Security issues are important to the DB2 Administrator from the moment the product is installed. During the installation process, DB2 requires a user name, a group name, and a password.
During installation, System Administration (SYSADM) authority is granted by default to an operating-system group (on UNIX, the primary group of the instance owner), so every member of that group can modify the instance environment. To control the proliferation of user names and group names with that power, review and change the default privileges after the installation.
You should create new groups and passwords before creating the instances where the databases will reside.
You should add only the required users to the SYSADM group.
To control the scope and authority of the actions that user-defined functions (UDFs) and stored procedures can perform, you should create a separate user ID (the fenced user) under which fenced UDFs and stored procedures run, distinct from the instance owner and from other database users.
Because SYSADM is the most powerful set of privileges available within DB2, follow these guidelines before creating any groups or user IDs:
Create a separate instance owner group per instance.
Create an instance owner user ID and define this user ID as a member of the instance owner group. For UNIX, you specify the instance owner when you create the instance.
Do not add users to the instance owner group as a matter of course. Two or three members can be reasonable, but not more than that.
The user ID should always be associated with a password to enforce user authentication.
Do not use the instance owner user ID as the fenced ID.
On UNIX, user names must be in lower case.
For example, suppose you have already created a user ID dsnow in a group called dntsadm (the DB2 instance owner ID and instance owner group), and later you decide to grant SYSADM authority to tphan. First add tphan to the group dntsadm, then, if needed, update the database manager configuration parameter SYSADM_GROUP to dntsadm (on UNIX, SYSADM_GROUP defaults to the instance owner group at instance creation time):

    cat /etc/group | grep dntsadm
    dntsadm:!:5000:dsnow

Now the system administrator has added tphan to the group dntsadm:

    cat /etc/group | grep dntsadm
    dntsadm:!:5000:dsnow,tphan

    db2 get dbm cfg | grep SYS
    SYSADM group name                       (SYSADM_GROUP) =
    SYSCTRL group name                     (SYSCTRL_GROUP) =
    SYSMAINT group name                   (SYSMAINT_GROUP) =
    Priority of agents                          (AGENTPRI) = SYSTEM

    db2 update dbm cfg using SYSADM_GROUP dntsadm

    db2 get dbm cfg | grep SYS
    SYSADM group name                       (SYSADM_GROUP) = DNTSADM
    SYSCTRL group name                     (SYSCTRL_GROUP) =
    SYSMAINT group name                   (SYSMAINT_GROUP) =
    Priority of agents                          (AGENTPRI) = SYSTEM

Note that grep SYS also matches the AGENTPRI line because its value is SYSTEM; only the three group parameters are relevant here.
Table 4.1 shows a list of group names, one per role:

    DB2 Instance Owner Group
    DB2 Administration Server Group
    DB2 Fence Administration Group
    DB2 DBA Group
    DB2 User Group for Application abc
    DB2 User Group for Application xyz
Table 4.2 shows a list of user names.
Group names can contain up to 8 bytes.
User IDs on UNIX-based systems can contain up to 8 characters.
User names on Windows can contain up to 30 characters.
When client authentication is not used, non-Windows 32-bit clients can connect to Windows NT, Windows 2000, Windows XP, and Windows .NET servers with user names longer than 8 characters, provided the user name and password are specified explicitly.
User IDs cannot:
Be USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any SQL reserved word.
Begin with IBM, SQL, or SYS.
Include accented characters.
Windows .NET Server is also known as Windows 2003 Server.
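The group guidelines, the SYSADM_GROUP check in the dntsadm example, and the user ID naming rules above can be combined into a small audit script. The following is an added example and not code from the original text or from IBM; it runs against a constructed copy of /etc/group and constructed output of db2 get dbm cfg. The names dsnow, tphan and dntsadm are the ones used in the text; db2fenc1, db2fadm1, dntsbad and the other member accounts are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original text: audit a DB2 instance owner (SYSADM)
# group against the guidelines above.  Inputs are a constructed copy of
# /etc/group and constructed "db2 get dbm cfg | grep SYS" output; dsnow, tphan
# and dntsadm are the names used in the text, everything else is hypothetical.

# Constructed sample of /etc/group (AIX-style "!" password field, as in the text).
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat >"$SAMPLE_GROUP_FILE" <<'EOF'
staff:!:1:root
dntsadm:!:5000:dsnow,tphan
db2fadm1:!:5001:db2fenc1
dntsbad:!:5002:dsnow,tphan,alice,bob,sqladm,db2fenc1,users,Josef,christopher
EOF

# Constructed "db2 get dbm cfg | grep SYS" output, before and after SYSADM_GROUP is set.
SAMPLE_CFG_UNSET=$(printf ' SYSADM group name (SYSADM_GROUP) = \n SYSCTRL group name (SYSCTRL_GROUP) = \n')
SAMPLE_CFG_SET=$(printf ' SYSADM group name (SYSADM_GROUP) = DNTSADM\n SYSCTRL group name (SYSCTRL_GROUP) = \n')

# Prints the group that actually holds SYSADM on a UNIX instance: the
# SYSADM_GROUP value if one is set, otherwise the instance owner group (the
# UNIX default described in the text).  Lower-cased, because db2 reports the
# value in upper case while /etc/group holds lower-case names.
effective_sysadm_group() {   # $1 = dbm cfg text, $2 = instance owner group
    g=$(printf '%s\n' "$1" | awk -F'=' '/\(SYSADM_GROUP\)/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }')
    if [ -n "$g" ]; then
        printf '%s\n' "$g" | tr '[:upper:]' '[:lower:]'
    else
        printf '%s\n' "$2"
    fi
}

# Prints the comma-separated member list of one group from a group file.
group_members() {   # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Checks one user ID against the naming rules above: lower case on UNIX, at most
# 8 characters, no accented characters, not a reserved name, not IBM*/SQL*/SYS*.
# The "any SQL reserved word" rule needs the reserved-word list and is not checked.
# Prints the reason and returns 1 on the first violation; returns 0 if acceptable.
check_user_id() {   # $1 = user ID
    name=$1
    if [ "${#name}" -gt 8 ]; then
        echo "$name: longer than 8 characters"; return 1
    fi
    if printf '%s' "$name" | LC_ALL=C grep -q '[^a-z0-9_]'; then
        echo "$name: contains upper-case, accented or other non-lower-case characters"; return 1
    fi
    case "$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')" in
        USERS|ADMINS|GUESTS|PUBLIC|LOCAL) echo "$name: reserved name"; return 1 ;;
        IBM*|SQL*|SYS*) echo "$name: begins with IBM, SQL or SYS"; return 1 ;;
    esac
    return 0
}

# Audits one instance owner group: the owner must be a member, members must have
# acceptable names, the group should stay small (two or three), and the fenced
# ID must neither be the instance owner nor sit in the group (every member of
# the SYSADM group holds SYSADM, so a fenced user there defeats the separation).
# Findings go to stdout one per line; returns 0 if clean, 1 otherwise.
audit_instance_group() {   # $1 = group file, $2 = SYSADM group, $3 = instance owner, $4 = fenced ID
    members=$(group_members "$1" "$2")
    bad=0
    case ",$members," in
        *",$3,"*) ;;
        *) echo "FINDING: instance owner $3 is not a member of $2"; bad=1 ;;
    esac
    n=0
    for m in $(printf '%s' "$members" | tr ',' ' '); do
        n=$((n + 1))
        if ! reason=$(check_user_id "$m"); then
            echo "FINDING: member $reason"; bad=1
        fi
    done
    if [ "$n" -gt 3 ]; then
        echo "FINDING: $2 has $n members; keep it to two or three"; bad=1
    fi
    if [ "$4" = "$3" ]; then
        echo "FINDING: fenced ID is the instance owner $3"; bad=1
    fi
    case ",$members," in
        *",$4,"*) echo "FINDING: fenced ID $4 is in $2 and therefore holds SYSADM"; bad=1 ;;
    esac
    return "$bad"
}

# Demonstration: resolve the SYSADM group the way DB2 does, then audit both groups.
sysadm_group=$(effective_sysadm_group "$SAMPLE_CFG_UNSET" dntsadm)
echo "SYSADM group with SYSADM_GROUP blank: $sysadm_group"
audit_instance_group "$SAMPLE_GROUP_FILE" "$sysadm_group" dsnow db2fenc1 && echo "dntsadm: clean"
audit_instance_group "$SAMPLE_GROUP_FILE" dntsbad dsnow dsnow || echo "dntsbad: fix the findings above"
```

On a real instance host, replace the constructed inputs with /etc/group and the output of db2 get dbm cfg, and pass the instance owner and fenced IDs you chose at instance creation. The hypothetical dntsbad group is deliberately wrong in several ways at once (a SQL-prefixed name, a reserved name, an upper-case name, a name over 8 characters, too many members, and the instance owner doubling as the fenced ID) so that each rule above produces a visible finding.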