Re: tough choices

"Larry" <Larry_at_nospam.net> wrote in message news:cbdcnv$f0q$1_at_news.btv.ibm.com...
> Noons,
>
> I can't answer all of your questions. Perhaps someone else on the list
can.
>
> Noons wrote:
>
> > Larry apparently said,on my timestamp of 24/06/2004 1:59 AM:
> >
> >> Yes ... priviledges can be granted via SQL Grant and Revoke to groups
> >> ... and it works for tables, views, indexes, packages, UDFs, Stored
> >> Procs, etc.
> >
> >
> > Indexes? I think you are overstating the features right there... :)
> > Or perhaps you are quoting a feature that only exists in the mainframe
> > version?
>
> Specifically in the index area, DB2 UDB provides the ability to grant
> the privilege to create an index on a table, or an index specification
> on a nickname. Not talking mainframe or DB2/400 at all here. See the DB2
> SQL Reference under the Grant statement.
> >
> > Good. So how do you map that to a user that was verified externally?
> > Say for example I login as "BLOGGSJ", which the external security
attached
> > to group "OZZIE"? Do I have to have "OZZIE" defined BOTH in DB2
> > AND the external security?
>
> No. Just GRANT required priviledge to group OZZIE via GRANT statement.
>
> >
> > Better yet: can I login to the external security AND the database
> > as a member of group "USERS", get a SP to check who I am and what I
> > want to do and then give my logon the db group "OZZIE" and its rights
> > according to the contents of a config table?
> >
> GRANT can be embedded in an application program. Don't know for sure if
> this can be done ... perhaps someone from Toronto knows.

Authentication of external users is possible, you can even write your own user exits to acheive this.
Authorization happens in the engine through grant statements. Yes you can embed grants in any application sql. Also, usually static sql coming from applications uses package level security.

> > And another point: can you associate group security by GRANT
> > across schemas? As in granting a given set of tables from schema A
> > AND schema B to a single group "OZZIE"?
>
> One can GRANT schema priviledges, and GROUP can be specfied in that
> GRANT statement.
>
> >
> > Because I'll tell you what: I had a copy of DB2 UDB in my PC for
> > most of last year and for the life of me I could not find out
> > how to do it... Then again: please stay within the only version of
> > DB2 that deserves the name of UDB, OK? I don't give two hoots
> > what DB2/zos or DB2/AS400 does or will do in version 32.
>
> Don't know what versions deserve the name of UDB. But I am talking about
> DB2 UDB for Intel/UNIX/Linux.

If there is still confusion.. think of it as this.. DB2 on distributed platforms is UDB .. rest is Host DB2.. this again is not too far from what oracle does.. fyi.

>
> Larry Edelstein
>
Received on Wed Jun 23 2004 - 21:32:31 CDT