The document discusses the challenges of DB2 database administration, particularly the need to provide users with the authority to perform tasks without granting full DBA privileges. It reviews DB2's security model, detailing various administrative routines and authority levels, as well as techniques for managing permissions in a granular manner. Additionally, it covers the setup of federated databases to integrate multiple data sources while maintaining independence.

1. Solving the DB2 Database
Administration Dilemma
Randy Goering
DST Systems Inc.
rmgoering@gmail.com
Session Code D12
May 13, 2010
2:45 PM – 3:45 PM
Platform DB2 9 for Linux, UNIX, Windows

2. Agenda
• What Dilemma?
• DB2 Security Model Review
• Administrative Routines and Views.
• Creating a SQL Stored Procedure to execute
an administrative function
• Setting up a loop back federated database
• Configuring security at the Instance,
Federated Server, and Stored Procedures

3. What Dilemma?

4. What Dilemma?
• Authority!
•How do you give users the ability to
do their job without giving them the
ability to do the DBA‘s Job? Definition
Dilemma – noun –
1. a situation requiring a choice
between equally undesirable
alternatives.
2. any difficult or perplexing
situation or problem.
•How do you give the users the
ability to do their job so the DBAs
won‘t have to do it for them?

5. What Dilemma?
Client Requests
• What is running in the database?
• I loaded data to my table now I can‘t access it!
• I executed a bad query and now I need to kill it!
• Why is my query taking so long? Is it waiting for
something?
• I need to prevent read access on a table while I insert
data.
• I need to kill a backup so I can load data.

6. What Dilemma?
What‘s needed What‘s allowed
• List applications • Select
• List locks • Insert
• List utilities • Update
• Take backups • Delete
• Force applications • Load
• Quiesce table or tablespace • Execute

7. What Dilemma?
DB2 administrative functions are authorized at the instance and database
level by users being a member in one of the instance or database groups.
• SYSMON System monitor authority
• SYSMAINT System maintenance authority
• SYSCTRL System control authority
• SYSADM System administration authority
• DBADM Database administration authority
• SECADM Security administration authority
Our Dilemma has been how do we grant certain privileges to our users
without granting them all of the commands in an administrative group.
We want to grant permissions ‗a la carte‘.

8. What Dilemma?
Solving Permission Issues (a la carte)
Specific Administrative functions can be granted to users.
• Using
• Administrative Routines and Views
• SQL Stored Procedures
• Federated Stored Procedures
• Eliminating
• SYSADM
• SYSCTRL
• SYSMAINT
• SYSMON
• DBADM

9. DB2 9 LUW Security Model Review

10. DB2 9 LUW Security Model Review
Instance Level Authority
SYSAD
•SYSADM for users managing the M
SYSCTRL
instance as a whole
SYSMAINT
•SYSCTRL for users administering a SYSMON
database manager instance
•SYSMAINT for users administering
databases within an instance
•SYSMON for users monitoring the instance
and its databases

11. DB2 9 LUW Security Model Review
Instance Level Authority
db2 get dbm cfg
SYSADM group name (SYSADM_GROUP) =
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
SYSMON group name (SYSMON_GROUP) =
• db2 update dbm cfg using SYSADM_GROUP = <value>
• db2 update dbm cfg using SYSCTRL_GROUP = <value>
• db2 update dbm cfg using SYSMAINT_GROUP = <value>
• db2 update dbm cfg using SYSMON_GROUP = <value>

12. DB2 9 LUW Security Model Review
SYSMON
• MONITOR SWITCHES
• SNAPSHOTS
• LIST commands
• Active databases
• Applications
• Database partition groups
• DCS applications
• Packages
• Tables
• Tablespaces
• Tablespace containers
• Utilities

13. DB2 9 LUW Security Model Review
SYSMAINT
• Backups
• Restore to existing Database
• Rollforward Recovery
• Start or Stop an instance
• Quiesce a table space
• Tracing
• Database system monitor snapshots
• Reorganize tables
• RUNSTATS
• All SYSMON authorities

14. DB2 9 LUW Security Model Review
SYSCTRL
• Update a database, node or distributed connection services (DCS)
directory
• Restore to a new or existing database
• Force users off the system
• Create or drop a database
• Create, drop, or alter a table space
• Use any table space
• All SYSMAINT and SYSMON authority

