  1. #1
    Join Date
    Sep 2016
    Posts
    3

    Unanswered: IBM DB2 Grant SYSADM for itmuser group

    Hello Community,

    I am trying to set SYSADM privileges for itmuser, which is in the itmusers group. It has happened on the WAREHOUS server (I expect during the WAREHOUS scripts calling), so I am not sure about the conditions under which it happened. Here is the output from the WAREHOUS server. It's not set through the system but somewhere in DB2.

    Code:
    [db2inst1@WAREHOUS ~]$ db2 "SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('itmuser', 'U') ) AS T ORDER BY AUTHORITY"
    
    AUTHORITY                                                                                                                        D_USER D_GROUP D_PUBLIC ROLE_USER ROLE_GROUP ROLE_PUBLIC D_ROLE
    -------------------------------------------------------------------------------------------------------------------------------- ------ ------- -------- --------- ---------- ----------- ------
    
    DATAACCESS                                                                                                                       N      N       N        N         N          N           *
    DBADM                                                                                                                            N      N       N        N         N          N           *
    EXPLAIN                                                                                                                          N      N       N        N         N          N           *
    IMPLICIT_SCHEMA                                                                                                                  N      N       Y        N         N          N           *
    LOAD                                                                                                                             N      N       N        N         N          N           *
    QUIESCE_CONNECT                                                                                                                  N      N       N        N         N          N           *
    SECADM                                                                                                                           N      N       N        N         N          N           *
    SQLADM                                                                                                                           N      N       N        N         N          N           *
    SYSADM                                                                                                                           *      Y       *        *         *          *           *
    SYSCTRL                                                                                                                          *      N       *        *         *          *           *
    SYSMAINT                                                                                                                         *      N       *        *         *          *           *
    SYSMON                                                                                                                           *      N       *        *         *          *           *
    WLMADM                                                                                                                           N      N       N        N         N          N           *

    System group output:

    Code:
    [db2inst1@WAREHOUS ~]$ cat /etc/group
    root:x:0:
    bin:x:1:bin,daemon
    daemon:x:2:bin,daemon
    sys:x:3:bin,adm
    adm:x:4:adm,daemon
    tty:x:5:
    disk:x:6:
    lp:x:7:daemon
    mem:x:8:
    kmem:x:9:
    wheel:x:10:
    mail:x:12:mail,postfix
    uucp:x:14:
    man:x:15:
    games:x:20:
    gopher:x:30:
    video:x:39:
    dip:x:40:
    ftp:x:50:
    lock:x:54:
    audio:x:63:
    nobody:x:99:
    users:x:100:
    dbus:x:81:
    utmp:x:22:
    utempter:x:35:
    floppy:x:19:
    vcsa:x:69:
    rpc:x:32:
    abrt:x:173:
    cdrom:x:11:
    tape:x:33:
    dialout:x:18:
    cgred:x:499:
    wbpriv:x:88:
    rpcuser:x:29:
    nfsnobody:x:65534:
    haldaemon:x:68:haldaemon
    ntp:x:38:
    saslauth:x:76:
    postdrop:x:90:
    postfix:x:89:
    sshd:x:74:
    oprofile:x:16:
    tcpdump:x:72:
    stapusr:x:156:
    stapsys:x:157:
    stapdev:x:158:
    slocate:x:21:
    nagios:x:500:
    dasadm1:x:101:db2inst1,db2inst2
    db2iadm1:x:102:db2inst2,db2rep
    db2fadm1:x:103:
    db2inst2:x:602:
    db2rep:x:603:
    itmusers:x:600:itmuser

    And my question is how to set exactly the same properties on other servers with DB2 installed (the same users are there):

    Code:
    [db2inst1@TCR ~]$ db2 "SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('itmuser', 'U') ) AS T ORDER BY AUTHORITY"
    
    AUTHORITY                                                                                                                        D_USER D_GROUP D_PUBLIC ROLE_USER ROLE_GROUP ROLE_PUBLIC D_ROLE
    -------------------------------------------------------------------------------------------------------------------------------- ------ ------- -------- --------- ---------- ----------- ------
    
    DATAACCESS                                                                                                                       N      N       N        N         N          N           *
    DBADM                                                                                                                            N      N       N        N         N          N           *
    EXPLAIN                                                                                                                          N      N       N        N         N          N           *
    IMPLICIT_SCHEMA                                                                                                                  N      N       Y        N         N          N           *
    LOAD                                                                                                                             N      N       N        N         N          N           *
    QUIESCE_CONNECT                                                                                                                  N      N       N        N         N          N           *
    SECADM                                                                                                                           N      Y       N        N         N          N           *
    SQLADM                                                                                                                           N      N       N        N         N          N           *
    SYSADM                                                                                                                           *      N       *        *         *          *           *
    SYSCTRL                                                                                                                          *      N       *        *         *          *           *
    SYSMAINT                                                                                                                         *      N       *        *         *          *           *
    SYSMON                                                                                                                           *      N       *        *         *          *           *
    WLMADM                                                                                                                           N      N       N        N         N          N           *

    I was using the following command, but it was not executed:

    Code:
    [db2inst1@TCR1 ~]$ db2 "GRANT SYSADM ON SYSTEM TO GROUP ITMUSERS"

    Thanks for any help, Jan

  2. #2
    Join Date
    Apr 2012
    Posts
    1,006
    Provided Answers: 16
    If the SYSADM_GROUP configured for the instance is db2iadm1, then add itmuser to group db2iadm1. If not, add itmuser to the correct operating-system group specified as the SYSADM_GROUP (in db2 get dbm cfg). If no such group is specified, then specify one in which itmuser is a member. But check with your DBA first, if there is a DBA.
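    The check described in the reply above, written out as an added example that is not part of this thread or of IBM's tooling: a small POSIX shell audit that reads the SYSADM/SYSCTRL/SYSMAINT/SYSMON group names from captured `db2 get dbm cfg` output and the OS group file, and reports which instance-level authorities a user inherits through operating-system group membership. The `D_GROUP = Y` against SYSADM in the first post is what such a membership looks like from AUTH_LIST_AUTHORITIES_FOR_AUTHID. The dbm cfg lines and the /etc/group entries below are constructed samples (the group name `db2mon` and the user `kuddb2` are assumptions, not values from the thread), so the script runs without a DB2 instance; against a real system, feed it the actual output of `db2 get dbm cfg` and the contents of /etc/group.

```shell
#!/bin/sh
# Added example (not from the thread): audit which DB2 instance-level
# authorities a user inherits through operating-system group membership.
# Both inputs are constructed sample text so the script runs offline.

# Constructed sample of the relevant lines of `db2 get dbm cfg`.
# Assumption: these group names are illustrative, not the poster's values.
SAMPLE_DBM_CFG='SYSADM group name                        (SYSADM_GROUP) = ITMUSERS
SYSCTRL group name                      (SYSCTRL_GROUP) =
SYSMAINT group name                    (SYSMAINT_GROUP) = DB2IADM1
SYSMON group name                        (SYSMON_GROUP) = DB2MON'

# Constructed sample of /etc/group (db2mon and kuddb2 are assumed names).
SAMPLE_ETC_GROUP='root:x:0:
dasadm1:x:101:db2inst1,db2inst2
db2iadm1:x:102:db2inst2,db2rep
db2mon:x:604:kuddb2
itmusers:x:600:itmuser'

# cfg_group AUTH CFG_TEXT
# Prints the OS group configured for AUTH (SYSADM, SYSCTRL, SYSMAINT or
# SYSMON), lowercased to match /etc/group; prints nothing if unset.
cfg_group() {
    printf '%s\n' "$2" | sed -n "s/.*(${1}_GROUP) *= *//p" \
        | tr 'A-Z' 'a-z' | tr -d ' '
}

# user_in_group USER GROUP GROUP_TEXT
# Exit 0 if USER appears in GROUP's member list, 1 otherwise.
# Caveat: DB2 also honours the user's primary group from /etc/passwd,
# which this helper does not read.
user_in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# authorities_for_user USER CFG_TEXT GROUP_TEXT
# Prints one "AUTH via group" line per instance authority USER holds
# through membership in the configured group.
authorities_for_user() {
    user=$1; cfg=$2; grp_text=$3
    for auth in SYSADM SYSCTRL SYSMAINT SYSMON; do
        g=$(cfg_group "$auth" "$cfg")
        [ -n "$g" ] || continue
        if user_in_group "$user" "$g" "$grp_text"; then
            printf '%s via %s\n' "$auth" "$g"
        fi
    done
}

# With the constructed samples, itmuser holds SYSADM via itmusers and
# the assumed kuddb2 account holds only SYSMON via db2mon.
authorities_for_user itmuser "$SAMPLE_DBM_CFG" "$SAMPLE_ETC_GROUP"
authorities_for_user kuddb2 "$SAMPLE_DBM_CFG" "$SAMPLE_ETC_GROUP"
```

    Run this on each instance host to see at a glance whether a monitoring account is holding SYSADM through a group such as itmusers or only the SYSMON it needs; an empty SYSCTRL_GROUP line, as in the sample, simply means no group has been given that authority.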

  3. #3
    Join Date
    Jul 2016
    Location
    Germany
    Posts
    20
    Provided Answers: 1

    quick and dirty

    Hi jencek123,

    From Must Read before posting

    Please follow these guidelines to get quick, apt and meaningful responses:

    1) Every question posted must include your DB2 version, fixpack and edition + your operating system (including version info) + info on any third-party software you use.
    You can get this info using the following commands:
    db2level -> to get the DB2 version and fixpack level
    db2licm -l -> to get the DB2 type (WSE, ESE, etc.)

    Good luck
    db2dp

  4. #4
    Join Date
    Sep 2016
    Posts
    3

    DB2 version

    Ok, thank you for the answer. The first tip is the easiest one and it works. But I need to set these properties hidden from the security team. It's not easy to explain to them that the monitoring agent is running with full privileges. Our DB2 is ESE version 10.5 FP3 on Linux Red Hat 6.7. I need to find a solution for how to set full SYSADM privileges through the DB, not in system groups, as it is in the code above on the WAREHOUS server.

  5. #5
    Join Date
    Jul 2016
    Location
    Germany
    Posts
    20
    Provided Answers: 1

    quick and dirty

    Hi jencek123,

    To please the security teams of the world,

    IBM invented the SYSMON authority for monitoring.

    Since DB2 9.7, monitoring should run with SYSMON authority.

    This should work and is very easy to explain to your security team.

    Good luck
    db2dp

  6. #6
    Join Date
    Apr 2012
    Posts
    1,006
    Provided Answers: 16
    If you mean the ITCAM UD agent, then an alternative is to configure it to connect as the instance owner. Kuddb2 does not need sysadm just for monitoring. The advantage is that no new account is necessary, but that is also a disadvantage if minimum privilege necessary is an enforced site policy.

  7. #7
    Join Date
    Sep 2016
    Posts
    3

    Sysmon

    Ok, I just tried to set up SYSMON privileges for the user running the DB2 agent. And it is not enough; some errors occurred in the log.

  8. #8
    Join Date
    Apr 2012
    Posts
    1,006
    Provided Answers: 16
    For kuddb2, if you create a new user account that is a member of the SYSMON_GROUP for the DB2 instance, then you will also need to grant that new user connect access on the databases (either explicitly to that user or implicitly via its group memberships). IBM documents this.
    You must then arrange for that new user (and possibly its primary group) to be created on each hostname that runs a DB2 server product that needs monitoring by kuddb2. Sometimes that requires additional bureaucracy, which you would not have if you used the DB2 instance account, although the latter has more rights than kuddb2 actually needs.
