sudo su - <instance owner>'? Is there a better (more secure) way to accomplish this?

  4. #4
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367
    If every DBA administers db2 using their personal ID (with SYSADM privilege), then there is a way to tell who has done what (i.e. drop table) if db2audit is set up. If they "su" to the instance owner, then I think there is no way? "su" is logged, but everything else (db2 admin tasks) will be logged as the instance owner ID and I will have no way of telling who has done what to the db?

    How is this set up in most shops? What I'm after is a way of tracking down each DBA's activity (just in case something goes wrong...)

  5. #5
    Join Date
    May 2003
    Location
    USA
    Posts
    5,737
    Quote Originally Posted by sathyaram_s View Post
    An alternative approach is to set up a group, say db2sysg1, add the DBA users (+ instance owner, of course) and assign SYSADM_GROUP to this group.

    The DBAs can use their own logins to do remote administration (Data Studio, Quest) and also use monitoring tools (like db2mon). This helps in auditing remote connections as well.
    One thing I don't like about that is that if there are multiple instances on the server, once you log on as the instance owner, the correct DB2 profile is always invoked and you are always pointed to the correct instance.

    Otherwise, if a personal ID is used with SYSADM, some inadvertent mistakes could happen because the user may not realize which instance they are attached to.
    M. A. Feldman
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows
    IBM Certified DBA on DB2 for z/OS and OS/390

  6. #6
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Also keep in mind that when people create objects (tables, routines) under their own authorization IDs the objects will be owned by these different IDs, which causes confusion later (e.g. another DBA not being able to CREATE OR REPLACE or DROP objects) unless permissions are explicitly granted to the DBA group or individual IDs.

  7. #7
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367
    It looks like using the instance owner ID is easier to manage and can be less error prone, but I'm not sure how to track down who has been using this ID to do db2 admin work other than to see when "su" was logged.

  8. #8
    Join Date
    Nov 2011
    Location
    Shen Zhen,China
    Posts
    37
    We are using this approach:

    Log in to the server with a personal ID, then "sudo su - inst", and add a script to the instance's .profile to record all the commands (even wrong commands) they used into a log file.
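    The .profile logging approach from post #8, written out as an added example (not code from the thread or from any poster). It assumes the instance owner's login shell is bash and uses a hypothetical log path. One caveat it handles: `sudo su - inst` starts a clean login environment and drops SUDO_USER, so the helper falls back to logname(1), which reports the personal login recorded for the controlling tty; `sudo -i -u inst` keeps SUDO_USER and makes attribution simpler. Because the instance owner can edit their own .profile, this trail is a convenience for answering "who ran this?", while the sudo log and db2audit (post #4) remain the authoritative records.

```shell
#!/bin/bash
# Added example: command-attribution hook for the instance owner's .profile.
# Records each interactive command together with the personal ID that
# reached the shared instance account. Log path below is hypothetical.

DB2_CMDLOG="${DB2_CMDLOG:-$HOME/.db2_cmdlog}"

# Personal ID behind this session: SUDO_USER if sudo preserved it, else the
# tty's login name (survives `su -`), else the effective user.
db2_origin_user() {
    if [ -n "$SUDO_USER" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        logname 2>/dev/null || id -un
    fi
}

# Format one record as key=value fields so the log greps cleanly.
# $1 timestamp, $2 origin user, $3 effective user, $4 command text
db2_log_line() {
    printf '%s origin=%s effective=%s cmd=%s\n' "$1" "$2" "$3" "$4"
}

# Append a record. $1 origin user, $2 effective user, $3 command text
db2_append_log() {
    db2_log_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$DB2_CMDLOG"
}

# Called from PROMPT_COMMAND: log the newest history entry exactly once,
# including commands that failed, since history records them too.
db2_record_last_command() {
    local cmd
    cmd=$(fc -ln -1 2>/dev/null | sed 's/^[[:space:]]*//')
    [ -n "$cmd" ] || return 0
    [ "$cmd" != "$DB2_LAST_LOGGED" ] || return 0   # empty Enter re-shows last entry
    DB2_LAST_LOGGED=$cmd
    db2_append_log "$(db2_origin_user)" "$(id -un)" "$cmd"
}

# Review helper: number of records attributed to a personal ID. $1 origin user
db2_count_by_origin() {
    [ -f "$DB2_CMDLOG" ] || { echo 0; return 0; }
    grep -c "origin=$1 " "$DB2_CMDLOG" || true
}

# Install the hook only in interactive bash sessions (this file is sourced
# from .profile); non-interactive scripts and cron jobs are left alone.
if [ -n "$BASH_VERSION" ]; then
    case $- in
        *i*)
            touch "$DB2_CMDLOG" && chmod 600 "$DB2_CMDLOG"
            PROMPT_COMMAND="db2_record_last_command${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
            ;;
    esac
fi
```

    Source it from the instance owner's .profile; afterwards `db2_count_by_origin alice` (or a plain grep on `origin=`) shows which personal ID ran which db2 commands under the shared account.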
