This chapter discussed a number of topics relating to accessing data: security at the subsystem level, at the data set level, and within DB2. Subsystem security is handled in a number of ways, such as via IMS, CICS, Kerberos, and RACF. Securing access at the data set level also needs to be considered in some situations, because DB2 stores its data in individual data sets that can be accessed outside of DB2. After discussing primary and secondary authorization IDs and how they are assigned, we talked about several of the authorization levels within DB2: SYSADM, SYSCTRL, DBADM, DBCTRL, PACKADM, and so on. We looked at the types of privileges each authority possesses. Ownership of objects also comes with inherited authorities and privileges, which can in turn be granted to other authorization IDs. We examined the granting and revoking of database object privileges using the GRANT and REVOKE SQL statements. Finally, we discussed the DB2 audit trace. This trace allows one to carefully monitor critical tables to see who is manipulating the data or, in some very sensitive cases, who is simply trying to access the data. All of these levels of security can work together to keep the data and the subsystem safe.