15. DB2 9 LUW Security Model Review
SYSADM
• Update and restore a database manager configuration
parameters
• DBM CFG and DB CFG
• Specify groups that have SYSADM, SYSCTRL, SYSMAINT
and SYSMON
• Grant and Revoke table space privileges
• Upgrade and restore a database
• All SYSCTRL, SYSMAINT, SYSMON authority

16. DB2 9 LUW Security Model
Database Level Authority
• SECADM for users managing security
• DBADM for users administering a database
• ACCESSCTRL for users who need to grant privileges
• DATAACCESS for users who need to access data
• SQLADM for users who monitor and tune SQL queries
• WLMADM for users who manage workloads
• EXPLAIN for users who need to explain query plans

17. DB2 9 LUW Security Model
SECADM
• Create, alter, comment on, and drop Audit policies
• Security label components
• Security policies
• Trusted contexts
• Create, comment on, and drop Roles
• Security labels
• Grant and revoke database privileges and authorities
• Execute audit routines
• Grant and revoke Execute privilege on audit routines

18. DB2 9 LUW Security Model
ACCESSCTRL
• Grant and revoke the following administrative authorities
• EXPLAIN
• SQLADM
• WLMADM
• Grant and revoke the following database authorities
• BINDADD
• CONNECT
• CREATETAB
• CREATE_EXTERNAL_ROUTINE
• CREATE_NOT_FENCED_ROUTINE
• IMPLICIT_SCHEMA
• LOAD
• QUIESCE_CONNECT
• Grant and revoke all privileges on the following objects
• Global Variables, Indexes, Nickname, Package, Routine, Schema
• Sequence, Server, Table, Table Space, View, XSR Objects
• SELECT privilege on the system catalog tables and views

19. DB2 9 LUW Security Model
DATAACCESS
• For all tables, views, materialized query tables, and nicknames
it gives these authorities and privileges
• LOAD authority on the database
• SELECT privilege (including system catalog tables and views)
• INSERT privilege
• UPDATE privilege
• DELETE privilege
• In addition, DATAACCESS authority provides the following privileges
EXECUTE on all packages
• EXECUTE on all routines (except audit routines)

20. DB2 9 LUW Security Model
DBADM
• Create, alter, drop non-security related database objects
• Read log files
• Create, activate, and drop event monitors
• Query the state of a table space
• Update log history files
• Quiesce a table space
• Reorganize a table
• Collect catalog statistics using the RUNSTATS utility

21. DB2 9 LUW Security Model
SQLADM
• CREATE EVENT MONITOR
• DROP EVENT MONITOR
• EXPLAIN
• FLUSH EVENT MONITOR
• FLUSH OPTIMIZATION PROFILE CACHE
• FLUSH PACKAGE CACHE
• PREPARE
• REORG INDEXES/TABLE
• RUNSTATS
• SET EVENT MONITOR STATE

22. DB2 9 LUW Security Model
WLMADM
• Create, alter, comment on and drop workload manager objects
• Grant and revoke workload privileges
• EXECUTE privilege on the system-defined workload management
routines

23. Administrative Routines and Views

24. Administrative routines and views
DB2 LUW administrative views provide an easy-to-use application
programming interface to DB2 administrative functions through SQL.
• Collection of
• Views
• Table Functions
• Invoked from
• SQL-based application
• DB2 command
• Command script

25. Categories of Administrative Routines and Views
• Solution uses routines in the following categories:
• Snapshot administrative SQL routines and views
• ADMIN_CMD stored procedure and associated administrative
SQL routines
• Monitor routines and views

26. Snapshot administrative SQL routines and views
• Samples of administrative views
• APPLICATIONS administrative view
• This administrative view returns information on connected database applications.
• LOCKS_HELD administrative view
• This administrative view returns information on current locks held.
• LOCKWAITS administrative view
• This administrative view returns information on locks that are waiting to be granted.
• LONG_RUNNING_SQL administrative view
• This administrative view returns the longest running SQL statements in the currently
connected database.
• TOP_DYNAMIC_SQL administrative view
• This administrative view returns the top dynamic SQL statements sortable by number of
executions, average execution time, number of sorts, or sorts per statement.

