
IBM DB2 9

Section 2 - Security

Garima Singh IT Specialist – IBM Academic Initiative Garima.singh@webteklabs.com

© 2008 IBM Corporation

Section 2 - Security (11%)
- Knowledge of restricting data access
- Knowledge of different authorities and privileges available
- Knowledge of encryption options available (data and network)
- Given a DCL SQL statement, ability to identify results (GRANT, REVOKE, CONNECT statements)

Aspects of database security
A database security plan should define:
- Who is allowed access to the instance and/or database
- Where and how a user's password is verified
- What authority level a user is granted
- What commands a user is allowed to run
- What data a user is allowed to read and/or alter
- What database objects a user is allowed to create, alter, and/or drop

Security - Authentication, Authorities and Privileges
- DB2 authentication controls the following aspects:
  - Who is allowed access to the instance and/or DB
  - Where and how a user's password will be verified
- DB2 authorities control the following aspects of a database security plan:
  - What authority level a user is granted
  - What commands a user is allowed to run
  - What data a user is allowed to read and/or alter
  - What database objects a user is allowed to create, alter and/or drop
- A privilege is the right to create or access a database object.
  - Database-level privileges span all objects within the database
  - Object-level privileges are associated with a specific object

Basic Client-Gateway-Host configuration
[Figure: DB2 clients (Linux, Windows, AIX) -> DB2 server or DB2 Connect Server (Gateway) -> DB2 on the host]

Security - Authentication
- Verify the user's identity.
- DB2 will pass all user IDs and passwords to the operating system or external security facility for verification.
- Set the authentication parameter at both the DB2 server and client to control where authentication takes place.
- At the DB2 server, the authentication type is defined in the database manager configuration file (DBM CFG):
  db2 "GET DBM CFG"
  db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"
- At the DB2 client, the authentication type is specified when cataloging a database:
  db2 "CATALOG DATABASE sample AT NODE mynode AUTHENTICATION SERVER"

Authentication Types - Where Does Authentication Take Place?
1. SERVER: Authentication occurs at the server, using the security facility provided by the server's operating system. This is the default authentication type when an instance is first created.
2. SERVER_ENCRYPT: Same as SERVER, except that the user credentials are encrypted at the client workstation before they are passed to the server.
3. CLIENT: Authentication occurs at the client workstation, using the security facility provided by the client's operating system.
4. KERBEROS: Authentication occurs at the server using the Kerberos security facility. Supported only on clients and servers using Windows 2000, Windows XP or Windows .NET.
5. KRB_SERVER_ENCRYPT: Same as KERBEROS if the client supports Kerberos; if it does not, the SERVER_ENCRYPT method is used.
6. GSSPLUGIN: Authentication occurs at the server using a Generic Security Service Application Program Interface (GSS-API) plug-in. The server returns the list of server-supported plug-ins to the client, and the client uses the first plug-in in that list that it supports.
7. GSS_SERVER_ENCRYPT: Same as GSSPLUGIN if the client supports any of the server's plug-ins; if it does not, the SERVER_ENCRYPT method is used.
8. DATA_ENCRYPT: Same as SERVER_ENCRYPT, and in addition all user data exchanged between client and server is encrypted.
9. DATA_ENCRYPT_CMP: Same as DATA_ENCRYPT, but for compatibility down-level products that do not support data encryption are still allowed to connect using SERVER_ENCRYPT.

Trusted Clients versus Untrusted Clients
- Clients that use an operating system that contains a tightly integrated security facility (for example, Windows NT, Windows 2000, all supported versions of UNIX, MVS, OS/390, VM, VSE, and AS/400) are classified as trusted clients.
- Clients that use an operating system that does not provide an integrated security facility (for example, Windows 95, Windows 98, and Windows Millennium Edition) are treated as untrusted clients.
- Whenever an untrusted client attempts to access an instance or a database, user authentication always takes place at the server.
- If the trust_allclnts configuration parameter is set to DRDAONLY, only MVS, OS/390, VM, VSE, and OS/400 clients will be treated as trusted clients.

Authorities

System Administrator (SYSADM) authority
- Highest level of administrative authority available.
- Only SYSADM is allowed to perform these tasks:
  - Migrate a database from a previous version to DB2 Ver 9.
  - Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSADM, SYSCTRL, SYSMAINT, and SYSMON authority.
  - Give (grant) / revoke DBADM and SECADM authority to individual users and/or groups.
- Ex. Granting SYSADM authority to the group grp1:
  db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"

System Control (SYSCTRL) authority
- SYSCTRL users can perform all administrative and maintenance commands within the instance.
- Cannot access any data within the databases unless they are granted the privileges.
- Some tasks that only SYSCTRL & SYSADM can do:
  - Force users off the system.
  - Create or destroy (drop) a database.
  - Create, alter, or drop a table space.
- A SYSADM user can assign SYSCTRL to a group by:
  db2 "UPDATE DBM CFG USING SYSCTRL_GROUP grp2"

System Maintenance (SYSMAINT) authority
- SYSMAINT users can issue a subset of the commands allowed for SYSCTRL authority: tasks that are considered "maintenance" related, like:
  - db2start/db2stop
  - db2 backup/restore/rollforward database
  - db2 runstats (against any table)
  - db2 update db cfg for database dbname
- Users with SYSMAINT cannot create or drop databases or tablespaces.
- Cannot access any data within the databases.
- A SYSADM user can assign SYSMAINT to a group by:
  db2 "UPDATE DBM CFG USING SYSMAINT_GROUP grp3"

Database Administrator (DBADM) authority
- DBADM is a database-level authority and can be assigned by SYSADM to both users and groups:
  grant dbadm on database to user user1
  grant dbadm on database to group group1
- DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:
  - drop database
  - drop/create tablespace
  - backup/restore database
  - update db cfg for database
- Can perform:
  - create/drop table
  - grant/revoke (any privilege)

Load (LOAD) authority
- LOAD authority is also considered a database-level authority, and can therefore be granted to both users and groups.
- LOAD authority allows users to issue the LOAD command against a table. Specific privileges on the table may also be required.
- The LOAD command is typically used as a faster alternative to the insert or import commands when populating a table with large amounts of data.
- Users with either SYSADM or DBADM authority can grant or revoke LOAD authority to users or groups.


System Monitoring (SYSMON) authority
- Allows users to take system monitor snapshots for an instance and/or for one or more databases that fall under that instance's control.
- It is designed to allow special users to monitor the performance of a database that contains sensitive data that they most likely do not have the right to view or modify.
- No other authority, including SYSADM, provides a user with these abilities.
Security Administrator (SECADM) authority
- Allows special users to configure various label-based access control (LBAC) elements (rules, labels and policies) to restrict access to one or more tables that contain data to which they most likely do not have access themselves.


Privileges

Database Privileges
- CONNECT: Users can connect to the database.
- BINDADD: Users can create packages in the database using the BIND command.
- CREATETAB: Users can create tables within the database.
- CREATE_EXTERNAL_ROUTINE: Users can create a procedure for use by applications and other users of the database.
- CREATE_NOT_FENCED: Users can create unfenced user-defined functions (UDFs).
- IMPLICIT_SCHEMA: Users can implicitly create schemas within the database without using the CREATE SCHEMA command.
- QUIESCE_CONNECT: Users can access a database while it is in a quiesced state.
- LOAD: Users can load data into a table.
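The following script is an added example, not code from the slides: it grants the database-level authorities (DBADM, LOAD, SECADM) from the authority slides and the database privileges listed above, then audits who holds what through the SYSCAT.DBAUTH catalog view. It is meant to be run by a SYSADM user against a database named SAMPLE; the authorization names (user1, group1, secadm1, app_user, developers, dba_oncall) are constructed, and the catalog column names are those documented for the DB2 9 catalog.

```sql
-- Added example (not from the slides): database-level authorities and
-- privileges, plus an audit of them via SYSCAT.DBAUTH.
-- Run as a SYSADM user. All authorization names below are constructed.
CONNECT TO sample;

-- Database-level authorities: DBADM and LOAD may go to users or groups;
-- SECADM can only be granted by a SYSADM user.
GRANT DBADM  ON DATABASE TO USER user1;
GRANT LOAD   ON DATABASE TO GROUP group1;
GRANT SECADM ON DATABASE TO USER secadm1;

-- Database-level privileges from the "Database Privileges" slide.
GRANT CONNECT, CREATETAB, BINDADD ON DATABASE TO USER app_user;
GRANT IMPLICIT_SCHEMA ON DATABASE TO GROUP developers;
GRANT QUIESCE_CONNECT ON DATABASE TO USER dba_oncall;

-- Least privilege: a database created without the RESTRICTIVE option gives
-- PUBLIC CONNECT, CREATETAB, BINDADD and IMPLICIT_SCHEMA. Take them back so
-- that every identity has to be granted access explicitly.
REVOKE CONNECT, CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- Audit: who holds which authority or privilege. Each ...AUTH column is
-- 'Y' or 'N'; GRANTEETYPE is 'U' (user) or 'G' (group, including PUBLIC).
SELECT grantee, granteetype,
       dbadmauth, securityadmauth, loadauth,
       connectauth, createtabauth, bindaddauth, implschemaauth,
       nofenceauth, externalroutineauth, quiesceconnectauth
FROM   syscat.dbauth
ORDER  BY granteetype, grantee;

-- Gotcha: granting DBADM implicitly grants the database privileges as well,
-- and REVOKE DBADM does not take them back. Remove them explicitly when an
-- administrator's role changes, then re-run the audit query above.
REVOKE DBADM ON DATABASE FROM USER user1;
REVOKE CONNECT, CREATETAB, BINDADD, CREATE_EXTERNAL_ROUTINE,
       CREATE_NOT_FENCED_ROUTINE, IMPLICIT_SCHEMA, QUIESCE_CONNECT, LOAD
       ON DATABASE FROM USER user1;

CONNECT RESET;
```

Running the audit query before and after the two REVOKE statements shows the point of the last block: the DBADMAUTH column flips to 'N' on the first revoke, but the CONNECTAUTH, CREATETABAUTH and other privilege columns stay 'Y' until they are revoked individually.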

Table space and schema privileges
- USE allows a user to create tables and indexes in the table space.
- The owner of a table space automatically receives USE privilege for that table space.
- The USE privilege cannot be used for the SYSCATSPACE table space or any temporary table space that might exist.
- CREATEIN allows users to create objects within the schema.
- ALTERIN allows users to modify definitions of objects within the schema.
- DROPIN allows users to drop objects within the schema.

Privileges - Tables & Views

Privileges on other objects


Some Examples
- CONNECT TO sample USER Jane USING password
- GRANT SELECT ON TABLE inventory TO john_doe WITH GRANT OPTION
- GRANT SELECT, INSERT, UPDATE, DELETE ON deptview TO USER user1, GROUP group1
- GRANT ALL ON TABLE payroll.employee TO PUBLIC
- GRANT UPDATE (address, home_phone) ON TABLE emp_info TO PUBLIC
- REVOKE ALL ON TABLE department FROM user1, USER user2
- GRANT REFERENCES (empid) ON TABLE employee TO USER user1, PUBLIC
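As an added worked example (not from the slides), the script below puts the statement forms shown above to work on a small HR table: a view that hides a sensitive column, column-level UPDATE and REFERENCES grants, a grant with WITH GRANT OPTION, and the catalog queries that show the resulting privilege rows. The schema HR, the table, and the names john_doe, user1 and hr_staff are all constructed; the catalog column names are those documented for SYSCAT.TABAUTH and SYSCAT.COLAUTH in DB2 9.

```sql
-- Added example (not from the slides): table- and column-level DCL on a
-- constructed HR table. Run by a user holding CREATETAB and IMPLICIT_SCHEMA
-- (the HR schema is created implicitly) against the SAMPLE database.
CONNECT TO sample;

CREATE TABLE hr.emp_info (
    empid      INTEGER      NOT NULL PRIMARY KEY,
    name       VARCHAR(40)  NOT NULL,
    address    VARCHAR(80),
    home_phone VARCHAR(20),
    salary     DECIMAL(9,2)
);

-- DB2 has no column-level SELECT privilege (only UPDATE and REFERENCES can
-- be granted per column), so a column is hidden by granting SELECT on a
-- view that omits it rather than on the base table.
CREATE VIEW hr.emp_directory AS
    SELECT empid, name, address, home_phone FROM hr.emp_info;
GRANT SELECT ON hr.emp_directory TO PUBLIC;

-- Column-level UPDATE: anyone may correct contact details,
-- but only HR staff may read or change whole rows of the base table.
GRANT UPDATE (address, home_phone) ON TABLE hr.emp_info TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE hr.emp_info TO GROUP hr_staff;

-- WITH GRANT OPTION lets john_doe pass SELECT on to other users.
GRANT SELECT ON TABLE hr.emp_info TO USER john_doe WITH GRANT OPTION;

-- Column-level REFERENCES: user1 may build a foreign key on EMPID only.
GRANT REFERENCES (empid) ON TABLE hr.emp_info TO USER user1;

-- Table privileges: each ...AUTH column is 'Y', 'N' or 'G' (held with the
-- grant option). john_doe shows SELECTAUTH = 'G'; the creator shows
-- CONTROLAUTH = 'Y'.
SELECT grantee, granteetype, controlauth, selectauth, insertauth,
       updateauth, deleteauth, alterauth, indexauth, refauth
FROM   syscat.tabauth
WHERE  tabschema = 'HR' AND tabname = 'EMP_INFO';

-- Column privileges are recorded separately: PRIVTYPE 'U' (update) or
-- 'R' (references), one row per column.
SELECT grantee, colname, privtype, grantable
FROM   syscat.colauth
WHERE  tabschema = 'HR' AND tabname = 'EMP_INFO';

-- Revoking SELECT from john_doe does not revoke the SELECT he may already
-- have passed on to others (DB2 does not cascade revokes), so those grants
-- must be found in SYSCAT.TABAUTH (GRANTOR = 'JOHN_DOE') and revoked too.
-- That is the practical reason to hand out WITH GRANT OPTION sparingly.
REVOKE SELECT ON TABLE hr.emp_info FROM USER john_doe;

CONNECT RESET;
```

Re-running the two catalog queries after the REVOKE shows john_doe's row gone from SYSCAT.TABAUTH while the PUBLIC column privileges in SYSCAT.COLAUTH are untouched, which is the kind of "given a DCL statement, identify the result" reasoning the exam objective asks for.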

Label-Based Access Control (LBAC)
- Provides the DBA the ability to restrict read / write privileges on the row or column level of a table.
- LBAC is set up by the security administrator by creating security policies. Each table may only be subscribed to one security policy, but the system may have as many security policies as you'd like.
- To set up LBAC security to enable business rules:
  - Define the security policies and labels and grant the security labels to the users.
  - Modify the table, including the security label column, and attach the security policy to it.

LBAC query
SELECT * FROM EMP WHERE SALARY >= 50000
User Level = 100

ID   SALARY   No LBAC (salary >= 50000)   LBAC, user level 100 (ID <= 100 and salary >= 50000)
255  60000    visible                     -
100  50000    visible                     visible
50   70000    visible                     visible
50   45000    -                           -
60   30000    -                           -
250  56000    visible                     -
102  82000    visible                     -
100  54000    visible                     visible
75   33000    -                           -
253  46000    -                           -
90   83000    visible                     visible
200  78000    visible                     -
105  45000    -                           -

- With no LBAC user level imposed, users can view the rows that meet the salary >= 50000 qualifier (shown in red on the slide).
- Users with user level 100 can view only the rows with ID <= 100 and salary >= 50000 (indicated in green on the slide).

Example implementation of LBAC
- Requires SECADM authority to execute the commands for creating security policies and labels.
- Steps overview:
  1. Define the security policies and labels
     a. Define the security label component
     b. Define the security policy
     c. Define the security labels
  2. Grant the appropriate security labels to users.
  3. Create the protected SALES table by including a column that holds the security label and attaching the security policy to the table.

Step 1. Create the security label component
CREATE SECURITY LABEL COMPONENT J_DEPT TREE (
  'HR_EXECUTIVE' ROOT,
  'A00' UNDER 'HR_EXECUTIVE',
  'B01' UNDER 'HR_EXECUTIVE',
  'C01' UNDER 'HR_EXECUTIVE',
  'D21' UNDER 'HR_EXECUTIVE',
  'E01' UNDER 'HR_EXECUTIVE',
  'E11' UNDER 'HR_EXECUTIVE',
  'MAN_D11_E21' UNDER 'HR_EXECUTIVE',
  'D11' UNDER 'MAN_D11_E21',
  'E21' UNDER 'MAN_D11_E21'
)

Step 2 & 3. Define the security policy and labels
CREATE SECURITY POLICY J_DEPT_POLICY COMPONENTS J_DEPT WITH DB2LBACRULES RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL
CREATE SECURITY LABEL J_DEPT_POLICY.EXECUTIVE COMPONENT J_DEPT 'HR_EXECUTIVE'
CREATE SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21 COMPONENT J_DEPT 'MAN_D11_E21'
CREATE SECURITY LABEL J_DEPT_POLICY.A00 COMPONENT J_DEPT 'A00'

Step 4. Grant rights based on labels
db2 grant security label J_DEPT_POLICY.EXECUTIVE to user Jane for all access
db2 grant security label J_DEPT_POLICY.MANAGE_D11_E21 to user Joe for all access
db2 grant security label J_DEPT_POLICY.A00 to user Frank for read access

Step 5. Modify the EMP table
- When modifying the EMP table, you must create an extra column to store the security label. This column is of type DB2SECURITYLABEL.
  ALTER TABLE EMP ADD COLUMN DEPT_TAG DB2SECURITYLABEL ADD SECURITY POLICY J_DEPT_POLICY
- After the alter is run by a user defined on the EXECUTIVE level, all the security tags will have been added as EXECUTIVE. To change this, you need to update them:
  update emp set DEPT_TAG = (SECLABEL_BY_NAME('J_DEPT_POLICY','E11')) where WORKDEPT='E11'
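The script below is an added example, not code from the slides. It completes the steps overview with the CREATE TABLE form of step 3 (the slides only show the ALTER form) and then shows what each label holder can read and write under the policy defined above. It assumes the J_DEPT component, J_DEPT_POLICY and the labels EXECUTIVE, MANAGE_D11_E21 and A00 exist and were granted to Jane, Joe and Frank exactly as on the previous slides. The user ann, the labels J_DEPT_POLICY.D11 and J_DEPT_POLICY.E21, the SALES table and its rows are constructed for this example, and the audit query assumes the DB2 9 column names of SYSCAT.SECURITYLABELACCESS and SYSCAT.SECURITYLABELS.

```sql
-- Added example (not from the slides): LBAC protection declared at CREATE
-- TABLE time, and the read/write outcome for each label holder.
-- Assumes J_DEPT, J_DEPT_POLICY and the EXECUTIVE / MANAGE_D11_E21 / A00
-- labels and grants from the slides. Everything else here is constructed.

-- Run as the SECADM: named labels for the two leaf departments under
-- MAN_D11_E21, and a label grant for a constructed user.
CREATE SECURITY LABEL J_DEPT_POLICY.D11 COMPONENT J_DEPT 'D11';
CREATE SECURITY LABEL J_DEPT_POLICY.E21 COMPONENT J_DEPT 'E21';
GRANT SECURITY LABEL J_DEPT_POLICY.D11 TO USER ann FOR ALL ACCESS;

-- Run as Jane (holds EXECUTIVE, the root of the tree): the label column is
-- declared up front and the policy attached, so there is no ALTER and no
-- later UPDATE of tags; each row carries the label given in the INSERT.
CREATE TABLE sales (
    sale_id  INTEGER      NOT NULL PRIMARY KEY,
    workdept CHAR(3)      NOT NULL,
    amount   DECIMAL(9,2) NOT NULL,
    dept_tag DB2SECURITYLABEL
) SECURITY POLICY J_DEPT_POLICY;

-- Write rule under DB2LBACRULES for a TREE component: a row's element is
-- writable when the writer's element is that element or one of its
-- ancestors, so the root may tag any row. RESTRICT NOT AUTHORIZED WRITE
-- SECURITY LABEL (set on the policy on the slides) makes an INSERT with a
-- label the user cannot write fail, instead of silently substituting the
-- user's own label.
INSERT INTO sales VALUES
    (1, 'A00', 1200.00, SECLABEL_BY_NAME('J_DEPT_POLICY', 'A00')),
    (2, 'D11',  950.00, SECLABEL_BY_NAME('J_DEPT_POLICY', 'D11')),
    (3, 'E21',  400.00, SECLABEL_BY_NAME('J_DEPT_POLICY', 'E21'));

-- Read rule for a TREE component: a row is visible when its element is the
-- reader's element or one of its descendants. Rows the reader may not see
-- are simply omitted, with no error, so the same query returns:
--   Jane  (EXECUTIVE)        sale_id 1, 2, 3
--   Joe   (MANAGE_D11_E21)   sale_id 2, 3
--   ann   (D11)              sale_id 2
--   Frank (A00, read only)   sale_id 1
--   a user with no label in J_DEPT_POLICY: no rows
SELECT sale_id, workdept, amount,
       SECLABEL_TO_CHAR('J_DEPT_POLICY', dept_tag) AS dept_label
FROM   sales
ORDER  BY sale_id;

-- Frank can read row 1 but holds A00 FOR READ ACCESS only: run as Frank
-- this UPDATE is rejected with an LBAC credentials error; run as Jane or
-- as a user holding A00 FOR ALL ACCESS it succeeds.
UPDATE sales SET amount = 1250.00 WHERE sale_id = 1;

-- Audit: which user or group holds which label, and for what access
-- ('R' read, 'W' write, 'B' both).
SELECT a.grantee, a.granteetype, l.seclabelname, a.accesstype
FROM   syscat.securitylabelaccess a
JOIN   syscat.securitylabels      l ON l.seclabelid = a.seclabelid
ORDER  BY a.grantee, l.seclabelname;

-- Offboarding, run as the SECADM: after this revoke Frank sees no rows of
-- SALES at all, again without any error being raised.
REVOKE SECURITY LABEL J_DEPT_POLICY.A00 FROM USER frank;
```

Two design points worth noting from a defender's view: because unreadable rows are silently filtered, an application that reads protected tables should never rely on an error to detect a missing label, and the SYSCAT.SECURITYLABELACCESS audit query belongs in the same periodic review as the table-privilege catalog views, since a label grant is what actually opens the rows.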


SERVER B. CLIENT D. DCS 33 . SERVER_ENCRYPT C.IBM DB2 9 1) Which of the following is NOT a valid method of authentication that can be used by DB2 9? A.

2) In a client-server environment, which two of the following can be used to verify passwords?
A. System Catalog
B. User ID/password file
C. Client Operating System
D. Communications layer
E. Application Server

3) A table named DEPARTMENT has the following columns: DEPT_ID, DEPT_NAME, MANAGER, AVG_SALARY. Which of the following is the best way to prevent most users from viewing AVG_SALARY data?
A. Encrypt the table's data
B. Create a view that does not contain the AVG_SALARY column
C. Revoke SELECT access for the AVG_SALARY column from users who should not see AVG_SALARY data
D. Store AVG_SALARY data in a separate table and grant SELECT privilege for that table to the appropriate users

4) Assuming USER1 has no authorities or privileges, which of the following will allow USER1 to create a view named VIEW1 that references two tables named TAB1 and TAB2?
A. CREATEIN privilege on the database
B. REFERENCES privilege on TAB1 and TAB2
C. CREATE_TAB privilege on the database
D. SELECT privilege on TAB1 and TAB2

Sequence B. On which two of the following database objects may the SELECT privilege be controlled? A. Schema D. Nickname C.IBM DB2 9 5. Index 37 . View E.

6) After the following SQL statement is executed:
GRANT ALL PRIVILEGES ON TABLE employee TO USER user1
Assuming user USER1 has no other authorities or privileges, which of the following actions is USER1 allowed to perform?
A. Drop an index on the EMPLOYEE table
B. Grant all privileges on the EMPLOYEE table to other users
C. Alter the table definition
D. Drop the EMPLOYEE table

REFERENCES privilege on the table C. REFERENCES privilege on the table 39 . CALL privilege on the procedure.IBM DB2 9 7) A user wishing to invoke an SQL stored procedure that queries a table must have which of the following privileges? A. EXECUTE privilege on the procedure. EXECUTE privilege on the procedure. CALL privilege on the procedure. SELECT privilege on the table B. SELECT privilege on the table D.

8) User USER1 wants to utilize an alias to remove rows from a table. Assuming USER1 has no authorities or privileges, which of the following privileges are needed?
A. DELETE privilege on the table
B. DELETE privilege on the alias
C. DELETE privilege on the alias, REFERENCES privilege on the table
D. DELETE privilege on the table, REFERENCES privilege on the alias

9) Which of the following statements allows user USER1 to take the ability to create packages in a database named SAMPLE away from user USER2?
A. REVOKE CONNECT ON DATABASE FROM user2
B. REVOKE CREATETAB ON DATABASE FROM user2
C. REVOKE BIND ON DATABASE FROM user2
D. REVOKE BINDADD ON DATABASE FROM user2

10) Which of the following will allow user USER1 to change the comment associated with a table named TABLE1?
A. GRANT UPDATE ON TABLE table1 TO user1
B. GRANT CONTROL ON TABLE table1 TO user1
C. GRANT ALTER ON TABLE table1 TO user1
D. GRANT REFERENCES ON TABLE table1 TO user1

11) Which of the following will provide user USER1 and all members of the group GROUP1 with the ability to perform DML, but no other operations on table TABLE1?
A. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO user1 AND group1
B. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO USER user1, GROUP group1
C. GRANT ALL PRIVILEGES EXCEPT ALTER, INDEX, REFERENCES ON TABLE table1 TO USER user1, GROUP group1
D. GRANT CONTROL ON TABLE table1 TO user1 AND group1

12) USER1 is the owner of TABLE1. Assuming USER1 only holds privileges for TABLE1, which of the following is the best way to remove all privileges USER1 holds?
A. REVOKE CONTROL ON table1 FROM user1
B. REVOKE ALL PRIVILEGES ON table1 FROM user1
C. REVOKE CONTROL ON table1 FROM user1; REVOKE ALL PRIVILEGES ON table1 FROM user1
D. REVOKE CONTROL, ALL PRIVILEGES ON table1 FROM user1
