DB2 privileges, Direct and Indirect SYSADM

Hi,

I am having the following issues while trying to restrict the current
user from creating any objects.
Below are the privileges for the user and the response when I try to create
a table in that user.
Can anybody tell what is the difference between DIRECT SYSADM and
Indirect SYSADM and why Indirect SYSADM is assigned to user by
default.

What should be done to prevent the normal user from creating any
objects?

When I try "revoke createin on schema UCLDEV1 from ucldev1", it says
that it doesn't hold the privilege.

Also, this user is a member of staff and db2grp1, and whenever I try to
do "revoke createtab on database from db2grp1", it again says that
"db2grp1 doesn't hold that privilege"

What should be done?

$ db2 get authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = NO
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = NO
Direct IMPLICIT_SCHEMA authority = NO
Direct LOAD authority = NO
Direct QUIESCE_CONNECT authority = NO
Direct CREATE_EXTERNAL_ROUTINE authority = NO
Direct SYSMON authority = NO

Indirect SYSADM authority = YES
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = YES
Indirect CONNECT authority = YES
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO

$ db2
(c) Copyright IBM Corporation 1993,2002
Command Line Processor for DB2 ADCL 9.1.2

You can issue database manager commands and SQL statements from the
command
prompt. For example:
db2 => connect to sample
db2 => bind sample.bnd

For general help, type: ?.
For command help, type: ? command, where command can be
the first few keywords of a database manager command. For example:
? CATALOG DATABASE for help on the CATALOG DATABASE command
? CATALOG for help on all of the CATALOG commands.

To exit db2 interactive mode, type QUIT at the command prompt. Outside
interactive mode, all commands must be prefixed with 'db2'.
To list the current command option settings, type LIST COMMAND
OPTIONS.

For more detailed help, refer to the Online Reference Manual.

db2 => create table ucldev1.test12(var Integer)
DB20000I The SQL command completed successfully.
db2 => drop table ucldev1.test12
DB20000I The SQL command completed successfully.

Aug 22 '07 #1
Rahul B wrote:
> Hi,
>
> I am having the following issues while trying to restrict the current
> user from creating any objects.
> Below are the privileges for the user and the response when I try to create
> a table in that user.
> Can anybody tell what is the difference between DIRECT SYSADM and
> Indirect SYSADM and why Indirect SYSADM is assigned to user by
> default.

Indirect authorizations are authorizations that the user holds due to group
memberships. Since SYSADM etc. are defined via groups in the DBM CFG, a
user may have this authorization indirectly. (And not all users are SYSADM
by default.)

> What should be done to prevent the normal user from creating any
> objects?

Revoke the respective privileges, for example CREATETAB, CREATEIN from the
user and all groups that the user belongs to. Note that each user belongs
automatically to the group PUBLIC. Furthermore, if a user has SYSADM
authorization, he can do pretty much anything anyway.

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Aug 22 '07 #2
Thanks Knut,

One more issue.
If I create a schema (SchemaA) and give authorization of that schema to
a particular user (A).
That way, the user A will be given Direct SYSADM and Direct DBADM
privileges.
But later on, I decide that I should not allow A to create objects in
SchemaA.

Is it possible for me to revoke the privilege to create new objects
from A (even though when I created the SchemaA, I made A the owner of
the schema).
In other words, can I change the authorization of schemaA from user A
to Admn user, after the schema has been created?

Thanks.

Rahul
Is it possible to revoke

Aug 22 '07 #3
Rahul B wrote:
> If I create a schema (SchemaA) and give authorization of that schema to
> a particular user (A).
> That way, the user A will be given Direct SYSADM and Direct DBADM
> privileges.

What do you mean with "that way"? The user doesn't get SYSADM and/or DBADM
authorization just because you gave him/her some privileges on a schema.

> But later on, I decide that I should not allow A to create objects in
> SchemaA.
>
> Is it possible for me to revoke the privilege to create new objects
> from A (even though when I created the SchemaA, I made A the owner of
> the schema).
> In other words, can I change the authorization of schemaA from user A
> to Admn user, after the schema has been created?

You can use the TRANSFER OWNERSHIP statement to transfer the ownership of a
schema from one user to another.

p.s: I get the feeling that authorizations and privileges are not very clear
yet for you.

--
Knut Stolze
DB2 z/OS Utilities Development
IBM Germany
Aug 22 '07 #4
Yes,
I have started working on DB2 only recently, and I am not very clear
on authorization and privs.

Rahul

Aug 22 '07 #5
So,

SYSADM is not a database level privilege, it's an instance wide
authorization level. It is not granted, it is defined in the database
manager configuration. Check out the GET DBM CFG and UPDATE DBM CFG
commands (parameter is SYSADM_GROUP).

DBADM is a database privilege, and can be granted and revoked.

On a per schema level, you can grant CREATE, ALTER, DROP of objects in
that schema. Those privileges can be revoked. Worth noting is that
the user will maintain some privileges, notably CONTROL, on the tables
they created. That will have to be revoked separately on a table-by-
table basis.

/T

Aug 23 '07 #6
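
An added example, not part of any post in this thread: catalog queries that show where an ability to create objects actually comes from (the user, one of its groups, or PUBLIC), followed by the matching revokes. UCLDEV1, DB2GRP1 and STAFF are the names from the first post; DBADMIN1 and UCLDEV1.SOME_TABLE are hypothetical placeholders.

```sql
-- SYSADM never appears in the catalog. It comes from membership in the
-- OS group named by SYSADM_GROUP (see: db2 get dbm cfg), so no REVOKE
-- removes it; the user has to be taken out of that group. In the posted
-- output CREATETAB is NO both ways while Indirect SYSADM is YES.

-- 1. Database authorities held by the user, its groups and PUBLIC.
SELECT grantee, granteetype, dbadmauth, createtabauth,
       bindaddauth, implschemaauth
FROM   syscat.dbauth
WHERE  grantee IN ('UCLDEV1', 'DB2GRP1', 'STAFF', 'PUBLIC');

-- 2. Schema-level privileges (CREATEIN / ALTERIN / DROPIN) on the schema.
SELECT grantee, granteetype, createinauth, alterinauth, dropinauth
FROM   syscat.schemaauth
WHERE  schemaname = 'UCLDEV1';

-- 3. Current owner of the schema.
SELECT schemaname, owner
FROM   syscat.schemata
WHERE  schemaname = 'UCLDEV1';

-- 4. Tables on which the user still holds CONTROL.
SELECT tabschema, tabname
FROM   syscat.tabauth
WHERE  grantee = 'UCLDEV1' AND controlauth = 'Y';

-- Remediation: revoke only from a grantee that queries 1 and 2 returned
-- with 'Y' or 'G'; revoking from anyone else fails with "does not hold
-- the privilege", as in the first post.
REVOKE CREATETAB, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
REVOKE CREATEIN ON SCHEMA UCLDEV1 FROM USER UCLDEV1;

-- Move schema ownership to an administrator (hypothetical user DBADMIN1).
TRANSFER OWNERSHIP OF SCHEMA UCLDEV1 TO USER DBADMIN1 PRESERVE PRIVILEGES;

-- CONTROL is revoked per table, once for each row returned by query 4
-- (UCLDEV1.SOME_TABLE is a placeholder name).
REVOKE CONTROL ON TABLE UCLDEV1.SOME_TABLE FROM USER UCLDEV1;
```

Rerun `db2 get authorizations` as the restricted user afterwards; any line still showing an Indirect authority as YES points at a remaining group or PUBLIC grant.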