27. APPLICATIONS administrative view
• Returns information on connected database applications.
• LIST APPLICATIONS SHOW DETAIL command.
SELECT AGENT_ID,SUBSTR(APPL_NAME,1,32) AS APPL_NAME,
SUBSTR(AUTHID,1,32),APPL_STATUS FROM SYSIBMADM.APPLICATIONS
FOR READ ONLY WITH UR
AGENT_ID APPL_NAME AUTHID APPL_STATUS
----- -------------------- ------- -----------
16096 db2wlmd DBADMIN CONNECTED
16095 db2taskd DBADMIN CONNECTED
16108 QuestCentral.exe DBADMIN UOWWAIT
16101 db2evmg_DB2DETAILDEA DBADMIN CONNECTED
Authorization
One of SYSADM, SYSCTRL, SYSMAINT, SYSMON

28. SNAP_GET_APPL_INFO_V95 table function
• Table Function to return information about applications from an application
snapshot.
• Examples
Select * FROM TABLE(SNAP_GET_APPL_INFO_V95( dbname)) AS T
Select * FROM TABLE(SNAP_GET_APPL_INFO_V95(‗‘)) AS T
Use an empty string to return applications on current database
Select * FROM TABLE(SNAP_GET_APPL_INFO_V95(NULL)) AS T
Use NULL to get list of all applications on the instance
• Authorization
SYSMON
EXECUTE on the get SNAP_GET_APPL_INFO table function

29. LOCKS_HELD administrative view
SELECT DB_NAME, AGENT_ID, APPL_NAME, AUTHID, TBSP_NAME,
TABSCHEMA, TABNAME, LOCK_OBJECT_TYPE, LOCK_MODE FROM
SYSIBMADM.LOCKS_HELD
DB_NAME AGENT_ID APPL_NAME AUTHID TBSP_NAME TABSCHEMA TABNAME LOCK_OBJECT_TYPE LOCK_MODE
TST00XXX 6004 express_cheese SWISS [Null] [Null] [Null] INTERNALV_LO CK S
TST00XXX 6004 express_cheese SWISS [Null] [Null] [Null] INTERNALP_LO CK S
TST00XXX 5267 express_cheese SWISS [Null] [Null] [Null] INTERNALP_LO CK S
TST00XXX 5267 espress_cheese SWISS SYSCATSPACE SYSIBM SYSUSERAUTH TABLE_LO CK IS
TST00XXX 5266 express_cheese SWISS REP DPS REP_MAINT RO W_LO CK X
TST00XXX 5266 express_cheese SWISS CO NTACT DPS CO NTACT RO W_LO CK X
TST00XXX 5266 express_cheese SWISS REP DPS REP_ENTITY_AUDIT RO W_LO CK X
Authorizations
One of SYSADM, SYSCTRL, SYSMAINT, SYSMON

30. LOCKWAITS administrative view
SELECT SUBSTR(A.DB_NAME,1,10) AS DB_NAME , A.SNAPSHOT_TIMESTAMP,
LOCK_WAIT_START_TIME , A.AGENT_ID , SUBSTR(A.AUTHID,1,12) as AUTHID ,
AGENT_ID_HOLDING_LK , SUBSTR(A.APPL_NAME,1,32) AS APPL_NAME,
SUBSTR(TABSCHEMA,1,10) AS SCHEMA , SUBSTR(TABNAME,1,32) AS TABLE ,
SUBSTR(TBSP_NAME,1,32) AS TABLESPACE , LOCK_OBJECT_TYPE , LOCK_MODE ,
LOCK_MODE_REQUESTED , cast(SUBSTR(B.STMT_TEXT,1,256) AS VARCHAR(256) ) AS
STMT_TEXT
FROM SYSIBMADM.LOCKWAITS
Authorizations
One of SYSADM, SYSCTRL, SYSMAINT, SYSMON

31. ADMIN_CMD stored procedure and associated
administrative SQL routines
The ADMIN_CMD procedure is used by applications to run administrative commands using the SQL CALL
statement.
The procedure currently supports the following DB2 command line processor (CLP) commands
• AUTOCONFIGURE
• BACKUP - online only
• DESCRIBE
• EXPORT
• FORCE APPLICATION
• IMPORT
• LOAD
• PRUNE HISTORY/LOGFILE
• QUIESCE DATABASE
• QUIESCE TABLESPACES FOR TABLE
• REDISTRIBUTE
• REORG INDEXES/TABLE
• RESET ALERT CONFIGURATION
• RESET DATABASE CONFIGURATION
• RESET DATABASE MANAGER CONFIGURATION
• RUNSTATS
• UNQUIESCE DATABASE
• UPDATE DATABASE CONFIGURATION
• UPDATE DATABASE MANAGER CONFIGURATION
• UPDATE HEALTH NOTIFICATION CONTACT LIST
• UPDATE HISTORY

