Administrative and Install Level Authorities

February 07, 2017

One big change in DB2 12 is the new install SYSOPR authority. Giving systems programmers install SYSOPR instead of SYSADM lets them install or migrate DB2 without having access to user objects and user data.

With this in mind, whether you're new to DB2 security or just need a refresher, the following explains DB2 privileges, groups of privileges (called administrative authorities), and the install administrative authorities that are set through system parameters.

Access is controlled within DB2 by granting or revoking privileges, and the administrative authorities built from them, to an authorization ID or role. A privilege enables its holder to perform a specific operation, sometimes on a specific object.

Privileges can be explicit or implicit. An explicit privilege is a specific, named privilege that is conferred or removed by a GRANT or REVOKE statement. For example, the SELECT privilege on a table or view is an explicit privilege granted to an authorization ID or role so that it can read data from the table.

An implicit privilege comes from ownership of an object, including plans and packages. For example, when a table is created, its owner is implicitly authorized to use the SELECT statement to read data from that table, and is also authorized to GRANT the SELECT privilege on the table to another authorization ID or role. No GRANT statement is ever executed for these ownership privileges.

An administrative authority is a set of privileges, often covering a related set of objects. Authorities often include privileges that are not explicit: they have no name and cannot be granted individually. For example, an ID that is granted the SYSOPR administrative authority implicitly gains the ability to terminate any utility job.
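The three kinds of privilege above, written out as DB2 for z/OS SQL. This is an added example, not code from the original post; the schema APPOWN, the table ORDERS, the authorization IDs RPTUSER and OPS_TEAM, and the role ORDER_ENTRY are assumed names.

```sql
-- Added example; APPOWN, ORDERS, RPTUSER, ORDER_ENTRY and OPS_TEAM are assumed names.

-- Implicit privilege: APPOWN creates the table and, as its owner, holds every
-- privilege on it (SELECT included) and may grant those privileges to others.
-- No GRANT runs and no row is written to SYSIBM.SYSTABAUTH for the owner.
CREATE TABLE APPOWN.ORDERS (
  ORDER_ID  INTEGER       NOT NULL,
  CUST_ID   INTEGER       NOT NULL,
  AMOUNT    DECIMAL(11,2) NOT NULL
);

-- Explicit privilege: a named privilege recorded by GRANT.
GRANT SELECT ON TABLE APPOWN.ORDERS TO RPTUSER;

-- Explicit privileges to a role; WITH GRANT OPTION lets the role pass them on.
CREATE ROLE ORDER_ENTRY;
GRANT SELECT, INSERT ON TABLE APPOWN.ORDERS TO ROLE ORDER_ENTRY WITH GRANT OPTION;

-- REVOKE removes only the explicit grant; APPOWN keeps its ownership privileges.
REVOKE SELECT ON TABLE APPOWN.ORDERS FROM RPTUSER;

-- Administrative authority: one GRANT confers a bundle of privileges, some of
-- them unnamed (for SYSOPR, for example, terminating any utility job).
GRANT SYSOPR TO OPS_TEAM;

-- Check: explicit table privileges show up as rows. 'Y' = held, 'G' = held
-- with grant option, blank = not held; GRANTEETYPE is 'L' for a role and
-- blank for an authorization ID. The owner is not a row here; it is the
-- OWNER column of SYSIBM.SYSTABLES.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, SELECTAUTH, INSERTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'APPOWN' AND TTNAME = 'ORDERS';
```

After the REVOKE, the query returns only the ORDER_ENTRY row; RPTUSER no longer appears, and APPOWN never did, which is why an audit that reads only SYSTABAUTH misses owners.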

DB2 privileges, granted and revoked with the DCL GRANT and REVOKE statements, cover these areas:
  • Collection
  • Function or procedure
  • Schema
  • Sequence
  • System
  • Table or view
  • Type or JAR file
  • Variable
  • Use (of buffer pools, storage groups and table spaces)

Within DB2, privileges are grouped into administrative authorities, and each administrative authority contains a specific set of privileges.

These are administrative authorities with system privileges:
  • ACCESSCTRL
  • DATAACCESS
  • DBADM
  • SQLADM
  • SYSADM
  • SYSCTRL
  • SYSOPR

These authorities are assigned to an authorization ID, a role, or PUBLIC with the system-privilege form of GRANT. Only DBADM, ACCESSCTRL and DATAACCESS take the ON SYSTEM clause; SYSADM, SYSCTRL, SYSOPR and SQLADM are granted without it:

GRANT DBADM | ACCESSCTRL | DATAACCESS ON SYSTEM TO authorization-id | role | PUBLIC
GRANT SYSADM | SYSCTRL | SYSOPR | SQLADM TO authorization-id | role | PUBLIC

There are three administrative authorities with database privileges:
  • DBADM
  • DBCTRL
  • DBMAINT

These authorities are assigned to an authorization ID, a role, or PUBLIC for one named database using this GRANT statement:

GRANT DBADM | DBCTRL | DBMAINT ON DATABASE db-name TO authorization-id | role | PUBLIC

A single administrative authority, PACKADM, has collection privileges. PACKADM is assigned to an authorization ID, a role, or PUBLIC for one collection using this GRANT statement:

GRANT PACKADM ON COLLECTION collection-id TO authorization-id | role | PUBLIC
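The three GRANT forms in practice, followed by the catalog queries a reviewer runs to see who holds which authority. This is an added example, not from the original post; the IDs DBA_LEAD, BATCH_ETL and PAY_SUPPORT, the roles PERF_ROLE, DBA_ROLE and DEPLOY_ROLE, the database PAYDB and the collection PAYCOLL are assumed names. The keyword order of the WITHOUT DATAACCESS / WITHOUT ACCESSCTRL options and the SYSUSERAUTH column names for the DB2 10 authorities (SQLADMAUTH, SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH) are given as I recall them and should be checked against the SQL and catalog reference for your release.

```sql
-- Added example; DBA_LEAD, PERF_ROLE, DBA_ROLE, BATCH_ETL, PAY_SUPPORT,
-- DEPLOY_ROLE, PAYDB and PAYCOLL are assumed names.

-- System authorities. Only DBADM, ACCESSCTRL and DATAACCESS take ON SYSTEM.
-- A systems programmer gets install SYSOPR through ZPARMs instead (no GRANT).
GRANT SYSCTRL TO DBA_LEAD;
GRANT SQLADM  TO ROLE PERF_ROLE;
-- System DBADM without the data-access and access-control pieces: the
-- least-privilege form for a DBA who must not read user data.
-- (Option keyword order assumed; check the GRANT syntax diagram.)
GRANT DBADM WITHOUT DATAACCESS WITHOUT ACCESSCTRL ON SYSTEM TO ROLE DBA_ROLE;
GRANT DATAACCESS ON SYSTEM TO BATCH_ETL;

-- Database authorities are scoped to one database.
GRANT DBCTRL  ON DATABASE PAYDB TO PAY_SUPPORT;
GRANT DBMAINT ON DATABASE PAYDB TO ROLE DEPLOY_ROLE;

-- Collection authority.
GRANT PACKADM ON COLLECTION PAYCOLL TO ROLE DEPLOY_ROLE;

-- Who holds system-level authorities granted with GRANT?
-- 'Y' = held, 'G' = held with grant option, blank = not held.
-- GRANTEE 'PUBLIC' means everyone; GRANTEETYPE 'L' marks a role.
-- (Column names for the DB2 10 authorities assumed; see lead-in.)
SELECT GRANTEE, GRANTEETYPE, GRANTOR,
       SYSADMAUTH, SYSCTRLAUTH, SYSOPRAUTH, SQLADMAUTH,
       SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH     <> ' ' OR SYSCTRLAUTH    <> ' ' OR SYSOPRAUTH     <> ' '
    OR SQLADMAUTH     <> ' ' OR SDBADMAUTH     <> ' '
    OR DATAACCESSAUTH <> ' ' OR ACCESSCTRLAUTH <> ' ';

-- Who holds database authorities on PAYDB?
SELECT GRANTEE, GRANTEETYPE, GRANTOR, DBADMAUTH, DBCTRLAUTH, DBMAINTAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE NAME = 'PAYDB';
```

One caveat matters for any audit built on these queries: install SYSADM, install SYSOPR and SECADM are set in subsystem parameters, not by GRANT, so they never appear in SYSUSERAUTH or SYSDBAUTH. A complete picture of who can administer the subsystem has to join the catalog results with the current ZPARM values.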

INSTALL SYSADM, SYSOPR, SECADM

In addition to administrative authorities assigned using GRANT, DB2 has special administrative authorities assigned using installation system parameters. These are:
  • SYSADM
  • SYSOPR (new with DB2 12)
  • SECADM

These install administrative authorities are set on the DSNTIPP1 installation panel.

The system parameters used to set the SYSADM installation authority are SYSADM1 and SYSADM2. The value of each field is an authorization ID, which can be a primary authorization ID or a secondary (group) authorization ID.

The system parameters used to set the SYSOPR installation authority are SYSOPR1 and SYSOPR2. As with install SYSADM, the value of each field is an authorization ID, either a primary authorization ID or a secondary (group) authorization ID.

SECADM, the administrative authority with security privileges, CANNOT be assigned using the DCL GRANT statement. The only way to assign SECADM is through system parameters, also known as ZPARMs. Several system parameters together define up to two SECADMs for a given subsystem. Each SECADM can be either an authorization ID or a role: the holder is set with the SECADM1 and SECADM2 system parameters, and the kind of holder is specified with SECADM1_TYPE and SECADM2_TYPE, which take the value AUTHID or ROLE.
