This document discusses using trusted contexts and roles in DB2 to control elevated privileges. It provides two examples: 1) Allowing DBAs to manage objects they do not own by acting as the owner through a trusted context. This avoids issues with other users requesting access to shared security profiles. 2) Limiting when a batch scheduling tool has SYSADM access by defining a trusted context that only assigns the role and privileges when specific job name prefixes are used.
5. IBM IOD 2012 6/22/2016
4
We face numerous security challenges as technology gets better and industry
regulation continues to increase. Auditing continues to apply more pressure to
restrict or limit who has DB2 elevated privileges, which means we have to find new
ways to address these challenges.
At Nationwide we used a RACI document to clearly outline and define Roles and
Responsibilities between the DB2 Engineer, DB2 DBA, Data Modeler, and the
Performance Team. This presented Nationwide with some challenges.
2418 Tilkes Pickel.ppt
6. IBM IOD 2012 6/22/2016
5
There are several methods that can be used to allow DBAs to manage DB2 objects
they do not own. One is to create a RACF group with the same name as the owner and
add the DBAs' IDs to that group. Problem solved, right? Here is the issue with
that one: someone from another area could request access to that RACF group.
That never happens, right? As all of you are aware, the owner of the object has all
DB2 privileges to that object. The second option is with the use of a Trusted Context
with an external security profile.
How do we control when the batch scheduling tool has SYSADM access? For this
example we will use a Trusted Context with an assigned Role.
So what are Trusted Contexts and Roles?
8. IBM IOD 2012 6/22/2016
7
A trusted context establishes a trusted relationship between DB2 and an external
entity, such as a middleware server or another DB2 subsystem. At connection time,
a series of trust attributes are evaluated to determine if a specific context can be
trusted. After a trusted connection is established, it is possible to acquire, through
a role, a special set of privileges for a DB2 authorization ID within the specific
connection that are not available to it outside of the trusted connection.
When defining a Trusted Context the connection attributes must be unique within
the trusted context definition. What I mean is, you cannot list the same value
twice for ADDRESS, JOBNAME, or SERVAUTH in a single trusted context
definition.
The minimum DB2 authority needed to define a Trusted Context is INSTALL SYSADM,
SYSADM, or SECADM (SECADM is not available until DB2 version 10).
A trusted connection can be established for a local or a remote application. The
attributes used to establish a trusted context are different for remote and local
applications. The two examples we will be looking at today will both be referencing
local applications using the connection attribute of JOBNAME.
9. IBM IOD 2012 6/22/2016
8
Any ID that is the owner of an object or has grant authority can grant privileges to a
Role. However, to create a Role you must be either INSTALL SYSADM, SYSADM,
SYSCTRL, or SECADM (SECADM is not available until DB2 version 10).
A Role must be associated with a Trusted Context in order to be used.
For more information about Trusted Context and Roles please refer to the IBM
Redbook: Securing DB2 and Implementing MLS on z/OS or the IBM Redbook: Security
Functions of IBM DB2 10 for z/OS.
Now that we know what Trusted Context and Roles are, let's explore the two
different opportunities we have to put them to use.
Contact your Security Admin and have them create the DSNR class profile TRUSTEDCTX.DBA.
Then have the Security Admin grant READ access to the users/groups that need to
use that DSNR profile. Create protected IDs for the object owners whose objects you
want the DBAs to be able to manage.
For Views the issue was: how do we allow the DBAs to control access to those
views, while the DBAs also needed the ability to ALTER the view if needed?
The issue with Aliases was that the DBAs could create them, but could not DROP them.
How do you allow the DBA to control access to Packages and Plans?
Now that we have the external security profile in place, let's move on and create
the trusted context.
REMEMBER, this method allows them to act as the OWNER, and as the owner of an
object they have all privileges to that object.
For this example we have a primary user ID of DBAUSR1 with access to an external
security profile of TRUSTEDCTX.DBA through READ access granted to group
DBAGRP1. We want DBAUSR1 to have access to object owner SAMPID1 in order to
execute the ALTER VIEW REGENERATE statement on view SAMPID1.EMP_PHONE.
They also want the DBA to have that access only when running under specific job
name prefixes.
The name of the Trusted Context that is being created is DBA_DBAUSR1.
The first job name on the attributes line allows the user to use SPUFI as well as any
batch job prefixed with their ID, and to connect using the ASUSER option. The second
job name on the attributes line allows them to use a batch job that begins with the
prefix DBAT. As long as the batch job is connected with a DBAT prefix, the
user can code the ASUSER clause in their connection options.
Now let's go learn how to use the AS USER clause in SPUFI and batch to utilize the
Trusted Context we created above.
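The following is an added example, not the DDL from the presentation's slides: it writes out the DBA_DBAUSR1 definition from the attributes described in the notes (the exact JOBNAME wildcard values and the RACF prerequisite are assumptions) and the statement that is then run under AS USER.

```sql
-- Assumed prerequisite, done by the security admin in RACF (not SQL):
--   profile TRUSTEDCTX.DBA defined in class DSNR with UACC(NONE),
--   READ permitted to group DBAGRP1 (DBAUSR1's group) and to the
--   protected owner ID SAMPID1, then the DSNR class refreshed.

-- Trusted context for the DBA's local (JOBNAME-matched) connections.
-- JOBNAME values are assumed from the notes: TSO/SPUFI runs under the
-- user's own ID, batch jobs carry a DBAUSR1* or DBAT* job name.
-- Each attribute value must be unique within the definition.
CREATE TRUSTED CONTEXT DBA_DBAUSR1
  BASED UPON CONNECTION USING SYSTEM AUTHID DBAUSR1
  NO DEFAULT ROLE
  ENABLE
  ATTRIBUTES (JOBNAME 'DBAUSR1*',
              JOBNAME 'DBAT*')
  -- Any ID with READ on the RACF profile (here SAMPID1) can be the
  -- ASUSER target; no per-owner WITH USE FOR list is maintained in DB2.
  WITH USE FOR EXTERNAL SECURITY PROFILE TRUSTEDCTX.DBA;

COMMIT;

-- Issued from SPUFI with the DB2I defaults AS USER option set to
-- SAMPID1, or from a batch job whose DSN command specifies
-- ASUSER(SAMPID1): DB2 sees the view owner, so the ALTER succeeds.
ALTER VIEW SAMPID1.EMP_PHONE REGENERATE;

-- The same statement on a plain DBAUSR1 connection (no ASUSER, or a
-- job name outside the listed prefixes) fails with an authorization
-- error unless DBAUSR1 holds SYSADM.
```

Because the switch is limited to IDs with READ on TRUSTEDCTX.DBA and to connections that match the SYSTEM AUTHID and JOBNAME attributes, a review of who can reach SAMPID1's objects this way reduces to the RACF access list plus the catalog rows for this one context.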
Once I set the AS USER option (OPTION #10) to SAMPID1, I hit enter until I get
back to the DB2I PRIMARY OPTION MENU.
Then select SPUFI and enter the following statement:
ALTER VIEW SAMPID1.EMP_PHONE REGENERATE;
It should execute successfully since the AS USER option was set to SAMPID1, whereas
if the AS USER option is not set the above statement will fail, provided you have not
been granted SYSADM access.
The reason this works is that DBAUSR1 has READ access to DSNR class profile
TRUSTEDCTX.DBA, SAMPID1 also has READ access to that DSNR profile, and a trusted
connection has been established through Trusted Context DBA_DBAUSR1. This allows
DBAUSR1 to use AS USER in their connection string. In doing so, DBAUSR1 appears to
DB2 as SAMPID1.
This is similar to what you would do if you executed a SET CURRENT SQLID. The
difference is that with SET CURRENT SQLID you either have to be SYSADM, or SAMPID1
would have to be a RACF group with DBAUSR1 connected to it. By using the trusted
context concept you limit the opportunity for access to your DB2 objects. Even if
someone did get READ access to the DSNR class profile TRUSTEDCTX.DBA, that user
would still need a Trusted Context definition in DB2 tied to their Auth ID to
gain access.
If the DBA (DBAUSR1) attempted to execute the ALTER VIEW REGENERATE
without the ASUSER clause, a failure would occur stating they do not have the
authority to execute the ALTER on the view.
As a result of the ASUSER clause being coded, provided a trusted connection has
been established and the owner of the view has been given READ access to the DSNR
class profile TRUSTEDCTX.DBA
SCHID1 is an authorization ID associated with your batch scheduling tool, which is
the submitter of all your DB2 system maintenance jobs.
Creating the trusted context allows the scheduling tool to have SYSADM access to
run the DB2 system maintenance jobs only for Auth ID SCHID1 and only for job
names matching the prefixes given in the attributes of the trusted context.
Jobs submitted by the batch scheduling tool under a different Auth ID, or with a
job name other than those listed above, will not be assigned the ROLE DB2SYSENG,
and thus the Auth ID will not get SYSADM access to DB2.
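An added example (not the presentation's own DDL) of the role-based scheduling-tool setup described above, followed by two catalog queries a reviewer can use to confirm the elevated authority exists only inside the context; the context name and the JOBNAME prefixes are placeholders, since the notes only say the maintenance job names are prefix-matched.

```sql
-- Role that carries the elevated authority. SYSADM is granted to the
-- role, never to SCHID1 itself, so it is usable only through a
-- trusted connection that assigns the role.
CREATE ROLE DB2SYSENG;
GRANT SYSADM TO ROLE DB2SYSENG;

-- Context name and JOBNAME prefixes are assumed placeholders.
-- SCHID1 gets DB2SYSENG only when the job name matches one of the
-- listed prefixes; any other job from the scheduler runs with
-- SCHID1's ordinary privileges.
CREATE TRUSTED CONTEXT SCHED_DB2MAINT
  BASED UPON CONNECTION USING SYSTEM AUTHID SCHID1
  DEFAULT ROLE DB2SYSENG WITHOUT ROLE AS OBJECT OWNER
  ENABLE
  ATTRIBUTES (JOBNAME 'DB2MNT*',
              JOBNAME 'DB2REO*');
COMMIT;

-- Review check 1: SYSADM should be held by the role, not by SCHID1.
-- Rows for roles show GRANTEETYPE 'L'; a blank GRANTEETYPE is an auth ID.
SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
  WHERE SYSADMAUTH IN ('Y', 'G');

-- Review check 2: the context is enabled, bound to SCHID1, carries the
-- expected default role, and lists only the intended JOBNAME prefixes.
SELECT C.NAME, C.SYSTEMAUTHID, C.DEFAULTROLE, C.ENABLED,
       A.NAME AS ATTR_NAME, A.VALUE AS ATTR_VALUE
  FROM SYSIBM.SYSCONTEXT C
  JOIN SYSIBM.SYSCTXTTRUSTATTRS A
    ON A.CONTEXTID = C.CONTEXTID
  WHERE C.NAME = 'SCHED_DB2MAINT';
```

If the first query ever returns SCHID1 with a blank GRANTEETYPE, SYSADM has been granted directly and the job-name restriction no longer limits anything.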