32. ADMIN_CMD stored procedure and associated
administrative SQL routines
• FORCE APPLICATION command using the ADMIN_CMD procedure
• CALL SYSPROC.ADMIN_CMD( ‗force application (6108)‘)
Authorizations
One of SYSADM, SYSCTRL, SYSMAINT

33. ADMIN_CMD stored procedure and associated
administrative SQL routines
• BACKUP DATABASE command using the ADMIN_CMD procedure
• CALL SYSPROC.ADMIN_CMD('backup db dbasamp1 online use tsm')
Authorizations
One of SYSADM ,SYSCTRL,SYSMAINT

34. ADMIN_CMD stored procedure and associated
administrative SQL routines
QUIESCE TABLESPACES FOR TABLE command using the ADMIN_CMD
procedure
• CALL SYSPROC.ADMIN_CMD( 'quiesce tablespaces for table H9X
exclusive' )
Authorizations
One of SYSADM, SYSCTRL, SYSMAINT, DBADM,LOAD

35. Creating a SQL Stored Procedure to
execute an administrative function

36. Creating a Stored Procedure
Types of Procedures
• SQL
• Written in SQL and defined on the current database.
• Sourced
• Procedure that references a source procedure (SQL)
• Also know as a federated procedure
• Defined on current or remote database
• External
• Written in a programming language

37. SQL Procedure Definitions
• Create Statement
• Procedure Name
• Parameters List
• Options
• SQL Body
• Authorization
• IMPLICIT_SCHEMA
• CREATEIN
• DBADM
• Must also have permissions to execute all SQL contained in procedure

38. Create Procedure Statement
• CREATE PROCEDURE procedure name (IN|OUT|INOUT
parameter | data type | default clause ) option list | SQL procedure
body
CREATE PROCEDURE SP_FORCE_APP
• (IN | OUT | INOUT parameter-name data-type default-clause, …)
CREATE PROCEDURE SP_FORCE_APP (IN VAGENT CHAR(16))

39. SQL Procedure Options
• SPECIFIC unique_name
• DYNAMIC RESULT SETS integer
• LANGUAGE SQL
• CALLED ON NULL INPUT
• EXTERNAL ACTION
• OLD SAVEPOINT LEVEL
• INHERIT SPECIAL REGISTERS
• CONTAINS SQL, READS SQL DATA, MODIFIES SQL DATA
CREATE PROCEDURE SP_FORCE_APP (IN VAGENT CHAR(16))
SPECIFIC DBA.SP_FORCE_AGENTID
LANGUAGE SQL
CONTAINS SQL

40. SQL Procedure Body
BEGIN
Variable declarations
Condition declarations
Cursor declarations
Condition handler declarations
Assignment
Flow of control
SQL statements and other compound statements
END

41. SQL Procedure Execution
• SQL procedure invoked by using the CALL statement.
• Passing of parameters
• Receiving of parameters
• Result sets returned
• SQL Procedures can be invoked from:
• an embedded SQL client application
• an external routine (procedure, UDF, or method)
• an SQL routine (procedure, UDF, or method)
• an SQL trigger (BEFORE TRIGGER, AFTER TRIGGER, or INSTEAD OF TRIGGER)
• an SQL dynamic compound statement
• from the Command Line Processor (CLP)
• Examples
• CALL DBA.SP_FORCE_APP (‗21235‘)
• CALL DBA.SP_LIST_APPLICATIONS()

42. SQL Procedures
Examples of SQL Procedures
Called by the Federated Procedures
only.
• DBA.SP_LIST_APPLICATIONS()
• DBA.SP_LIST_LOCKWAITS()
• DBA.SP_FORCE_AGENTID()
• DBA.SP_LIST_LOCKWAITS()
• DBA.SP_GET_CURRENT_AGENTID()
• DBA.SP_FORCE_BACKUP()
• DBA.SP_CHECK_UTILITY_STATUS()
• DBA.SP_BACKUP_DATABASE()
• DBA.SP_FORCE_APP_BY_TABLE()

