I feel like an idiot for asking this, but neither I nor my DBA can figure
this out.
How do you create a database object that does not implicitly allow access by
any defined user?
For instance, I have a user who has been granted only the CONNECT privilege
to a certain database. But he is still able to do selects and updates and
other things to tables created by another user. Everything I've read
indicates this should not be allowed; that the user must be granted these
privileges explicitly. What are we missing?
================================================== ==========
About DB2 Administration Tools Environment
================================================== ==========
DB2 administration tools level:
Product identifier SQL09050
Level identifier 03010107
Level DB2 v9.5.0.808
Build level s071001
PTF NT3295
================================================== ==========
Java development kit (JDK):
Level IBM Corporation 1.5.0
================================================== ==========
Here's some more things that show what I am attempting:
connect to securedb user fswarbri using
Database Connection Information
Database server = DB2/NT 9.5.0
SQL authorization ID = FSWARBRI
Local database alias = SECUREDB
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTNAME = 'SECTEST1'
AUTHID AUTHIDTYPE PRIVILEGE GRANTABLE OBJECTSCHEMA OBJECTNAME OBJECTTYPE
------------------ ----------- --------- ------------ ---------- ----------
OPSUSER U UPDATE Y OPSUSER SECTEST1 TABLE
OPSUSER U REFERENCE Y OPSUSER SECTEST1 TABLE
OPSUSER U SELECT Y OPSUSER SECTEST1 TABLE
OPSUSER U INSERT Y OPSUSER SECTEST1 TABLE
OPSUSER U INDEX Y OPSUSER SECTEST1 TABLE
OPSUSER U DELETE Y OPSUSER SECTEST1 TABLE
OPSUSER U ALTER Y OPSUSER SECTEST1 TABLE
OPSUSER U CONTROL N OPSUSER SECTEST1 TABLE
8 record(s) selected.
SELECT * FROM OPSUSER.SECTEST1
COL1
--------------------
123
456
987
3 record(s) selected.
As you can see, only OPSUSER has any privileges on OPSUSER.SECTEST1, and yet
user FSWARBRI is able to query on the table (and update it, for that
matter).
Thanks!
Frank
6  2785 
On Mar 4, 12:02 pm, "Frank Swarbrick" <Frank.Swarbr...@efirstbank.com>
wrote:
I feel like an idiot for asking this, but neither I nor my DBA can figure
this out.
How do you create a database object that does not implicitly allow access by
any defined user?
For instance, I have a user who has been granted only the CONNECT privilege
to a certain database. But he is still able to do selects and updates and
other things to tables created by another user. Everything I've read
indicates this should not be allowed; that the user must be granted these
privileges explicitly. What are we missing?
================================================== ==========
About DB2 Administration Tools Environment
================================================== ==========
DB2 administration tools level:
Product identifier SQL09050
Level identifier 03010107
Level DB2 v9.5.0.808
Build level s071001
PTF NT3295
================================================== ==========
Java development kit (JDK):
Level IBM Corporation 1.5.0
================================================== ==========
Here's some more things that show what I am attempting:
connect to securedb user fswarbri using
Database Connection Information
Database server = DB2/NT 9.5.0
SQL authorization ID = FSWARBRI
Local database alias = SECUREDB
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTNAME = 'SECTEST1'
AUTHID AUTHIDTYPE PRIVILEGE GRANTABLE OBJECTSCHEMA OBJECTNAME OBJECTTYPE
------------------ ----------- --------- ------------ ---------- ----------
OPSUSER U UPDATE Y OPSUSER SECTEST1 TABLE
OPSUSER U REFERENCE Y OPSUSER SECTEST1 TABLE
OPSUSER U SELECT Y OPSUSER SECTEST1 TABLE
OPSUSER U INSERT Y OPSUSER SECTEST1 TABLE
OPSUSER U INDEX Y OPSUSER SECTEST1 TABLE
OPSUSER U DELETE Y OPSUSER SECTEST1 TABLE
OPSUSER U ALTER Y OPSUSER SECTEST1 TABLE
OPSUSER U CONTROL N OPSUSER SECTEST1 TABLE
8 record(s) selected.
