Selecting User Names and Group Names for DB2 Installation

Security issues are important to the DB2 Administrator from the moment the product is installed. During the installation process, DB2 requires a user name, a group name, and a password.

Recommendations

During installation, DB2 grants System Administration (SYSADM) authority by default to the members of an operating-system group (the Administrators group on Windows, the instance owner's primary group on UNIX). To limit the number of user names and group names that can modify the instance environment, review and change these default privileges after installation.

  • You should create new groups and passwords before creating the instances where the databases will reside.

  • You should add only the required user(s) to the SYSADM group.

  • To control the scope and authority of the actions that user-defined functions (UDFs) and stored procedures can perform, create a separate user ID under which fenced UDFs and stored procedures run, distinct from the instance owner ID and from the IDs of other database users.

  • Because SYSADM is the most powerful set of privileges available within DB2, follow these guidelines before creating any groups or user IDs:

    • Create a separate instance owner group per instance.

    • Create an instance owner user ID and define this user ID as a member of the instance owner group. For UNIX, you specify the instance owner when you create the instance.

    • Add users to the instance owner group only when necessary. Two or three members can be reasonable, but no more than that.

    • Every user ID should have a password so that user authentication is enforced.

    • Do not use the instance owner user ID as the fenced ID.

NOTE

On UNIX, user names must be in lower case.


For example, suppose you have already created the user ID dsnow in the group dntsadm (the DB2 instance owner ID and instance owner group), and later you decide to grant SYSADM authority to tphan. First add tphan to the group dntsadm, then set SYSADM_GROUP in the database manager configuration (dbm cfg) to dntsadm if it is not already set. On UNIX, when SYSADM_GROUP is left blank, the instance owner's primary group holds SYSADM authority by default; setting it explicitly records that intent in the configuration:

grep '^dntsadm:' /etc/group

dntsadm:!:5000:dsnow

After the system administrator adds tphan to the group dntsadm:

grep '^dntsadm:' /etc/group

dntsadm:!:5000:dsnow,tphan

db2 get dbm cfg | grep SYS

SYSADM group name                    (SYSADM_GROUP)    =
SYSCTRL group name                   (SYSCTRL_GROUP)   =
SYSMAINT group name                  (SYSMAINT_GROUP)  =
Priority of agents                   (AGENTPRI)        = SYSTEM

db2 update dbm cfg using SYSADM_GROUP dntsadm
db2 get dbm cfg | grep SYS

SYSADM group name                    (SYSADM_GROUP)    = DNTSADM
SYSCTRL group name                   (SYSCTRL_GROUP)   =
SYSMAINT group name                  (SYSMAINT_GROUP)  =
Priority of agents                   (AGENTPRI)        = SYSTEM

DB2 stores the group name in upper case. The AGENTPRI line appears only because grep SYS also matches its value, SYSTEM.
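Because membership of the instance owner group is what actually confers SYSADM on UNIX, it is worth re-checking that membership after every change like the one above. The following script is an added example, not code from the book: it reads group data in /etc/group format, reports any member of the instance owner group that is not on an explicit allow list, and confirms that the fenced user ID is neither the instance owner nor a member of that group. The group and user names are the book's Table 4.1 and 4.2 values; the membership data is a constructed sample in which abcuser1 has deliberately been added to dntsadm. On a real host, pass the contents of /etc/group instead of the sample.

```sh
#!/bin/sh
# Added example (not from the book): audit the instance owner (SYSADM) group.
# Group and user names follow the book's Tables 4.1 and 4.2; the membership
# data is a constructed sample, with abcuser1 wrongly added to dntsadm.

SAMPLE_GROUP_FILE='dntsadm:!:5000:dsnow,tphan,abcuser1
dntsas:!:5100:dntas
dntfadm:!:5200:dntudf
dntsdba:!:5300:dntdba
dntabc:!:5400:abcuser1'

# members_of GROUP CONTENT
# Prints the comma-separated member field (4th field of /etc/group) of GROUP,
# or nothing if GROUP is not present in CONTENT.
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4; exit }'
}

# audit_sysadm GROUP ALLOWED CONTENT
# ALLOWED is a space-separated allow list of user IDs. Returns 0 when every
# member of GROUP is allowed, 1 when unexpected members exist (each is
# printed), 2 when GROUP does not exist in CONTENT.
audit_sysadm() {
    group=$1
    allowed=$2
    content=$3
    if ! printf '%s\n' "$content" | grep -q "^$group:"; then
        echo "group $group not found" >&2
        return 2
    fi
    bad=0
    members=$(members_of "$group" "$content")
    # Split the member field on commas into the positional parameters.
    oldifs=$IFS
    IFS=,
    set -- $members
    IFS=$oldifs
    for m in "$@"; do
        case " $allowed " in
            *" $m "*) ;;
            *) echo "unexpected member of $group: $m"; bad=1 ;;
        esac
    done
    return $bad
}

# fenced_id_ok FENCED OWNER GROUP CONTENT
# The fenced ID must differ from the instance owner and must not belong to the
# instance owner group; otherwise code in fenced UDFs and stored procedures
# runs under an OS identity that holds SYSADM.
fenced_id_ok() {
    fenced=$1
    owner=$2
    if [ "$fenced" = "$owner" ]; then
        echo "fenced ID $fenced is the instance owner"
        return 1
    fi
    case ",$(members_of "$3" "$4")," in
        *",$fenced,"*) echo "fenced ID $fenced is a member of $3"; return 1 ;;
    esac
    return 0
}

# Stand-alone run against the constructed sample.
if audit_sysadm dntsadm "dsnow tphan" "$SAMPLE_GROUP_FILE"; then
    echo "dntsadm membership is as intended"
else
    echo "dntsadm audit failed (status $?)"
fi
if fenced_id_ok dntudf dsnow dntsadm "$SAMPLE_GROUP_FILE"; then
    echo "fenced ID dntudf is separate from the instance owner and dntsadm"
fi
```

Run it periodically (or from the change procedure itself) and treat any unexpected member as a finding: the allow list is the documented set of SYSADM holders, and /etc/group is the ground truth DB2 consults.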

Table 4.1 shows a list of group names.

Table 4.1. Group Names Defined

Group Name   GID    Description
dntsadm      5000   DB2 Instance Owner Group
dntsas       5100   DB2 Administration Server Group
dntfadm      5200   DB2 Fence Administration Group
dntsdba      5300   DB2 DBA Group
dntabc       5400   DB2 User Group for Application abc
dntxyz       5500   DB2 User Group for Application xyz

Table 4.2 shows a list of user names.

Table 4.2. User Names Defined

User Name   UID    Default Shell   Home Directory      Primary Group   Secondary Groups
dsnow       8000   /usr/bin/ksh    /dbhome/dsnow       dntsadm         dntsas, dntfadm
tphan       8001   /usr/bin/ksh    /dbhome/tphan       dntsadm
dntas       8100   /usr/bin/ksh    /dbhome/dntas       dntsas
dntudf      8200   /usr/bin/ksh    /dbhome/dntudf      dntfadm
dntdba      8300   /usr/bin/ksh    /dbhome/dntdba      dntsdba
abcuser1    8400   /usr/bin/ksh    /apphome/abcuser1   dntabc
xyzuser1    8500   /usr/bin/ksh    /apphome/xyzuser1   dntxyz

User and Group Naming Rules

  • Group names can contain up to 8 bytes.

  • User IDs on UNIX-based systems can contain up to 8 characters.

  • User names on Windows can contain up to 30 characters.

  • When CLIENT authentication is not in use, non-Windows 32-bit clients can connect to Windows NT, Windows 2000, Windows XP, and Windows .NET servers with user names longer than 8 characters, provided the user name and password are specified explicitly.

  • User IDs cannot:

    • Be USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any SQL reserved word.

    • Begin with IBM, SQL, or SYS.

    • Include accented characters.

NOTE

Windows .NET Server is the pre-release name of Windows Server 2003.
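The rules above are easy to get wrong by hand, and a rejected name is only discovered when the instance or connection fails. The following script is an added example, not code from the book: it checks a proposed UNIX user or group name against the rules stated on this page (lower case on UNIX, at most 8 characters, no accented characters, the reserved names, the IBM/SQL/SYS prefixes, and SQL reserved words) before the name is created with the operating system's user management commands. Two points are assumptions rather than page content: the SQL reserved-word list is a small constructed sample that must be extended from the DB2 SQL reference, and the accepted character set is restricted to ASCII letters and digits, which is conservative.

```sh
#!/bin/sh
# Added example (not from the book): validate a proposed UNIX user or group
# name against the DB2 naming rules before creating it.
# Assumptions: SQL_RESERVED is a partial sample, not DB2's full list; only
# ASCII letters and digits are accepted; the IBM/SQL/SYS prefix rule is applied
# case-insensitively (names are already required to be lower case on UNIX).

SQL_RESERVED="select insert update delete table user group grant revoke null"

# check_db2_name NAME -> returns 0 if acceptable, 1 otherwise (reason printed)
check_db2_name() {
    name=$1
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')

    # Rule: on UNIX, user names must be lower case.
    if [ "$name" != "$lower" ]; then
        echo "$name: must be lower case on UNIX"
        return 1
    fi
    # Rule: UNIX user IDs and group names are limited to 8 characters.
    if [ "${#name}" -gt 8 ]; then
        echo "$name: longer than 8 characters"
        return 1
    fi
    # Rule: no accented characters (assumption: ASCII letters and digits only).
    case $name in
        "") echo "empty name"; return 1 ;;
        *[!abcdefghijklmnopqrstuvwxyz0123456789]*)
            echo "$name: only ASCII letters and digits allowed (no accented characters)"
            return 1 ;;
    esac
    # Rule: reserved names and reserved prefixes.
    case $name in
        users|admins|guests|public|local)
            echo "$name: reserved name"; return 1 ;;
        ibm*|sql*|sys*)
            echo "$name: must not begin with IBM, SQL or SYS"; return 1 ;;
    esac
    # Rule: no SQL reserved word (partial list, see SQL_RESERVED).
    case " $SQL_RESERVED " in
        *" $name "*) echo "$name: SQL reserved word"; return 1 ;;
    esac
    return 0
}

# Stand-alone run: the book's names plus some deliberately bad ones.
for n in dsnow tphan dntsadm dntfadm DSNOW sysadmin public abcuser10 select; do
    if check_db2_name "$n"; then
        echo "$n: ok"
    fi
done
```

Call check_db2_name on every name in Tables 4.1 and 4.2 style plans before running the platform's group and user creation commands; the function prints the first violated rule, so a failing name can be corrected rather than guessed at.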