43. SP_LIST_APPLICATIONS
Using Administrative View
CREATE PROCEDURE DBA.SP_LIST_APPLICATIONS( )
{OPTIONS}
BEGIN
{ DECLARE}
SELECT AGENT_ID
, SUBSTR(APPL_NAME,1,32) AS APPL_NAME
, SUBSTR(AUTHID,1,32) AS AUTHID
, APPL_STATUS, APPL_ID
FROM SYSIBMADM.APPLICATIONS
WHERE DB_NAME = DB FOR READ ONLY WITH UR;
VALUES CURRENT SERVER INTO DB;
OPEN C1;
END

44. SP_LIST_APPLICATIONS
Using Table Function
CREATE PROCEDURE DBA.SP_LIST_ALL_APPLICATIONS (IN VDBNAME
VARCHAR(128))
SPECIFIC DBA.SP_LST_ALL_APPLICATIONS
{OPTIONS}
BEGIN
{DECLARE}
SELECT SNAPSHOT_TIMESTAMP , SUBSTR(DB_NAME,1,10) AS DB_NAME
, CAST(AGENT_ID AS CHAR(10)) AS AGENT_ID
,SUBSTR(APPL_NAME,1,24) AS APPL_NAME
, SUBSTR(PRIMARY_AUTH_ID,1,10) AS PRIMARY_AUTH_ID
, SUBSTR(APPL_STATUS, 1,12) AS APPL_STATUS
, SUBSTR(CLIENT_NNAME,1,16) AS CLIENT_NNAME
FROM TABLE(SNAP_GET_APPL_INFO_V95( VDBNAME )) AS T
WHERE IS_SYSTEM_APPL = 0 and PRIMARY_AUTH_ID NOT IN
(SELECT UPPER(INST_NAME)
FROM SYSIBMADM.ENV_INST_INFO)
FOR READ ONLY WITH UR;
OPEN C1;
END

45. Setting up a loop back federated database

46. Federation
• Unites multiple databases or data sources.
Definition
• Acts like a central database. fed·er·ate
– verb –
1. to unite.
• Each database or data source remains independent.
Definition
fed·er·a·tion
- noun –
1. the act of federating or uniting.
2. the formation of a political unity, with a
central government, by a number of
separate states, each of which retains
control of its own internal affairs.

47. Federation Benefits
• Correlate data from local tables and remote data sources, as if all the
data is stored locally in the federated database.
• Update data in relational data sources, as if the data is stored in the
federated database.
• Move data to and from relational data sources.
• Take advantage of the data source processing strengths, by sending
requests to the data sources for processing.
• Compensate for SQL limitations at the data source by processing
parts of a distributed request at the federated server.

48. Heterogeneous Federation
• Federation between DB2 family and Informix data
sources.
• Federation between non DB2 Relational Database
Systems.
• Federation between non relational data sources.
• Access to non DB2 family data sources requires IBM
InfoSphere Federation Server.

49. Components of heterogeneous DB2 federated system

50. Homogeneous Federation
Federation between DB2 LUW and other DB2 family and
Informix data sources only.
• Available in:
• DB2 Enterprise Server Edition
• DB2 Workgroup Server Edition
• DB2 Express Edition
• No additional software or licenses required.

51. Components of homogeneous DB2 federated system
Source DB Target DB
SQL
D Nicknames
DB2 R DB2
Family D Family
A User
Mappings
Wrappers and
SDB.TB1 Functions TDB.TB2
SELECT SDB.COL1 FROM SDB.TB1
SELECT TDB.COL1 FROM TDB.TB2
SELECT SDB.COL1, TDB.COL1 FROM SDB.TB1 AS SDB, TDB.TB2 AS TDB

52. Federation System
• DB2 instance that operates as a federated server.
• DB2 database that acts as the federated database.
• One or more data sources.
• Clients (users and applications) that access the
database and data sources.

