
Section 2 - Security (11%)

- Knowledge of restricting data access
- Knowledge of different authorities and privileges
- Knowledge of encryption options available (data and network)
- Given a DCL SQL statement, ability to identify results (GRANT, REVOKE, CONNECT statements)

Aspects of database security

A database security plan should define:
- Who is allowed access to the instance and/or database
- Where and how a user's password is verified
- What authority level a user is granted
- What commands a user is allowed to run
- What data a user is allowed to read and/or alter
- What database objects a user is allowed to create, alter, and/or drop

Security - Authentication, Authorities and Privileges

- DB2 authentication controls the following aspects:
  - Who is allowed access to the instance and/or database
  - Where and how a user's password will be verified
- DB2 authorities control the following aspects of a database security plan:
  - What authority level a user is granted
  - What commands a user is allowed to run
  - What data a user is allowed to read and/or alter
  - What database objects a user is allowed to create, alter and/or drop
- A privilege is the right to create or access a database object.
  - Database-level privileges span all objects within the database
  - Object-level privileges are associated with a specific object
Basic Client-Gateway-Host configuration

[Diagram: DB2 clients (Linux, Windows, AIX) -> DB2 Connect Server (Gateway) -> DB2 server or DB2 on the host]

Security - Authentication

- Verify user's identity
- DB2 will pass all user IDs and passwords to the operating system or external security facility for verification.
- Set the authentication parameter at both the DB2 server and client to control where authentication takes place
- At the DB2 server, the authentication type is defined in the database manager configuration file (DBM CFG):
  db2 "GET DBM CFG"
  db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"
- At the DB2 client, the authentication type is specified when cataloging a database:
  db2 "CATALOG DATABASE sample AT NODE mynode AUTHENTICATION SERVER"

Authentication Types

Authentication type and where authentication takes place:

1. SERVER: Authentication occurs at the server workstation, using the security facility provided by the server's operating system. By default, this is the authentication type used when an instance is first created.
2. SERVER_ENCRYPT: Same as SERVER, except that the user credentials (user ID and password) are encrypted at the client workstation before they are passed to the server. If the client's authentication type is not specified, the client is authenticated using the method selected at the server.
3. CLIENT: Authentication occurs at the client workstation, using the security facility provided by the client's operating system.
4. KERBEROS: Authentication occurs at either the client workstation or the server, using a security facility that supports the Kerberos security protocol (for example, the Windows 2000, Windows XP, or Windows .NET operating system).
5. KRB_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the KERBEROS or the SERVER_ENCRYPT authentication method. If the client does not support Kerberos, or its Kerberos authentication service is unavailable, the server acts as if SERVER_ENCRYPT was specified.
6. DATA_ENCRYPT: Same as SERVER_ENCRYPT. In addition, this authentication method encrypts the user data that flows between the client and the server.
7. DATA_ENCRYPT_CMP: Same as DATA_ENCRYPT. In addition, it provides compatibility for down-level products that do not support DATA_ENCRYPT; those clients connect using the SERVER_ENCRYPT method.
8. GSSPLUGIN: Authentication occurs at either the client workstation or the server, using a Generic Security Service Application Program Interface (GSS-API) plug-in. If the client's authentication type is not specified, the server returns a list of the server-supported plug-ins to the client, and the client uses the first plug-in in the list that it supports. If the client does not support any plug-in in the list, it uses the KERBEROS method.
9. GSS_SERVER_ENCRYPT: Same as GSSPLUGIN, except that if the client does not support any plug-in in the list, it uses the SERVER_ENCRYPT method.

Trusted Clients versus Untrusted Clients

- Clients that use an operating system that contains a tightly integrated security facility (for example, Windows NT, Windows 2000, all supported versions of UNIX, MVS, OS/390, VM, VSE, and AS/400) are classified as trusted clients.
- Clients that use an operating system that does not provide an integrated security facility (for example, Windows 95, Windows 98, and Windows Millennium Edition) are treated as untrusted clients.
- Whenever an untrusted client attempts to access an instance or a database, user authentication always takes place at the server. If the trust_allclnts configuration parameter is set to DRDAONLY, only MVS, OS/390, VM, VSE, and OS/400 clients will be treated as trusted clients.
Authorities

System Administrator (SYSADM) authority

- Highest level of administrative authority available.
- Only SYSADM is allowed to perform these tasks:
  - Migrate a database from a previous version to DB2 Ver 9.
  - Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSADM, SYSCTRL, SYSMAINT, and SYSMON authority.
  - Give (grant) / revoke DBADM and SECADM authority to individual users and/or groups.
- Ex. Granting SYSADM authority to the group grp1:
  db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"

System Control (SYSCTRL) authority

- SYSCTRL users can perform all administrative and maintenance commands within the instance.
- Some tasks that only SYSCTRL & SYSADM can do:
  - Force users off the system.
  - Create or destroy (drop) a database.
  - Create, alter, or drop a table space.
- Cannot access any data within the databases unless they are granted the privileges.
- A SYSADM user can assign SYSCTRL to a group by:
  db2 "UPDATE DBM CFG USING SYSCTRL_GROUP grp2"

System Maintenance (SYSMAINT) authority

- SYSMAINT users can issue a subset of the commands allowed for SYSCTRL authority, tasks that are considered "maintenance" related, like:
  - db2start/db2stop
  - db2 backup/restore/rollforward database
  - db2 runstats (against any table)
  - db2 update db cfg for database dbname
- Users with SYSMAINT cannot create or drop databases or tablespaces.
- Cannot access any data within the databases.
- A SYSADM user can assign SYSMAINT to a group by:
  db2 "UPDATE DBM CFG USING SYSMAINT_GROUP grp3"
Database Administrator (DBADM) authority

- DBADM is a database-level authority and can be assigned by SYSADM to both users and groups.
  - grant dbadm on database to user user1
  - grant dbadm on database to group group1
- DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:
  - drop database
  - drop/create tablespace
  - backup/restore database
  - update db cfg for database
- Can perform:
  - create/drop table
  - grant/revoke (any privilege)

Load (LOAD) authority

- LOAD authority is also considered a database-level authority, and can therefore be granted to both users and groups.
- LOAD authority allows users:
  - To issue the LOAD command against a table. The LOAD command is typically used as a faster alternative to the insert or import commands when populating a table with large amounts of data.
  - Specific privileges on the table may also be required.
- Users with either SYSADM or DBADM authority can grant or revoke LOAD authority to users or groups.
System Monitoring (SYSMON) authority

- Allows users to take system monitor snapshots for an instance and/or for one or more databases that fall under that instance's control.
- It is designed to allow special users to monitor the performance of a database that contains sensitive data that they most likely do not have the right to view or modify.

Security Administrator (SECADM) authority

- Allows special users to configure various label-based access control (LBAC) elements (rules, labels and policies) to restrict access to one or more tables that contain data to which they most likely do not have access themselves.
- No other authority provides a user with these abilities, including SYSADM.
Privileges

Database Privileges

- CONNECT: Users can connect to the database.
- QUIESCE_CONNECT: Users can access a database while it is in a quiesced state.
- IMPLICIT_SCHEMA: Users can implicitly create schemas within the database without using the CREATE SCHEMA command.
- CREATETAB: Users can create tables within the database.
- BINDADD: Users can create packages in the database using the BIND command.
- CREATE_EXTERNAL_ROUTINE: Users can create a procedure for use by applications and other users of the database.
- CREATE_NOT_FENCED: Users can create unfenced user-defined functions (UDFs).
- LOAD: Users can load data into a table.

Table space and schema privileges

- USE allows a user to create tables and indexes in the table space. The owner of a table space automatically receives USE privilege for that table space.
- The USE privilege cannot be used for the SYSCATSPACE table space or any temporary table space that might exist.
- CREATEIN allows users to create objects within the schema.
- ALTERIN allows users to modify definitions of objects within the schema.
- DROPIN allows users to drop objects within the schema.
Privileges - Tables & Views

Privileges on other objects

Some Examples

- CONNECT TO sample USER Jane USING password
- GRANT SELECT ON TABLE inventory TO john_doe WITH GRANT OPTION
- GRANT SELECT, INSERT, UPDATE, DELETE ON deptview TO USER user1, USER user2
- GRANT REFERENCES (empid) ON TABLE employee TO USER user1, GROUP group1
- GRANT ALL ON TABLE payroll.employee TO PUBLIC
- GRANT UPDATE (address, home_phone) ON TABLE emp_info TO PUBLIC
- REVOKE ALL ON TABLE department FROM user1, PUBLIC

[Inaccessible views]
Label-Based Access Control (LBAC)

- Provides the DBA the ability to restrict read / write privileges on the row or column level of a table.
- LBAC is set up by the security administrator by creating Security Policies. Each table may only be subscribed to one security policy, but the system may have as many security policies as you'd like.
- To set up LBAC security to enable business rules:
  - Define the security policies and labels and grant the security labels to the users
  - Modify the table, including the security label column, and attach the security policy to it

LBAC query (User Level = 100):
  SELECT * FROM EMP WHERE SALARY >= 50000

  ID    SALARY   No LBAC   LBAC
  255   60000    yes       -
  100   50000    yes       yes
  50    70000    yes       yes
  50    45000    -         -
  60    30000    -         -
  250   56000    yes       -
  102   82000    yes       -
  100   54000    yes       yes
  75    33000    -         -
  253   46000    -         -
  90    83000    yes       yes
  200   78000    yes       -
  105   45000    -         -

With no LBAC imposed, users can view the rows that meet the salary >= 50000 qualifier (shown in red on the slide). Users with user level 100 can view only the rows with ID <= 100 and salary >= 50000 (indicated in green on the slide).
Example implementation of LBAC

- Steps overview:
  1. Define the security policies and labels
     a. Define the security label component
     b. Define the security policy
     c. Define the security labels
  2. Create the protected SALES table by including a column that holds the security label and attaching the security policy to the table.
  3. Grant the appropriate security labels to users.
- Requires SECADM authority to execute the commands for creating security policies and labels.

Step 1. Create the security label component

CREATE SECURITY LABEL COMPONENT J_DEPT
TREE (
  'HR_EXECUTIVE' ROOT,
  'MAN_D11_E21' UNDER 'HR_EXECUTIVE',
  'A00' UNDER 'HR_EXECUTIVE',
  'B01' UNDER 'HR_EXECUTIVE',
  'C01' UNDER 'HR_EXECUTIVE',
  'D11' UNDER 'MAN_D11_E21',
  'D21' UNDER 'HR_EXECUTIVE',
  'E01' UNDER 'HR_EXECUTIVE',
  'E11' UNDER 'HR_EXECUTIVE',
  'E21' UNDER 'MAN_D11_E21' )
Step 2 & 3. Define the security policy and labels

CREATE SECURITY POLICY J_DEPT_POLICY
  COMPONENTS J_DEPT WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL

CREATE SECURITY LABEL J_DEPT_POLICY.EXECUTIVE
  COMPONENT J_DEPT 'HR_EXECUTIVE'

CREATE SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21
  COMPONENT J_DEPT 'MAN_D11_E21'

CREATE SECURITY LABEL J_DEPT_POLICY.A00
  COMPONENT J_DEPT 'A00'

Step 4. Grant rights based on labels

- db2 grant security label J_DEPT_POLICY.A00 to user Frank for read access
- db2 grant security label J_DEPT_POLICY.MANAGE_D11_E21 to user Joe for all access
- db2 grant security label J_DEPT_POLICY.EXECUTIVE to user Jane for all access
Step 5. Modify the EMP table

- When modifying the EMP table, you must create an extra column to store the security label. This is of type "DB2SECURITYLABEL".

ALTER TABLE EMP
  ADD COLUMN DEPT_TAG DB2SECURITYLABEL
  ADD SECURITY POLICY J_DEPT_POLICY

- After the alter is run by a user defined on the EXECUTIVE level, all the security tags will have been added as EXECUTIVE. To change this, you need to update them:

update emp set DEPT_TAG = (SECLABEL_BY_NAME('J_DEPT_POLICY','E11')) where WORKDEPT='E11'
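As an added example (not code from the slides), the following Python model shows the read and write checks that DB2LBACRULES apply for a TREE component once steps 1 to 5 are in place: Frank, Joe and Jane hold the labels granted in step 4, and the EMP rows with their DEPT_TAG values are constructed for the illustration.

```python
# Added example, not from the slides: a model of how DB2LBACRULES decide row
# access for a TREE security label component. The J_DEPT tree, the labels and
# the grants come from the deck; the EMP rows below are constructed.

# TREE component: element -> parent element (the ROOT has no parent)
J_DEPT_TREE = {
    "HR_EXECUTIVE": None, "MAN_D11_E21": "HR_EXECUTIVE",
    "A00": "HR_EXECUTIVE", "B01": "HR_EXECUTIVE", "C01": "HR_EXECUTIVE",
    "D11": "MAN_D11_E21", "D21": "HR_EXECUTIVE", "E01": "HR_EXECUTIVE",
    "E11": "HR_EXECUTIVE", "E21": "MAN_D11_E21",
}
# Security labels of J_DEPT_POLICY -> the tree element each one holds
LABELS = {"EXECUTIVE": "HR_EXECUTIVE", "MANAGE_D11_E21": "MAN_D11_E21", "A00": "A00"}
# GRANT SECURITY LABEL ... TO USER ... FOR READ / WRITE / ALL ACCESS
GRANTS = {
    "FRANK": {"READ": "A00"},
    "JOE": {"READ": "MANAGE_D11_E21", "WRITE": "MANAGE_D11_E21"},
    "JANE": {"READ": "EXECUTIVE", "WRITE": "EXECUTIVE"},
}
# Constructed EMP rows (EMPNO, DEPT_TAG) once step 5 has tagged rows by WORKDEPT
EMP = [("000010", "A00"), ("000060", "D11"), ("000100", "E21"),
       ("000090", "E11"), ("000020", "MAN_D11_E21")]

def dominates(user_elem, row_elem):
    """DB2LBACREADTREE / DB2LBACWRITETREE: the user's element must be the
    row's element or one of its ancestors in the tree."""
    elem = row_elem
    while elem is not None:
        if elem == user_elem:
            return True
        elem = J_DEPT_TREE[elem]
    return False

def allowed(user, access, row_elem):
    """No label for this access type means no access; otherwise the label's
    element must dominate the row's DEPT_TAG."""
    label = GRANTS.get(user.upper(), {}).get(access)
    return label is not None and dominates(LABELS[label], row_elem)

def visible_rows(user):
    """EMPNOs that SELECT EMPNO FROM EMP returns for this user."""
    return [empno for empno, tag in EMP if allowed(user, "READ", tag)]

def can_update(user, empno):
    """Whether an UPDATE of that row passes the write rule."""
    return allowed(user, "WRITE", dict(EMP)[empno])

if __name__ == "__main__":
    for u in ("Frank", "Joe", "Jane"):
        print(u, visible_rows(u))
```

Frank, who holds A00 for read access only, sees the A00 row and can update nothing; Joe sees and can update the D11, E21 and MAN_D11_E21 rows but not E11, which sits under HR_EXECUTIVE rather than under his element.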
1) Which of the following is NOT a valid method of authentication that can be used by DB2 9?
- A. SERVER
- B. SERVER_ENCRYPT
- C. CLIENT
- D. DCS

2) In a client-server environment, which two of the following can be used to verify passwords?
- A. System Catalog
- B. User ID/password file
- C. Client Operating System
- D. Communications layer
- E. Application Server
3) A table named DEPARTMENT has the following columns: DEPT_ID, DEPT_NAME, MANAGER, AVG_SALARY. Which of the following is the best way to prevent most users from viewing AVG_SALARY data?
- A. Encrypt the table's data
- B. Create a view that does not contain the AVG_SALARY column
- C. Revoke SELECT access for the AVG_SALARY column from users who should not see AVG_SALARY data
- D. Store AVG_SALARY data in a separate table and grant SELECT privilege for that table to the appropriate users

4) Assuming USER1 has no authorities or privileges, which of the following will allow USER1 to create a view named VIEW1 that references two tables named TAB1 and TAB2?
- A. CREATEIN privilege on the database
- B. REFERENCES privilege on TAB1 and TAB2
- C. CREATE_TAB privilege on the database
- D. SELECT privilege on TAB1 and TAB2
5) On which two of the following database objects may the SELECT privilege be controlled?
- A. Sequence
- B. Nickname
- C. Schema
- D. View
- E. Index

6) After the following SQL statement is executed:
  GRANT ALL PRIVILEGES ON TABLE employee TO USER user1
Assuming user USER1 has no other authorities or privileges, which of the following actions is USER1 allowed to perform?
- A. Drop an index on the EMPLOYEE table
- B. Grant all privileges on the EMPLOYEE table to other users
- C. Alter the table definition
- D. Drop the EMPLOYEE table
7) A user wishing to invoke an SQL stored procedure that queries a table must have which of the following privileges?
- A. CALL privilege on the procedure; SELECT privilege on the table
- B. CALL privilege on the procedure; REFERENCES privilege on the table
- C. EXECUTE privilege on the procedure; SELECT privilege on the table
- D. EXECUTE privilege on the procedure; REFERENCES privilege on the table

8) User USER1 wants to utilize an alias to remove rows from a table. Assuming USER1 has no authorities or privileges, which of the following privileges are needed?
- A. DELETE privilege on the table
- B. DELETE privilege on the alias
- C. DELETE privilege on the alias; REFERENCES privilege on the table
- D. REFERENCES privilege on the alias; DELETE privilege on the table
9) Which of the following statements allows user USER1 to take the ability to create packages in a database named SAMPLE away from user USER2?
- A. REVOKE CONNECT ON DATABASE FROM user2
- B. REVOKE CREATETAB ON DATABASE FROM user2
- C. REVOKE BIND ON DATABASE FROM user2
- D. REVOKE BINDADD ON DATABASE FROM user2

10) Which of the following will allow user USER1 to change the comment associated with a table named TABLE1?
- A. GRANT UPDATE ON TABLE table1 TO user1
- B. GRANT CONTROL ON TABLE table1 TO user1
- C. GRANT ALTER ON TABLE table1 TO user1
- D. GRANT REFERENCES ON TABLE table1 TO user1
11) Which of the following will provide user USER1 and all members of the group GROUP1 with the ability to perform DML, but no other operations, on table TABLE1?
- A. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO user1 AND group1
- B. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO USER user1, GROUP group1
- C. GRANT ALL PRIVILEGES EXCEPT ALTER, INDEX, REFERENCES ON TABLE table1 TO USER user1, GROUP group1
- D. GRANT CONTROL ON TABLE table1 TO user1 AND group1

12) USER1 is the owner of TABLE1. Assuming USER1 only holds privileges for TABLE1, which of the following is the best way to remove all privileges USER1 holds?
- A. REVOKE CONTROL ON table1 FROM user1
- B. REVOKE ALL PRIVILEGES ON table1 FROM user1
- C. REVOKE CONTROL ON table1 FROM user1; REVOKE ALL PRIVILEGES ON table1 FROM user1;
- D. REVOKE CONTROL, ALL PRIVILEGES ON table1 FROM user1