Bytes | Software Development & Data Engineering Community

DB2 privileges, Direct and Indirect SYSADM

Hi,

I am having the following issues while trying to restrict the current
user from creating any objects.
Below are the privileges for the user and the response when I try to create
a table as that user.
Can anybody tell what is the difference between DIRECT SYSADM and
Indirect SYSADM and why Indirect SYSADM is assigned to the user by
default?

What should be done to prevent the normal user from creating any
objects?

When I try "revoke createin on schema UCLDEV1 from ucldev1", it says
that it doesn't hold the privilege.

Also, this user is a member of staff and db2grp1, and whenever I try to
do "revoke createtab on database from db2grp1", it again says that
"db2grp1 doesn't hold that privilege".

What should be done?

$ db2 get authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = NO
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = NO
Direct IMPLICIT_SCHEMA authority = NO
Direct LOAD authority = NO
Direct QUIESCE_CONNECT authority = NO
Direct CREATE_EXTERNAL_ROUTINE authority = NO
Direct SYSMON authority = NO

Indirect SYSADM authority = YES
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = YES
Indirect CONNECT authority = YES
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO

$ db2
(c) Copyright IBM Corporation 1993,2002
Command Line Processor for DB2 ADCL 9.1.2

You can issue database manager commands and SQL statements from the command
prompt. For example:
db2 => connect to sample
db2 => bind sample.bnd

For general help, type: ?.
For command help, type: ? command, where command can be
the first few keywords of a database manager command. For example:
? CATALOG DATABASE for help on the CATALOG DATABASE command
? CATALOG for help on all of the CATALOG commands.

To exit db2 interactive mode, type QUIT at the command prompt. Outside
interactive mode, all commands must be prefixed with 'db2'.
To list the current command option settings, type LIST COMMAND OPTIONS.

For more detailed help, refer to the Online Reference Manual.

db2 => create table ucldev1.test12( var Integer)
DB20000I The SQL command completed successfully.
db2 => drop table ucldev1.test12
DB20000I The SQL command completed successfully.

Aug 22 '07 #1
Rahul B wrote:
> Hi,
>
> I am having the following issues while trying to restrict the current
> user from creating any objects.
> Below are the privileges for the user and the response when I try to create
> a table as that user.
> Can anybody tell what is the difference between DIRECT SYSADM and
> Indirect SYSADM and why Indirect SYSADM is assigned to the user by
> default?

Indirect authorizations are authorizations that the user holds due to group
memberships. Since SYSADM etc. are defined via groups in the DBM CFG, a
user may have this authorization indirectly. (And not all users are SYSADM
by default.)

> What should be done to prevent the normal user from creating any
> objects?

Revoke the respective privileges, for example CREATETAB, CREATEIN from the
user and all groups that the user belongs to. Note that each user belongs
automatically to the group PUBLIC. Furthermore, if a user has SYSADM
authorization, he can do pretty much anything anyway.

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Aug 22 '07 #2
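The catalog checks and revokes below are an added example, not code from the thread, written for the situation Knut describes: a privilege can reach a user directly, through each of its groups, or through PUBLIC, and a REVOKE against a grantee that was never granted the privilege fails with the "does not hold the privilege" message quoted in the question. The names UCLDEV1, STAFF and DB2GRP1 come from the post; everything else assumes a DB2 9.x for LUW database and an id with DBADM or SYSADM authority running the statements through the CLP with `-t` (semicolon terminator).

```sql
-- Added example, not code from the thread. Assumed: DB2 9.x for LUW, the
-- user UCLDEV1 with groups STAFF and DB2GRP1 from the post, statements run
-- by an id holding DBADM or SYSADM. The catalog stores authorization ids in
-- upper case, so the WHERE clauses compare against upper-case names.

-- 1. Database-level privileges and where they come from: GRANTEETYPE 'U'
--    is a direct grant to the user, 'G' is a group (PUBLIC is listed as a
--    group). A 'Y' in CREATETABAUTH or IMPLSCHEMAAUTH on any of these rows
--    is enough to create tables; the 'G' rows are what GET AUTHORIZATIONS
--    reports as "Indirect".
SELECT grantee, granteetype, createtabauth, implschemaauth,
       bindaddauth, connectauth, dbadmauth
  FROM syscat.dbauth
 WHERE grantee IN ('UCLDEV1', 'STAFF', 'DB2GRP1', 'PUBLIC');

-- 2. Schema-level privileges on the UCLDEV1 schema for the same grantees.
SELECT grantee, granteetype, createinauth, alterinauth, dropinauth
  FROM syscat.schemaauth
 WHERE schemaname = 'UCLDEV1'
   AND grantee IN ('UCLDEV1', 'STAFF', 'DB2GRP1', 'PUBLIC');

-- 3. Revoke at every level for which the queries showed a 'Y'. A REVOKE
--    against a grantee that never received the privilege fails with
--    SQL0556N, the "does not hold the privilege" error in the question, so
--    revoke only what the catalog reports. Spelling out USER / GROUP avoids
--    the ambiguity of a bare name that exists as both.
REVOKE CREATETAB, IMPLICIT_SCHEMA ON DATABASE FROM USER ucldev1;
REVOKE CREATETAB, IMPLICIT_SCHEMA ON DATABASE FROM GROUP db2grp1;
REVOKE CREATETAB, IMPLICIT_SCHEMA ON DATABASE FROM GROUP staff;
REVOKE CREATETAB, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
REVOKE CREATEIN, ALTERIN, DROPIN ON SCHEMA ucldev1 FROM USER ucldev1;
REVOKE CREATEIN, ALTERIN, DROPIN ON SCHEMA ucldev1 FROM PUBLIC;

-- 4. Re-run the two SELECTs: the CREATETAB, IMPLSCHEMA and CREATEIN columns
--    for these grantees should now all read 'N'. If the user can still
--    create tables afterwards, the remaining path is SYSADM through group
--    membership (SYSADM_GROUP in the DBM CFG), which no REVOKE removes.
```

The point of step 1 is that the output in the question already shows the answer: every Indirect CREATETAB, IMPLICIT_SCHEMA and CREATEIN line reads NO, so there is nothing for the REVOKEs to remove, yet the CREATE TABLE succeeded because Indirect SYSADM reads YES. That authority is decided by membership in the SYSADM group, not by anything in the catalog.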
Thanks Knut,

One more issue.
If I create a schema (SchemaA) and give authorization of that schema to
a particular user (A).
That way, the user A will be given Direct SYSADM and Direct DBADM
privileges.
But later on, I decide that I should not allow A to create objects in
SchemaA.

Is it possible for me to revoke the privilege to create new objects
from A (even though when I created the SchemaA, I made A the owner of
the schema)?
In other words, can I change the authorization of schemaA from user A
to Admn user, after the schema has been created?

Thanks.

Rahul
Is it possible to revoke

Aug 22 '07 #3
Rahul B wrote:
> If I create a schema (SchemaA) and give authorization of that schema to
> a particular user (A).
> That way, the user A will be given Direct SYSADM and Direct DBADM
> privileges.

What do you mean with "that way"? The user doesn't get SYSADM and/or DBADM
authorization just because you gave him/her some privileges on a schema.

> But later on, I decide that I should not allow A to create objects in
> SchemaA.
>
> Is it possible for me to revoke the privilege to create new objects
> from A (even though when I created the SchemaA, I made A the owner of
> the schema)?
> In other words, can I change the authorization of schemaA from user A
> to Admn user, after the schema has been created?

You can use the TRANSFER OWNERSHIP statement to transfer the ownership of a
schema from one user to another.

p.s.: I get the feeling that authorizations and privileges are not very clear
yet for you.

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Aug 22 '07 #4
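The TRANSFER OWNERSHIP statement Knut points to, as an added example rather than anything posted in the thread. The schema name SCHEMAA, the creator A and the new owner ADMN are placeholders taken from Rahul's description; the statements assume DB2 9.1 or later for LUW (TRANSFER OWNERSHIP and the OWNER column of SYSCAT.SCHEMATA appeared in 9.1) and are run either by the current owner of the schema or by an id holding SECADM authority.

```sql
-- Added example, not code from the thread. Assumed: DB2 9.1+ for LUW,
-- schema SCHEMAA created by user A, administrative id ADMN (placeholder
-- names from the post), run by the current owner or an id with SECADM.

-- Before: confirm who owns the schema. DEFINER records who issued the
-- CREATE SCHEMA; OWNER is what TRANSFER OWNERSHIP changes.
SELECT schemaname, owner, definer
  FROM syscat.schemata
 WHERE schemaname = 'SCHEMAA';

-- Hand the schema to the administrative id. PRESERVE PRIVILEGES is a
-- required clause: the previous owner keeps any explicit privileges it
-- held, which is why the REVOKE below is still needed afterwards.
TRANSFER OWNERSHIP OF SCHEMA schemaa TO USER admn PRESERVE PRIVILEGES;

-- A is no longer the owner, so the CREATEIN/ALTERIN/DROPIN privileges DB2
-- granted to A when the schema was created can now be taken away without
-- leaving an owner who cannot manage its own schema.
REVOKE CREATEIN, ALTERIN, DROPIN ON SCHEMA schemaa FROM USER a;

-- After: OWNER should now read ADMN, and A should have no row left in
-- SYSCAT.SCHEMAAUTH for this schema.
SELECT schemaname, owner
  FROM syscat.schemata
 WHERE schemaname = 'SCHEMAA';

SELECT grantee, createinauth, alterinauth, dropinauth
  FROM syscat.schemaauth
 WHERE schemaname = 'SCHEMAA'
   AND grantee = 'A';
```

Transferring ownership changes who is treated as the owner of the schema and its dependent objects; it does not by itself remove anything the old owner could do, so the REVOKE and the final check against SYSCAT.SCHEMAAUTH are the part that actually enforces the restriction.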
Yes,
I have started working on DB2 only recently, and I am not very clear
on authorization and privileges.

Rahul

Aug 22 '07 #5
So,

SYSADM is not a database level privilege, it's an instance wide
authorization level. It is not granted, it is defined in the database
manager configuration. Check out the GET DBM CFG and UPDATE DBM CFG
commands (parameter is SYSADM_GROUP).

DBADM is a database privilege, and can be granted and revoked.

On a per schema level, you can grant CREATE, ALTER, DROP of objects in
that schema. Those privileges can be revoked. Worth noting is that
the user will maintain some privileges, notably CONTROL, on the tables
they created. That will have to be revoked separately on a table-by-table
basis.

/T


Aug 23 '07 #6
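Two of the points /T makes, worked through as an added example (not the thread's own code): SYSADM is set in the database manager configuration rather than granted, so it never appears in the catalog, and CONTROL stays with the creator of each table after the schema-level privileges are gone. The user UCLDEV1 and the table UCLDEV1.TEST12 come from the first post; the rest assumes a DB2 9.x for LUW database and an id with DBADM or SYSADM authority. The GET DBM CFG check is the CLP command /T names, shown in a comment because it is typed at the shell, not as SQL.

```sql
-- Added example, not code from the thread. Assumed: DB2 9.x for LUW, user
-- UCLDEV1 and table UCLDEV1.TEST12 from the first post, run by an id with
-- DBADM or SYSADM authority.

-- SYSADM is not stored in the catalog: it is the operating-system group
-- named by SYSADM_GROUP in the database manager configuration. From the
-- shell:
--     db2 get dbm cfg | grep -i sysadm_group
-- Every member of that OS group shows "Indirect SYSADM authority = YES" in
-- GET AUTHORIZATIONS and is not restricted by any REVOKE; the only way to
-- take it away is to remove the id from that group (or change the group).

-- DBADM, by contrast, is a database authority that is granted and revoked,
-- so its holders are visible here.
SELECT grantee, granteetype
  FROM syscat.dbauth
 WHERE dbadmauth = 'Y';

-- Tables in the schema on which the user still holds CONTROL. DB2 grants
-- CONTROL to the creator of each table (GRANTOR = SYSIBM), so these rows
-- survive a REVOKE of CREATEIN or CREATETAB.
SELECT tabschema, tabname, grantor
  FROM syscat.tabauth
 WHERE tabschema = 'UCLDEV1'
   AND grantee = 'UCLDEV1'
   AND granteetype = 'U'
   AND controlauth = 'Y';

-- Per-table revoke. REVOKE CONTROL removes only CONTROL; the individual
-- table privileges that came with it (SELECT, INSERT, UPDATE, DELETE,
-- ALTER, INDEX, REFERENCES) remain unless revoked as well, hence the
-- second statement.
REVOKE CONTROL ON TABLE ucldev1.test12 FROM USER ucldev1;
REVOKE ALL ON TABLE ucldev1.test12 FROM USER ucldev1;

-- With many tables, let the catalog write the statements. Save the output
-- to a file, review it, and run it with: db2 -tvf revokes.sql
SELECT 'REVOKE ALL ON TABLE ' || RTRIM(tabschema) || '.' || RTRIM(tabname)
       || ' FROM USER ' || RTRIM(grantee) || ';' AS stmt
  FROM syscat.tabauth
 WHERE tabschema = 'UCLDEV1'
   AND grantee = 'UCLDEV1'
   AND granteetype = 'U'
   AND controlauth = 'Y';
```

Re-running the CONTROL query after the revokes should return no rows; if the user can still alter or drop those tables, check the DBM CFG line first, since SYSADM or DBADM membership makes the table-level state irrelevant.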