53. Components of a loop back DB2 federated system
• One DB2 Database Manager Instance.
• One DB2 Database.
• One Data Source.
• Multiple SQL Procedures.
• Multiple Federated Procedures.
Source Database
SQL
D Federated
DB2 R Procedures
Family D
A SQL Procedures
User Mappings
Wrappers and
Target Database Functions

54. The Federated Server
• The DB2 instance that manages the federated system is called a server because it
responds to requests from end users and client applications.
• Any number of DB2 instances can be configured to function as federated servers.
• Application processes connect and submit requests to the database within the
federated server.
• A federated server is configured to receive requests that might be partially or entirely
intended for data sources. The federated server distributes these requests to the data
sources.
• A federated server uses DRDA communication protocols (over TCP/IP) to
communicate with DB2 family instances.
• A Federated server also uses the native client of the data source to access the data
source. For example, a federated server uses the Sybase Open Client to access
Sybase data sources and an Microsoft® SQL Server ODBC Driver to access Microsoft
SQL Server data sources.

55. Configuring the Federated Server
• Configure at the instance by updating the Database Management
Configuration parameter.
• FEDERATED
• DB2 UPDATE DATABASE MANAGER CONFIGURATION
USING FEDERATED YES
• CONNECTION CONCENTRATOR
• Federated database system support and concentrator feature cannot
be active at the same time.
• Must be off by setting
• MAX_CONNECTIONS = MAX_COORDAGENTS

56. The Federated Database
• System catalog contains entries that identify data sources and their characteristics.
• The federated server consults the system catalog and the data source wrapper to
determine the best plan for processing SQL statements.
• The federated system processes SQL statements as if the data from the data sources
were ordinary relational tables or views within the federated databases.
• The federated system can correlate relational data with data in non-relational formats.
• The characteristics of the federated database take precedence when there are
differences between the characteristics of the federated database and the
characteristics of the data sources.
• Query results conform to DB2 semantics, even if data from other non-DB2 data
sources is used to compute the query result.
• A federated database is a database with one or more data sources defined.

57. The Data Source
• A data source is data that resides outside of the federated
database.
• A data source can be a relational database or a non-relational
data type.
• A federated system does not monopolize or restrict access to the
other data sources, beyond integrity and locking constraints.
• The method, or protocol, used to access a data source depends
on the type of data source.
• The data source is accessed via a data source wrapper.

58. Data Source Wrapper
• Wrappers are mechanisms by which the federated database
interacts with data sources.
• You create one wrapper for each type of data source that you
want to access.
• These routines allow the federated database to perform
operations such as connecting to a data source and retrieving
data from it iteratively.
• The federated server provides connectivity to DB2 data
sources by using the open DRDA protocol.
• This support is equivalent to that provided by the DB2 Connect
server.
• You can use the DRDA wrapper with all DB2 family data
source objects—DB2 Database for Linux, UNIX, and Windows,
DB2 for z/OS, DB2 for System I, and DB2 Server for VM and
VSE.

59. Create Data Source Wrapper
• DB2 CREATE WRAPPER DRDA OPTIONS (DB2_FENCED ‗N‘)
• You can register a wrapper as fenced or trusted using the
DB2_FENCED wrapper option.
• FENCED - processes that are separate from the database agent.
• NOT_FENCED – processes that are within the database agent.
• The sourced (federated) procedure cannot be created or invoked
using a wrapper defined as fenced.
Authorizations
One of SYSADM, DBADM

60. Create Server Definition
• Use the CREATE SERVER statement to register DB2 data source definitions.
• A server definition for relational data sources usually represents a remote database.
• CREATE SERVER―DBATOOLS‖ TYPE DB2/AIX VERSION ‗9‘ WRAPPER ―DRDA‖
AUTHORIZATION ―INSTID‖ PASSWORD ―INSTPWD‖ OPTIONS(ADD NODE
‗SPINODE‘, ADD DBNAME ‗SPI00001‘)
• Catalog node and database
• db2 catalog tcpip node SPINODE REMOTE 127.0.0.1 SERVER 50000
• db2 catalog database SOURCEDB AS SCPI0001 AT NODE SPINODE
Authorizations
One of SYSADM, DBADM

61. Create User Mappings
• A user mapping is an association between an authorization ID
on the federated server and the information that is required to
connect to the remote data source.
• CREATE USER MAPPING FOR ―RANDY‖ SERVER
DBATOOLS OPTIONS (REMOTE_AUTHID ‗SYSADMID‘,
REMOTE_PASSWORD mypasswd1)
This is the Key to our Solution. By mapping a
users ID to an ID with the authority to execute
administrative commands we can provide
authorities a la carte.

