
Newbie question - why no create user in DB2?

cmc
Hi, I'm new to DB2 (from an Oracle background) and have some fundamental
questions.

In Oracle, you create a user account "within the database" to let the user
log on to the database. There is no tie between the Unix account (or other
operating system) and the Oracle user account - being able to log on to the server
machine does not mean you can log on to the database implicitly.

However, I notice that there is no account creation in DB2 v8 UDB server.
1. So am I correct to say that everyone who has a valid Unix (or any O/S)
account on the DB2 server machine will be able to connect to the database
(authentication=SERVER)?
2. What if I only want a few Unix users to be able to log on to the database to do
their job? In other words, how do I restrict the implicit authentication
(based on the O/S) to only a few users?

Looks like my concept with oracle does not apply to DB2. Hope someone can
help. Thanks
Tom
Nov 12 '05 #1
4 Replies


DB2 does not have internal authentication ... authentication is provided
by the OS. But authorization IS provided by DB2 (as it is with other
RDBMSes). So once you are authenticated by the OS and by DB2, you must
use the internal authorization facilities of DB2 to grant access for
that user to objects, packages, etc.

Answers below.

cmc wrote:
> Hi, I'm new to DB2 (from an Oracle background) and have some fundamental
> questions.
>
> In Oracle, you create a user account "within the database" to let the user
> log on to the database. There is no tie between the Unix account (or other
> operating system) and the Oracle user account - being able to log on to the server
> machine does not mean you can log on to the database implicitly.
>
> However, I notice that there is no account creation in DB2 v8 UDB server.
> 1. So am I correct to say that everyone who has a valid Unix (or any O/S)
> account on the DB2 server machine will be able to connect to the database
> (authentication=SERVER)?

No. You must either have a privilege to connect.

> 2. What if I only want a few Unix users to be able to log on to the database to do
> their job? In other words, how do I restrict the implicit authentication
> (based on the O/S) to only a few users?

There is no implicit authorization for "normal" users. If they are
sysadmin, that is a different story. But for just plain old users, they
must be given the right privilege in DB2. See the GRANT command.

> Looks like my concept with oracle does not apply to DB2. Hope someone can
> help. Thanks
> Tom

Larry Edelstein
Nov 12 '05 #2

Larry wrote:
> DB2 does not have internal authentication ... authentication is provided
> by the OS. But authorization IS provided by DB2 (as it is with other
> RDBMSes). So once you are authenticated by the OS and by DB2, you must
> use the internal authorization facilities of DB2 to grant access for
> that user to objects, packages, etc.


The basic, underlying idea in DB2 is to not have two instances that are
responsible for authentication (OS and DBMS). To further support that
approach you can implement your own user exit that does the authentication
in whichever way you like.

--
Knut Stolze
Information Integration
IBM Germany / University of Jena
Nov 12 '05 #3

cmc
I assume the first point refers to central User Authentication management.

But I do not quite understand the second point. Can you further elaborate?

Do you mean the application developer can use a USER Exit to call the
authentication API of the OS (or an API facility like LDAP)?

Thanks
Tom

"Knut Stolze" <st****@de.ibm.com> wrote in message
news:d3**********@fsuj29.rz.uni-jena.de...
> Larry wrote:
>> DB2 does not have internal authentication ... authentication is provided
>> by the OS. But authorization IS provided by DB2 (as it is with other
>> RDBMSes). So once you are authenticated by the OS and by DB2, you must
>> use the internal authorization facilities of DB2 to grant access for
>> that user to objects, packages, etc.
>
> The basic, underlying idea in DB2 is to not have two instances that are
> responsible for authentication (OS and DBMS). To further support that
> approach you can implement your own user exit that does the authentication
> in whichever way you like.
>
> --
> Knut Stolze
> Information Integration
> IBM Germany / University of Jena

Nov 12 '05 #4

cmc wrote:
> I assume the first point refers to central User Authentication management.
>
> But I do not quite understand the second point. Can you further elaborate?
>
> Do you mean the application developer can use a USER Exit to call the
> authentication API of the OS (or an API facility like LDAP)?
>
> Thanks
> Tom
>
> "Knut Stolze" <st****@de.ibm.com> wrote in message
> news:d3**********@fsuj29.rz.uni-jena.de...
>> Larry wrote:
>>> DB2 does not have internal authentication ... authentication is provided
>>> by the OS. But authorization IS provided by DB2 (as it is with other
>>> RDBMSes). So once you are authenticated by the OS and by DB2, you must
>>> use the internal authorization facilities of DB2 to grant access for
>>> that user to objects, packages, etc.
>>
>> The basic, underlying idea in DB2 is to not have two instances that are
>> responsible for authentication (OS and DBMS). To further support that
>> approach you can implement your own user exit that does the authentication
>> in whichever way you like.
>>
>> --
>> Knut Stolze
>> Information Integration
>> IBM Germany / University of Jena


Not the app-developer, but the DBA can set it up.
Search for "Security Plugin" in Information Center

Cheers
Serge
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Nov 12 '05 #5
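
The restriction asked about in the first post, written out as an added example that is not part of any poster's message: audit who holds the CONNECT authority, remove it from PUBLIC, and grant it only to the OS users or groups that need it. The group APPUSERS, the user TOM and the table SALES.ORDERS are hypothetical names.

```sql
-- Added example; APPUSERS, TOM and SALES.ORDERS are hypothetical names.
-- Run while connected to the target database with an ID that may grant and
-- revoke database authorities (SYSADM or DBADM on DB2 v8).

-- 1. Audit: which grantees can connect today?
--    A row with GRANTEE = 'PUBLIC' and CONNECTAUTH = 'Y' means every ID the
--    operating system can authenticate is also allowed to connect.
--    CREATE DATABASE issues that grant to PUBLIC by default.
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH, DBADMAUTH
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y'
    OR DBADMAUTH = 'Y';

-- 2. Remove the database-wide CONNECT authority from PUBLIC.
REVOKE CONNECT ON DATABASE FROM PUBLIC;

-- 3. Grant CONNECT only where it is needed. Groups are OS groups, so
--    membership is still managed outside DB2; the authorization is not.
GRANT CONNECT ON DATABASE TO GROUP APPUSERS;
GRANT CONNECT ON DATABASE TO USER TOM;

-- 4. CONNECT alone gives no access to data. Object privileges are
--    granted separately, per table, view, package and so on.
GRANT SELECT ON TABLE SALES.ORDERS TO GROUP APPUSERS;

-- 5. Verify: PUBLIC should no longer appear in this result.
SELECT GRANTEE, GRANTEETYPE
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y';
```

Members of the instance's SYSADM group keep their access regardless of these grants, which is the "different story" mentioned in reply #2.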
