Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: tough choices

Re: tough choices

From: Pierre Saint-Jacques <>
Date: Fri, 25 Jun 2004 17:43:33 -0400
Message-ID: <901Dc.43764$>

Here goes:
In DB2 UDB for LUW, the id and password are always authenticated by the OS. I include here any add-ons like LDAP support, Kerberos, ... The instance configuration on the server can specify where this authentication is done. See AUTHENTICATION (client, server, with or without encryption).

Once verified, one can choose to have group memberships identified locally on the DB server or by a Domain server where the id was authenticated.

From there on, DB2 takes over with DB, object, and application security by using the GRANT command with or without the GRANT OPTION. The GRANT command can grant to one or more specific ids, groups, or to a special group called PUBLIC. PUBLIC includes any id that comes back authenticated by the OS.

Look at the following database catalog tables: SYSDBAUTH, SYSTABLEAUTH, SYSVIEWAUTH, SYSINDEXAUTH, SYSPACKAGEAUTH and so on. They will have rows showing the object name, the grantor id, the grantee id (group or specific) as well as the type of access (for tables, it would show insert, or update (all columns or selected columns), or select, or delete, or references, or ...).

One DB privilege is IMPLICIT_SCHEMA, which allows one to create objects (if one has been granted them) using any schema name. Another privilege is to have CREATEIN, ALTERIN, DROPIN in a specific schema. And yes, this can be granted to an id or a group.

So an id and/or a group can have multiple different types of privileges on one or more schemas or objects at any point in time.

These privileges are verified at connect time (which is a privilege of itself) once and only once, to determine what this id, and the groups to which it may belong, can or cannot do and at which level.

HTH, Pierre.

Noons wrote:
> Larry apparently said,on my timestamp of 24/06/2004 12:04 PM:

>> Specifically in the index area, DB2 UDB provides the ability to grant 
>> the privilege to create an index on a table, or an index specification 
>> on a nickname. 

> I was talking about grants for access to objects. Administrative grants
> are a completely different thing.
>> No. Just GRANT the required privilege to group OZZIE via a GRANT statement.

> Hmmm OK. Didn't look that way when I looked at it, but I'm willing to
> admit I didn't get all the details.
>> One can GRANT schema privileges, and GROUP can be specified in that 
>> GRANT statement.

> Yes, but can that group have privileges to portions of various
> schemas simultaneously?
>> Don't know what versions deserve the name of UDB. But I am talking 
>> about DB2 UDB for Intel/UNIX/Linux.

> Thanks. That makes it clear for me.
Pierre Saint-Jacques - Reply to:  sesconsjunk at attglobaljunk dot com
Reconstruct address:  Remove the two junk and replace at and dot by 
their symbols.
IBM DB2 Certified Solutions Expert - Administration
SES Consultants Inc.
Received on Fri Jun 25 2004 - 16:43:33 CDT
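The grants Pierre describes above, worked through as an added SQL example. This is not code from the original post or from the thread; the schema, table and group names (HR, SALES, PAYROLL) are hypothetical, and OZZIE is simply the group name the quoted exchange uses. The audit at the end reads the SYSCAT catalog views, which are the documented views over the SYSIBM base tables Pierre names, and asks the one question a reviewer always wants answered first: what has ended up granted to PUBLIC, since PUBLIC reaches every id the OS authenticates.

```sql
-- Added example, not part of the original post. Schemas HR and SALES,
-- tables HR.EMPLOYEE and SALES.ORDERS, and groups OZZIE and PAYROLL are
-- hypothetical names; OZZIE is the group mentioned in the quoted thread.
-- Run as an id holding DBADM (or SYSADM) on the database.

-- 1. Object privileges to one group, on objects in two different schemas.
--    This is the "portions of various schemas simultaneously" case.
GRANT SELECT ON TABLE hr.employee TO GROUP ozzie;
GRANT SELECT, INSERT ON TABLE sales.orders TO GROUP ozzie;

-- 2. Column-level UPDATE: PAYROLL may change SALARY and no other column.
--    Column grants are recorded in SYSCAT.COLAUTH, not as 'Y' in TABAUTH.
GRANT UPDATE (salary) ON TABLE hr.employee TO GROUP payroll;

-- 3. Schema privileges: the group may create, alter and drop objects in
--    SALES only, so it can do its own development without touching HR.
GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA sales TO GROUP ozzie;

-- 4. Database-level privileges. CONNECT is itself a privilege, as the post
--    says. IMPLICIT_SCHEMA lets a grantee create objects under any schema
--    name that does not yet exist (the schema is created implicitly); DB2
--    grants it to PUBLIC when a database is created, which is wider than a
--    least-privilege deployment wants, so take it back.
GRANT CONNECT ON DATABASE TO GROUP ozzie;
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- 5. Audit: what does PUBLIC hold after all this?
--    GRANTEETYPE is 'U' (user) or 'G' (group); PUBLIC is GRANTEE = 'PUBLIC'.
--    DBAUTH columns are 'Y'/'N'. SCHEMAAUTH and TABAUTH columns are
--    'Y' (held), 'G' (held WITH GRANT OPTION, i.e. can regrant) or 'N'.
SELECT connectauth, createtabauth, bindaddauth, implschemaauth, dbadmauth
  FROM syscat.dbauth
 WHERE grantee = 'PUBLIC';

SELECT schemaname, createinauth, alterinauth, dropinauth
  FROM syscat.schemaauth
 WHERE grantee = 'PUBLIC'
   AND (createinauth <> 'N' OR alterinauth <> 'N' OR dropinauth <> 'N');

SELECT tabschema, tabname,
       selectauth, insertauth, updateauth, deleteauth, controlauth
  FROM syscat.tabauth
 WHERE grantee = 'PUBLIC'
   AND tabschema NOT LIKE 'SYS%'
   AND (insertauth <> 'N' OR updateauth <> 'N' OR deleteauth <> 'N'
        OR controlauth = 'Y');

-- 6. The same view from the group's side: every grant OZZIE holds, across
--    all schemas, in one place.
SELECT tabschema, tabname, selectauth, insertauth, updateauth, deleteauth
  FROM syscat.tabauth
 WHERE grantee = 'OZZIE' AND granteetype = 'G';
```

Two things to watch when reading the audit output. A 'G' in any SCHEMAAUTH or TABAUTH column means the grantee can pass the privilege on, so a 'G' on a PUBLIC row means anyone the OS authenticates can widen access further; treat it as a finding, not a detail. And because group membership is resolved by the OS (or the domain) rather than by DB2, the catalog tells you what the group OZZIE may do but not who is in it; that half of the review has to be done on the server or domain controller, where Pierre says the membership is identified.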
