1/01/2016

DB2 Database Security Model


Access to DB2 data and functions is governed by two layers of security controls:
1. Authentication (performed outside the DB2 database system)
2. Authorization (managed by the database manager)

Authentication: 

1. Authentication is the process that verifies the identity of a user. For DB2 this check is done at the operating-system level (or by another external facility), not by the database itself.
2. The check is carried out by a secure facility outside the DB2 database system, reached through an authentication security plug-in module. The default plug-in uses operating-system authentication; Kerberos and LDAP plug-ins are also shipped.
3. The authentication type is held in the database manager configuration parameter AUTHENTICATION and is set when the instance is created. The default is SERVER, meaning the user ID and password are validated on the server where the database resides.
4. Successful authentication yields a DB2 authorization ID. Every later authorization check is made against this ID, not against the operating-system credentials.

Authorization:

1. Once authentication succeeds, the database manager determines which DB2 data and resources the user is allowed to access.
2. During authorization the database manager checks which database operations the user may perform and which data objects the user may access. These checks are made against the authorization ID and against the groups and roles it belongs to.

The permissions available to an authorization ID come from the following sources:
  • Primary permissions: those granted to the authorization ID directly.
  • Secondary permissions: those granted to the groups and roles of which the authorization ID is a member.
  • Public permissions: those granted to PUBLIC, and therefore held by every authorization ID.
  • Context-sensitive permissions: those granted to a trusted context role, available only to a connection established through that trusted context.
Authorization is granted at the following levels:

System-level authorization

The system administrator (SYSADM), system control (SYSCTRL), system maintenance (SYSMAINT), and system monitor (SYSMON) authorities provide varying degrees of control over instance-level functions. Authorities provide a way both to group privileges and to control maintenance and utility operations for instances, databases, and database objects.

Database-level authorization

The security administrator (SECADM), database administrator (DBADM), access control (ACCESSCTRL), data access (DATAACCESS), SQL administrator (SQLADM), workload management administrator (WLMADM), and explain (EXPLAIN) authorities provide control within the database. Other database authorities include LOAD (ability to load data into a table), and CONNECT (ability to connect to a database).

Object-level authorization

Object-level authorization involves checking privileges when an operation is performed on an object. For example, to select from a table a user must hold SELECT privilege on that table as a minimum (or an authority such as DATAACCESS or DBADM that implies it).
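The following DB2 SQL is an added example, not part of the original post. It shows how the database-level authorities and object-level privileges above are granted, and how the permission sources listed earlier (primary, secondary via a role, and PUBLIC) appear in the system catalog afterwards. The schema HR, table PAYROLL, users ALICE and BOB and role HR_ANALYST are hypothetical names, and the table is assumed to already exist.

```sql
-- Added example with hypothetical names: schema HR, table PAYROLL (assumed to
-- exist), users ALICE and BOB, role HR_ANALYST.
-- Authorities and CREATE ROLE need SECADM (or ACCESSCTRL for the grants);
-- object privileges can also be granted by the table owner.

-- Database-level authorities. CONNECT is the minimum needed to attach to the
-- database at all; LOAD lets ALICE run the LOAD utility into tables she can
-- already INSERT into.
GRANT CONNECT ON DATABASE TO USER alice, USER bob;
GRANT LOAD ON DATABASE TO USER alice;

-- Secondary permissions: grant the object privilege to a role, then grant the
-- role to the user, instead of repeating the grant for every analyst.
CREATE ROLE hr_analyst;
GRANT SELECT ON TABLE hr.payroll TO ROLE hr_analyst;     -- object-level privilege
GRANT ROLE hr_analyst TO USER bob;

-- Primary permissions: granted to the authorization ID itself.
GRANT SELECT, INSERT ON TABLE hr.payroll TO USER alice;

-- Public permissions reach every authorization ID that can connect, so a grant
-- to PUBLIC on a sensitive table is the classic over-exposure. Remove it where
-- one exists (DB2 rejects a REVOKE of a privilege that is not held).
REVOKE SELECT ON TABLE hr.payroll FROM PUBLIC;

-- Check what is actually in effect. SYSCAT.TABAUTH has one row per grantee;
-- GRANTEETYPE is U (user), G (group) or R (role); each *AUTH column is
-- N (not held), Y (held) or G (held WITH GRANT OPTION).
SELECT grantee, granteetype, selectauth, insertauth, updateauth, deleteauth
  FROM syscat.tabauth
 WHERE tabschema = 'HR' AND tabname = 'PAYROLL';

-- Database-level authorities live in SYSCAT.DBAUTH.
SELECT grantee, granteetype, connectauth, loadauth, dbadmauth,
       dataaccessauth, accessctrlauth, securityadmauth
  FROM syscat.dbauth;
```

The two catalog queries are the check to run after any change: a row whose GRANTEE is PUBLIC, or a GRANTEETYPE of G for an operating-system group you do not control, is where unintended access usually hides. Note that BOB's SELECT on HR.PAYROLL shows up under GRANTEE HR_ANALYST with GRANTEETYPE R, not under BOB, so a search for a single user's name will miss it.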

Content-based authorization

Views provide a way to control which columns or rows of a table specific users can read: the user is granted SELECT on the view only, never on the base table. Label-based access control (LBAC) goes further and lets the security administrator attach security labels to individual rows and individual columns; the database manager then decides, for every read and write, whether the user's own label allows access.
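As an added example that is not part of the original post, the DB2 SQL below builds both content-based controls on one table: an LBAC policy protecting individual rows and the SALARY column, and a view that filters rows by the connected user. All names (schema HR, policy PAYROLL_POLICY, users ALICE and BOB, role HR_ANALYST) are hypothetical, and the inserted rows are constructed sample data.

```sql
-- Added example, hypothetical names throughout. Statements marked SECADM must be
-- run by a user holding the SECADM authority.

-- 1. (SECADM) Define the LBAC policy before creating the table that uses it.
--    An ARRAY component is ordered: the first element is the highest level.
CREATE SECURITY LABEL COMPONENT clearance
  ARRAY ['TOP SECRET', 'SECRET', 'UNCLASSIFIED'];
CREATE SECURITY POLICY payroll_policy
  COMPONENTS clearance
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;   -- reject, rather than relabel, writes the user may not make
CREATE SECURITY LABEL payroll_policy.secret       COMPONENT clearance 'SECRET';
CREATE SECURITY LABEL payroll_policy.unclassified COMPONENT clearance 'UNCLASSIFIED';

-- 2. A protected table: ROW_LABEL carries a label per row, and the SALARY
--    column as a whole is protected with the SECRET label.
CREATE TABLE hr.payroll (
  emp_id    INTEGER       NOT NULL PRIMARY KEY,
  emp_name  VARCHAR(60)   NOT NULL,
  owner_id  VARCHAR(128)  NOT NULL,             -- authorization ID that may see the row through the view
  salary    DECIMAL(10,2) SECURED WITH secret,
  row_label DB2SECURITYLABEL
) SECURITY POLICY payroll_policy;

-- 3. (SECADM) Hand out labels. ALICE may read SECRET and everything below it;
--    BOB may read only UNCLASSIFIED. Under DB2LBACRULES a row the reader's
--    label does not cover is silently left out of the result, never an error.
GRANT SECURITY LABEL payroll_policy.secret       TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL payroll_policy.unclassified TO USER bob   FOR ALL ACCESS;

-- 4. Constructed sample rows. Writes must match the writer's own label, so
--    each user inserts rows at their own level. BOB cannot write the SECRET
--    SALARY column at all and must leave it NULL.
-- run as ALICE:
INSERT INTO hr.payroll (emp_id, emp_name, owner_id, salary, row_label)
  VALUES (1, 'Ada', 'ALICE', 9000.00, SECLABEL_BY_NAME('PAYROLL_POLICY', 'SECRET'));
-- run as BOB:
INSERT INTO hr.payroll (emp_id, emp_name, owner_id)
  VALUES (2, 'Bryn', 'BOB');                    -- row takes BOB's write label: UNCLASSIFIED
-- Effect: as BOB, SELECT emp_id, emp_name FROM hr.payroll returns only row 2,
-- and any statement that touches SALARY is rejected because he holds no label
-- covering that column. As ALICE, SELECT * returns both rows.

-- 5. A view as the second content filter. Grant SELECT on the view and never on
--    the base table, so a direct query cannot bypass the column and row filter.
CREATE VIEW hr.my_payroll AS
  SELECT emp_id, emp_name                        -- SALARY is not exposed through the view
    FROM hr.payroll
   WHERE owner_id = SESSION_USER                 -- each user sees only rows owned by their own ID
  WITH CHECK OPTION;                             -- writes through the view must keep satisfying the WHERE
GRANT SELECT ON hr.my_payroll TO ROLE hr_analyst;
```

The two mechanisms fail differently, which matters for a design review. A view is only as strong as the absence of grants on the base table: a user who acquires SELECT on HR.PAYROLL directly, or who holds DATAACCESS or DBADM, reads every row and column regardless of the view. LBAC is enforced by the database manager on the table itself, so the same labels apply whether the data is reached through the view, a direct query, or a utility, and the label checks are not bypassed by those authorities.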

1 comment:

  1. The IBM DB2 database is mostly used in banking-sector companies. But a lot of hackers can hack the data. So DataSunrise provides a security package for the DB2 database. For more information, please visit the website: https://www.datasunrise.com/security/ibm-db2/
