Results 1 to 4 of 4
  1. #1
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,369

    Unanswered: public access to catalog tables after migration

    Let's say, a v9.1 or v9.5 db is created without RESTRICTIVE option. Then, select is revoked from public for all catalog tables/views. This v9.1 or v9.5 db gets migrated (in-place or via a restore) to v9.7. Select is granted back to public during migration. This only happens if the db was originally created without RESTRICTIVE option.

    Do you think this is normal?

  2. #2
    Join Date
    May 2003
    Location
    USA
    Posts
    5,737
    I don't know if it is normal, but RESTRICTIVE option is useless since it does not even allow access to packages that is needed to execute many SQL statements (such as cursor packages).
    M. A. Feldman
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows
    IBM Certified DBA on DB2 for z/OS and OS/390

  3. #3
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,369
    I think RESTRICTIVE is useful in their case because their security standards state that public should have no grants at all (I think this applies to all default packages as well but will verify). But not all database were created with this option and migration just grants everything (will verify about packages) back to public. I'm not sure why db2 doesn't revoke what was not supposed to be granted in the first place...

  4. #4
    Join Date
    May 2003
    Location
    USA
    Posts
    5,737
    Quote Originally Posted by db2girl View Post
    I think RESTRICTIVE is useful in their case because their security standards state that public should have no grants at all (I think this applies to all default packages as well but will verify).
    It does apply to the default packages, and makes the database unusable. The DB2 supplied packages are not documented as to which are needed, so the implementation is ridculous. There should be a difference between a user created package, and those used by DB2 internally to run basic queries (select, insert, update, delete). If you turn on restrictive, you can expect outages trying to figure out which ones to grant access for, which is something that many of us cannot tolerate.
    M. A. Feldman
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows
    IBM Certified DBA on DB2 for z/OS and OS/390

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •