Selecting User Names and Group Names for DB2 Installation


Security issues are important to the DB2 Administrator from the moment the product is installed. During the installation process, DB2 requires a user name, a group name, and a password.

Recommendations

During the installation process, System Administration (SYSADM) privileges are granted by default to the users on the specific operating system. To control the proliferation of user names and group names that are able to modify the instance environment, you should therefore change the default privileges granted to users after the installation.

  • You should create new groups and passwords before creating the instances where the databases will reside.

  • You should add only the required user(s) to the SYSADM group.

  • To control the scope and authority of the actions that can be performed by user-defined functions (UDFs) and stored procedures, you should create a new user name under which fenced UDFs execute, so that they run with an authority different from that of the DB2 instance owner or other database users.

  • Because SYSADM privileges are the most powerful set of privileges available within DB2, you must check the following guidelines before creating any groups or user IDs:

    • Create a separate instance owner group per instance.

    • Create an instance owner user ID and define this user ID as a member of the instance owner group. For UNIX, you specify the instance owner when you create the instance.

    • Do not add new users to the instance owner group. (It is sometimes a good idea to have two or three, but not more than that.)

    • The user ID should always be associated with a password to enforce user authentication.

    • Do not use the instance owner user ID as the fenced ID.

NOTE

On UNIX, user names must be in lower case.


For example, suppose you already created a user ID dsnow under a group called dntsadm (this is the DB2 instance owner ID and instance owner group), and later you decide to grant SYSADM authority to tphan. First, you must add the user tphan to the group dntsadm, then update the dbm cfg SYSADM_GROUP to dntsadm as needed (on UNIX, the database manager configuration for SYSADM_GROUP is automatically set to the instance owner group at instance creation time):

  cat /etc/group | grep dntsadm
  dntsadm:!:5000:dsnow

  (Now the system administrator has added tphan to the group dntsadm.)

  cat /etc/group | grep dntsadm
  dntsadm:!:5000:dsnow,tphan

  db2 get dbm cfg | grep SYS
   SYSADM group name                    (SYSADM_GROUP)   =
   SYSCTRL group name                   (SYSCTRL_GROUP)  =
   SYSMAINT group name                  (SYSMAINT_GROUP) =
   Priority of agents                   (AGENTPRI)       = SYSTEM

  db2 update dbm cfg using SYSADM_GROUP dntsadm

  db2 get dbm cfg | grep SYS
   SYSADM group name                    (SYSADM_GROUP)   = DNTSADM
   SYSCTRL group name                   (SYSCTRL_GROUP)  =
   SYSMAINT group name                  (SYSMAINT_GROUP) =
   Priority of agents                   (AGENTPRI)       = SYSTEM

Table 4.1 shows a list of group names.

Table 4.1. Group Names Defined

  Group Name   GID    Description
  dntsadm      5000   DB2 Instance Owner Group
  dntsas       5100   DB2 Administration Server Group
  dntfadm      5200   DB2 Fence Administration Group
  dntsdba      5300   DB2 DBA Group
  dntabc       5400   DB2 User Group for Application abc
  dntxyz       5500   DB2 User Group for Application xyz

Table 4.2 shows a list of user names.

Table 4.2. User Names Defined

  User Name   UID    Default Shell   Home Directory      Group Primary   Group Secondary
  dsnow       8000   /usr/bin/ksh    /dbhome/dsnow       dntsadm         dntsas, dntfadm
  tphan       8001   /usr/bin/ksh    /dbhome/tphan       dntsadm
  dntas       8100   /usr/bin/ksh    /dbhome/dntas       dntsas
  dntudf      8200   /usr/bin/ksh    /dbhome/dntudf      dntfadm
  dntdba      8300   /usr/bin/ksh    /dbhome/dntdba      dntsdba
  abcuser1    8400   /usr/bin/ksh    /apphome/abcuser1   dntabc
  xyzuser1    8500   /usr/bin/ksh    /apphome/xyzuser1   dntxyz

User and Group Naming Rules

  • Group names can contain up to 8 bytes.

  • User IDs on UNIX-based systems can contain up to 8 characters.

  • User names on Windows can contain up to 30 characters.

  • When not using Client authentication, non-Windows 32-bit clients connecting to Windows NT, Windows 2000, Windows XP, and Windows .NET with user names longer than 8 characters are supported when the user name and password are specified explicitly.

  • User IDs cannot:

    • Be USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any SQL reserved word.

    • Begin with IBM, SQL, or SYS.

    • Include accented characters.

NOTE

Windows .NET Server is also known as Windows 2003 Server.
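The following is an added audit script, not from the book, that checks a proposed user ID against the UNIX naming rules above and checks an instance owner group against the SYSADM guidelines earlier in this section (owner is a member, no more than three members, fenced ID is neither the owner nor a SYSADM member). It runs against a constructed /etc/group snippet; reading the real /etc/group, and the treatment of a fenced ID inside the SYSADM group as a finding, are assumptions on top of the text.

```shell
#!/bin/sh
# Added example (not from the book): audit DB2 user and group choices.
LC_ALL=C
export LC_ALL

# Constructed sample in /etc/group format (the book's dntsadm example after tphan was added).
SAMPLE_GROUP='dntsadm:!:5000:dsnow,tphan
dntsas:!:5100:dntas
dntfadm:!:5200:dntudf'

# check_user_name NAME: returns 0 if NAME satisfies the UNIX rules in this section.
# Assumption: "no accented characters" is enforced as lower-case ASCII letters and digits.
# Only the reserved names listed in the text are checked, not every SQL reserved word.
check_user_name() {
  name=$1
  case $name in
    '' | *[!a-z0-9]*) return 1 ;;                         # empty, upper case or non-ASCII
    ibm* | sql* | sys*) return 1 ;;                       # forbidden prefixes
    users | admins | guests | public | local) return 1 ;; # reserved names
  esac
  [ ${#name} -le 8 ]                                      # 8-character limit on UNIX
}

# group_members CONTENT GROUP: prints the member field of GROUP from CONTENT.
# Note: on a real system, users whose primary group is GROUP may be absent from this field.
group_members() {
  printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# check_instance_group CONTENT GROUP OWNER FENCED: return codes
#   1 group missing, 2 owner not a member, 3 more than three members,
#   4 fenced ID equals the owner or is a member of the SYSADM group (assumed finding), 0 otherwise.
check_instance_group() {
  printf '%s\n' "$1" | grep -q "^$2:" || return 1
  members=$(group_members "$1" "$2")
  case ",$members," in *,"$3",*) ;; *) return 2 ;; esac
  n=$(printf '%s\n' "$members" | tr ',' '\n' | grep -c .)
  [ "$n" -le 3 ] || return 3
  [ "$4" != "$3" ] || return 4
  case ",$members," in *,"$4",*) return 4 ;; esac
  return 0
}

# Stand-alone run: audit the names from Table 4.2 and the sample group.
for u in dsnow tphan dntudf; do
  check_user_name "$u" && echo "ok: $u" || echo "BAD NAME: $u"
done
check_instance_group "$SAMPLE_GROUP" dntsadm dsnow dntudf && echo "dntsadm group OK"
```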




Advanced DBA Certification Guide and Reference for DB2 UDB v8 for Linux, Unix and Windows
ISBN: 0130463884
Year: 2003
Pages: 121