Basic Client-Gateway-Host configuration

[Diagram; labels: DB2 clients; DB2 Connect Server (Gateway); DB2 server or DB2 on the host; Linux; Windows; AIX]

Security - Authentication

Verify user's identity
DB2 will pass all user IDs and passwords to the operating system or external security facility for verification.
Set the authentication parameter at both the DB2 server and client to control where authentication takes place
At the DB2 server, authentication type is defined in the database manager configuration file (DBM CFG)
    db2 "GET DBM CFG"
    db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"
At the DB2 client, authentication type is specified when cataloging a database
    db2 "CATALOG DATABASE sample AT NODE mynode AUTHENTICATION SERVER"

Authorities

System Administrator (SYSADM) authority

Database Administrator (DBADM) authority

DBADM is a database-level authority and can be assigned by SYSADM to both users and groups.
    grant dbadm on database to user user1
    grant dbadm on database to group group1
DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:
    drop database
    drop/create tablespace
    backup/restore database
    update db cfg for database
Can perform:
    create/drop table
    grant/revoke (any privilege)

Load (LOAD) authority

LOAD authority is also considered a database-level authority, and can therefore be granted to both users and groups.
LOAD authority allows users to issue the LOAD command against a table. The LOAD command is typically used as a faster alternative to insert or import commands when populating a table with large amounts of data.
Specific privileges on the table may also be required
Users with either SYSADM or DBADM authority can grant or revoke LOAD authority to users or groups.

Privileges

Privileges - Tables & Views

Privileges on other objects

Some Examples -

    CONNECT TO sample USER Jane USING password
    GRANT SELECT ON TABLE inventory TO john_doe WITH GRANT OPTION
    GRANT SELECT, INSERT, UPDATE, DELETE ON deptview TO USER user1, USER user2
    GRANT REFERENCES (empid) ON TABLE employee TO USER user1, GROUP group1
    GRANT ALL ON TABLE payroll.employee TO PUBLIC
    GRANT UPDATE (address, home_phone) ON TABLE emp_info TO PUBLIC
    REVOKE ALL ON TABLE department FROM user1, PUBLIC    [Inaccessible views]

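A defender's follow-up to the GRANT examples above, as an added example that is not part of the original slides: catalog queries that list what has been granted to PUBLIC, which grantees hold a privilege WITH GRANT OPTION, and which column-level grants exist. The filter on schema names starting with SYS is an assumption about how application schemas are named.

```sql
-- Added example (not from the original slides): review table/view privileges
-- recorded in the DB2 catalog views SYSCAT.TABAUTH and SYSCAT.COLAUTH.
-- In each *AUTH column of SYSCAT.TABAUTH:
--   'Y' = held, 'G' = held and grantable (WITH GRANT OPTION), 'N' = not held.
-- GRANTEETYPE: 'U' = user, 'G' = group.
-- Assumption: application schemas do not start with SYS.

-- 1) Privileges granted to PUBLIC on non-system tables and views
--    (e.g. the result of GRANT ALL ON TABLE payroll.employee TO PUBLIC)
SELECT tabschema, tabname, grantor,
       selectauth, insertauth, updateauth, deleteauth,
       alterauth, indexauth, refauth, controlauth
FROM   syscat.tabauth
WHERE  grantee = 'PUBLIC'
  AND  tabschema NOT LIKE 'SYS%'
  AND  (selectauth <> 'N' OR insertauth <> 'N' OR updateauth <> 'N'
        OR deleteauth <> 'N' OR alterauth <> 'N' OR indexauth <> 'N'
        OR refauth <> 'N' OR controlauth <> 'N')
ORDER  BY tabschema, tabname;

-- 2) Grantees who can pass a privilege on to others
--    (e.g. john_doe after GRANT SELECT ... WITH GRANT OPTION)
SELECT grantee, granteetype, tabschema, tabname, grantor
FROM   syscat.tabauth
WHERE  tabschema NOT LIKE 'SYS%'
  AND  'G' IN (selectauth, insertauth, updateauth, deleteauth,
               alterauth, indexauth, refauth)
ORDER  BY grantee, tabschema, tabname;

-- 3) Column-level grants, such as UPDATE (address, home_phone)
--    or REFERENCES (empid). PRIVTYPE: 'U' = update, 'R' = reference.
SELECT grantee, granteetype, tabschema, tabname, colname,
       privtype, grantable
FROM   syscat.colauth
WHERE  tabschema NOT LIKE 'SYS%'
ORDER  BY tabschema, tabname, colname, grantee;
```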
Label-Based Access Control (LBAC)
Provides DBA the ability to restrict read / write
[Figure; panels: No LBAC, LBAC; columns: ID, SALARY]

Step 2 & 3. Define the security policy and labels

1) Which of the following is NOT a valid method of authentication that can be used by DB2 9?
A. SERVER
B. SERVER_ENCRYPT
C. CLIENT
D. DCS

2) In a client-server environment, which two of the following can be used to verify passwords?
A. System Catalog
B. User ID/password file
C. Client Operating System
D. Communications layer
E. Application Server

3) A table named DEPARTMENT has the following columns:
    DEPT_ID
    DEPT_NAME
    MANAGER
    AVG_SALARY
Which of the following is the best way to prevent most users from viewing AVG_SALARY data?
A. Encrypt the table's data
B. Create a view that does not contain the AVG_SALARY column
C. Revoke SELECT access for the AVG_SALARY column from users who should not see AVG_SALARY data
D. Store AVG_SALARY data in a separate table and grant SELECT privilege for that table to the appropriate users

4) Assuming USER1 has no authorities or privileges, which of the following will allow USER1 to create a view named VIEW1 that references two tables named TAB1 and TAB2?
A. CREATEIN privilege on the database
B. REFERENCES privilege on TAB1 and TAB2
C. CREATE_TAB privilege on the database
D. SELECT privilege on TAB1 and TAB2

5) On which two of the following database objects may the SELECT privilege be controlled?
A. Sequence
B. Nickname
C. Schema
D. View
E. Index

6) After the following SQL statement is executed:
    GRANT ALL PRIVILEGES ON TABLE employee TO USER user1
Assuming user USER1 has no other authorities or privileges, which of the following actions is USER1 allowed to perform?
A. Drop an index on the EMPLOYEE table
B. Grant all privileges on the EMPLOYEE table to other users
C. Alter the table definition
D. Drop the EMPLOYEE table

7) A user wishing to invoke an SQL stored procedure that queries a table must have which of the following privileges?
A. CALL privilege on the procedure; SELECT privilege on the table
B. CALL privilege on the procedure; REFERENCES privilege on the table
C. EXECUTE privilege on the procedure; SELECT privilege on the table
D. EXECUTE privilege on the procedure; REFERENCES privilege on the table

8) User USER1 wants to utilize an alias to remove rows from a table. Assuming USER1 has no authorities or privileges, which of the following privileges are needed?
A. DELETE privilege on the table
B. DELETE privilege on the alias
C. DELETE privilege on the alias; REFERENCES privilege on the table
D. REFERENCES privilege on the alias; DELETE privilege on the table

9) Which of the following statements allows user USER1 to take the ability to create packages in a database named SAMPLE away from user USER2?
A. REVOKE CONNECT ON DATABASE FROM user2
B. REVOKE CREATETAB ON DATABASE FROM user2
C. REVOKE BIND ON DATABASE FROM user2
D. REVOKE BINDADD ON DATABASE FROM user2

10) Which of the following will allow user USER1 to change the comment associated with a table named TABLE1?
A. GRANT UPDATE ON TABLE table1 TO user1
B. GRANT CONTROL ON TABLE table1 TO user1
C. GRANT ALTER ON TABLE table1 TO user1
D. GRANT REFERENCES ON TABLE table1 TO user1

11) Which of the following will provide user USER1 and all members of the group GROUP1 with the ability to perform DML, but no other operations on table TABLE1?
A. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO user1 AND group1
B. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO USER user1, GROUP group1
C. GRANT ALL PRIVILEGES EXCEPT ALTER, INDEX, REFERENCES ON TABLE table1 TO USER user1, GROUP group1
D. GRANT CONTROL ON TABLE table1 TO user1 AND group1

12) USER1 is the owner of TABLE1. Assuming USER1 only holds privileges for TABLE1, which of the following is the best way to remove all privileges USER1 holds?
A. REVOKE CONTROL ON table1 FROM user1
B. REVOKE ALL PRIVILEGES ON table1 FROM user1
C. REVOKE CONTROL ON table1 FROM user1; REVOKE ALL PRIVILEGES ON table1 FROM user1;
D. REVOKE CONTROL, ALL PRIVILEGES ON table1 FROM user1