Hi-
Is there any way of restricting access to a database by application &
account? For example, I only want the application APP1 to access the
database using the USER1 account. I've tried to use the DB2 Governor to
do this, but it seems it always allows the first query to be
processed before forcing the connection. Here is my db2gov config
file:
--- start config
interval 1; dbname sample; account 30;
desc "Force any USER1 account access"
authid USER1
setlimit rowsread 1 idle 1 cpu 1 rowssel 1 uowtime 1
action force;
desc "Allow USER1 user from APP1"
authid USER1
applname APP1
setlimit rowsread -1 idle -1 cpu -1 rowssel -1 uowtime -1;
--- end config
Is there any other way of accomplishing this?
Thanks,
Todd
I think your second rule negates the first.
Values of -1 mean ignore whatever rules for limits specified before. In
your case, rowsread, idle, cpu, rowssel and uowtime previously set limits
are ignored because of the last rule.
The way you have set the rule (1) it forces the USER1 if it is logged on.
The way rule (2) is set, it negates rule (1) and then forces only if USER1
uses APP1 but not USER1 if it uses another appl.
If you only want USER1 and APP1 to access, then remove authid USER1 line
from rule (1). This will force any other id using any other appl.
Then rule (2) will allow USER1 using only APP1
Add a rule with the same restriction as your rule (2) but remove the
applname limit and change the authid to specify the DBA's and SYSADMIN's id.
This way, everybody gets forced off except USER1 and the DBA's and/or
SYSADMIN. It should look like this:
--- start config
interval 1; dbname sample; account 30;
desc "Force any BODY off account access"
setlimit rowsread 1 idle 1 cpu 1 rowssel 1 uowtime 1
action force;
desc "Allow USER1 user from APP1"
authid USER1
applname APP1
setlimit rowsread -1 idle -1 cpu -1 rowssel -1 uowtime -1;
desc "Let DBA's and SYSADMIN on"
authid <dbas>, <sysadmins>
setlimit rowsread -1 idle -1 cpu -1 rowssel -1 uowtime -1;
--- end config
Also note that the connection will most of the time be honored and some work
may start as the governor may not be "awake" as the connection starts.
HTH, Pierre.
--
Pierre Saint-Jacques
SES Consultants Inc.
514-737-4515
Pierre-
Thanks for the reply. I apologize for not making myself clear. I didn't
want to restrict access to the database only to that userid and
application, I wanted to restrict access in such a way that only USER1
would be able to access with that specific APP1 application, any other
application that attempted to access with the USER1 account would be
immediately forced or otherwise denied access. Other accounts would
have free access using any application.
Your last comment indicates that the governor won't work, and my tests
show the same thing: a small portion of work will be done before the
governor forces the application, even including returning a full result
set if the query is < 1 second. I'd like to completely deny access to
USER1 if they attempt to connect with any other application other than
APP1. Is there any way to do this?
Thanks,
Todd
Not that I can think of for the moment but let me ponder.
Regards, Pierre.
--
Pierre Saint-Jacques
SES Consultants Inc.
514-737-4515
You haven't stated how APP1 accesses the database.
USER1 can access the database using one of two access authorizations.
1. USER1 was granted access to the tables.
2. USER1 is granted USE of a bound package that has authority to access
the database. This technique is usually used with static SQL. The
package binder has the authorities to the underlying tables which the
user has no direct access to. Access to the package can be limited to
USER1 so others can't do what that user is authorized to do. USER1 is
not given any access to other packages accessing the database, or the
underlying tables.
The second case does not restrict access from the package binder. This
would normally be a dba who would have access to the tables anyway.
Phil Sherman
For LUW, it's GRANT EXECUTE, not USE on package.
-Eugene
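The package-based approach from Phil Sherman's reply, using the GRANT EXECUTE syntax from Eugene's correction, as an added example that is not part of the original thread. APPSCHEMA, ORDERS, APP1PKG, BINDER and app1.bnd are hypothetical names, and it assumes APP1 uses static SQL bound into that package.

```sql
-- Added illustration. APPSCHEMA, ORDERS, APP1PKG, BINDER and app1.bnd are
-- hypothetical names; USER1 and APP1 are the names used in the thread.

-- 1. Take away USER1's direct table privileges, so SQL issued by USER1 from
--    any other program is rejected at authorization time instead of being
--    forced by the governor after the fact.
--    (Returns an error if USER1 holds no privilege on the table.)
REVOKE ALL ON TABLE APPSCHEMA.ORDERS FROM USER USER1;

-- 2. Bind APP1's static SQL under an ID that does hold the table privileges.
--    This is a CLP command, not SQL, run by the binder:
--      db2 BIND app1.bnd COLLECTION APPSCHEMA OWNER BINDER QUALIFIER APPSCHEMA

-- 3. Let USER1 run the package and nothing else.
GRANT EXECUTE ON PACKAGE APPSCHEMA.APP1PKG TO USER USER1;

-- 4. Check that no table privilege reaches USER1 directly or via PUBLIC.
--    Privileges held through a group show up under the group name.
SELECT GRANTEE, GRANTEETYPE, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'APPSCHEMA' AND TABNAME = 'ORDERS'
   AND GRANTEE IN ('USER1', 'PUBLIC');

-- 5. Check who may execute the package.
SELECT GRANTEE, GRANTEETYPE, EXECUTEAUTH
  FROM SYSCAT.PACKAGEAUTH
 WHERE PKGSCHEMA = 'APPSCHEMA' AND PKGNAME = 'APP1PKG';
```

USER1 can still connect from other programs; what it loses is the ability to touch the tables outside the package. Dynamic SQL in a package bound with the default DYNAMICRULES RUN is checked against USER1's own privileges, so this arrangement only holds for static SQL.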