Section 10.9. Summary

10.9. Summary

This chapter introduced the DB2 security model. To connect to a DB2 database, user and password authentication is performed outside of DB2 using the security facility provided by the operating system of the DB2 server, by Kerberos, or through customized security plug-ins. Security plug-ins are loadable library modules that implement security mechanisms to be used for user authentication.

Setting the authentication type at the DB2 server and client determines where authentication will take place. At the DB2 server, authentication type is defined in the Database Manager Configuration file. DB2 clients specify an authentication type for each database it connects to when the database is being cataloged.

Once a user is successfully authenticated, the user must have appropriate database authorities and/or privileges before he or she can perform database tasks and operations. Database authorities are required for a user to perform database administration tasks such as database creation or database backup.

Database privileges for various types of database objects are granted and revoked through the GRANT and REVOKE statements.

There are special considerations for a DB2 server on Windows configured in a Windows domain, for example, for local or global group lookup. DB2 lets you use the registry variable DB2_GRP_ LOOKUP to identify where the user is being enumerated for group resolution.