62. Creating a Federated Stored Procedure

63. Create Federated Procedure
• A Federated Procedure is a procedure on the
federated database that executes a SQL procedure
on the data source.
• Authorization
• IMPLICIT_SCHEMA
• CREATEIN
• DBADM
• Must also have permissions to execute all SQL contained in
procedure

64. Create Federated Procedure
• Syntax
• CREATE PRODEDURE procedure name | source procedure
clause |option list | SOURCE | source object name | NUMBER
OF PARAMETERS integer FOR SERVER server name
Example
CREATE PROCEDURE SPI.SP_LIST_APPLICATIONS
SOURCE DBA.SP_LIST_APPLICATIONS NUMBER OF
PARAMETERS 0 FOR SERVER DBSERV WITH RETURN TO
CLIENT ALL

65. Federated procedures
• SPI.SP_LIST_APPLICATIONS()
CREATE PROCEDURE SP_LIST_APPLICATIONS
SOURCE DBA.SP_LIST_APPLICATIONS
NUMBER OF PARAMETERS 0
FOR SERVER DBATOOLS
SPECIFIC SPI_LIST_APPLICATIONS WITH RETURN TO CLIENT ALL
• SPI.SP_FORCE_AGENTID
CREATE PROCEDURE SP_FORCE_AGENTID
SOURCE DBA.SP_FORCE_AGENTID
NUMBER OF PARAMETERS 1
FOR SERVER DBATOOLS
SPECIFIC SPI_FORCE_AGENTID WITH RETURN TO CLIENT ALL

66. Federated procedures
Example Federated Procedures.
Schema is SPI (Solving Permission Issues)
• SPI.SP_LIST_APPLICATIONS()
• SPI.SP_LIST_LOCKWAITS()
• SPI.SP_FORCE_AGENTID()
• SPI.SP_LIST_LOCKWAITS() Called by the Users
• SPI.SP_GET_CURRENT_AGENTID()
• SPI.SP_FORCE_BACKUP()
• SPI.SP_CHECK_UTILITY_STATUS()
• SPI.SP_BACKUP_DATABASE()
• SPI.SP_FORCE_APP_BY_TABLE()

67. Solving Permission Issues Client
s
Federated
Procedure
Node
Federated Server
Databas
e
Catalog
Adm. SQL
Views Procedure
Table s
Func.

68. Configuring security at the Instance, Federated Server,
and Stored Procedures
• Grant execute permissions on federated procedures to users.
• Grant permission to SQL procedures only to non client IDs.
• Revoke permissions from SYSIBMADM routines and views from public
and client IDs.
• Create a group and ID for each of the instance level security groups.
• Create user mappings to use ID with minimum level of authority needed
to execute command.
• Restrict permission on SYSCAT.USEROPTIONS

69. Summary
• Grant permissions a la carte by using
• Administrative Routines and Views in
• SQL Stored Procedure invoked by a
• Federated Stored procedure
• Defined in a Federated System

70. Resources
• IBM DB2 Database for Linux, UNIX, and Windows
Information Center V9.7
• http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp
• IBM DB2 Database for Linux, UNIX, and Windows
Information Center V9.5
• http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/index.jsp

71. DST Systems, Inc.
DST Systems, Inc. provides sophisticated
information processing and computer software
services and products that help clients improve
productivity, increase efficiency, and provide
higher levels of customer service.
http//www.dstsystems.com/
E-mail webmaster@dstsystems.com Celebrating
Phone 888.DST.INFO 40 Years
Founded in 1969 as a division of Kansas City Southern Industries, DST was
established to develop an automated recordkeeping system for the mutual of Excellence
fund
industry. DST has supported the industry‘s continued growth and is the
largest
provider of third-party shareholder recordkeeping services in the United
States today.
Headquartered in Kansas City, Missouri, DST is a publicly traded company
on the New York Stock Exchange (Symbol DST) that employs approximately
11,000 associates, both domestically and internationally.

72. QUESTIONS?

73. Randy Goering
DST Systems Inc.
rmgoering@gmail.com
Session Code D12
May 13, 2010
2:45 PM – 3:45 PM