SELECT * FROM OPSUSER.SECTEST1
COL1
--------------------
123
456
987
3 record(s) selected.
As you can see, only OPSUSER has any privileges on OPSUSER.SECTEST1, and yet
user FSWARBRI is able to query on the table (and update it, for that
matter).
Thanks!
Frank
Could it be that you need to explicitly remove/revoke this user from
the PUBLIC role?
--Jeff
Now this is interesting. The DBA went in to one of the instances running on
Linux and did the following from Control Center:
Selected the group PUBLIC
Revoked all privileges for all types of objects (specifically SCHEMA and
PACKAGES. I don't think any tables has explicit rights to any tables.)
Granted back privileges for all packages owned by NULLID.
He also had to remove the user at an OS level from a certain group
(db2admin?).
And now the user is no longer able to access tables to which that user has
not been granted privileges.
But I tried the same thing on my Windows PC running DB2 Express-C (9.5) and
it is still not enforcing the restrictions.
Huh?
Frank
If a user has privileges to SELECT, DELETE, UPDATE, or INSERT data
without having gotten in diractly then the access must have been granted
to either a group (or role) the user belongs to or PUBLIC.
So, take a look at that end.
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Frank Swarbrick wrote:
db2admin? Well....
If you want to hide data from dbadm you will need to use LBAC.
(or encrypt)
Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
>>On 3/4/2008 at 2:42 PM, in message
<63*************@mid.individual.net>,
Serge Rielau<sr*****@ca.ibm.comwrote:
Frank Swarbrick wrote:
db2admin? Well....
If you want to hide data from dbadm you will need to use LBAC.
(or encrypt)
No, I was saying that the db2 removed the 'restricted' user for a certain
Linux group, and I believe that group was named 'db2admins'. But I'm
probably wrong...
Wow, even odder. Now things seem to be working fine on my work PC. I am
able to restrict the PUBLIC group appropriately and grant rights to specific
users as necessary.
Maybe last night's reboot cleared things up. Who knows! Oh well. I still
have no idea what I did to cause the problem, but...
Frank
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Amardeep Verma |
last post by:
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?
Thanking you in Advance
Have a nice day
|
by: Charles Cantrell |
last post by:
I have recently set up mySQL on a Mandrake release of Linux (Version 7 of
Mandrake, I believe), using the binary 4.0.13 standard release.
The set up and start up all were normal, as far as I...
|
by: virgilio |
last post by:
Hi all,
"Administrator Guide Implementation" DB2 8.2, chapter 7, section
"Indirect privileges through a package" states:
(highlight >>>>!!!<<<<)
"Privileges granted to individuals binding the...
|
by: tweak |
last post by:
Can someone give me a short example as how to best use this keyword in
your code?
This is my understanding: by definition restrict sounds like it is
suppose to restrict access to memory...
|
by: shorti |
last post by:
Here is an example of what I want to do (syntax might not be entirely
correct as this is just an example):
CREATE TABLE ParentA
(
name CHAR (6) NOT NULL;
address CHAR(64);
) IN CUSTOMER_TS...
|
by: Me |
last post by:
I'm trying to wrap my head around the wording but from what I think the
standard says:
1. it's impossible to swap a restrict pointer with another pointer,
i.e.
int a = 1, b = 2;
int *...
|
by: Niu Xiao |
last post by:
I see a lot of use in function declarations, such as
size_t fread(void* restrict ptr, size_t size, size_t nobj, FILE*
restrict fp);
but what does the keyword 'restrict' mean? there is no...
|
by: dion.naidoo |
last post by:
Hi ,is there any way one can restrict users to copy files with
extensions that we dont want on our networks or local pcs. Users are
local administrators of their pcs.
PS. If this is not possible...
|
by: EricBlair |
last post by:
Hello, I wrote a windows service that is supposed to start an interactive GUI app. I realize a service will not readily do this so I've pieced together the code below to bypass that. However, the...
|
by: CloudSolutions |
last post by:
Introduction:
For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
