Selecting User Names and Group Names for DB2 Installation

Security issues are important to the DB2 Administrator from the moment the product is installed. During the installation process, DB2 requires a user name, a group name, and a password.

Recommendations

To control the proliferation of user names and group names that are able to modify the instance environment, you should change the default privileges granted to users after the installation because during the installation process, System Administration (SYSADM) privileges are granted by default to the users on the specific operating system.

  • You should create new groups and passwords before creating the instances where the databases will reside.

  • You should add only the required user(s) to the SYSADM group.

  • To control the scope and authority of the actions that can be performed by user-defined functions (UDFs) and stored procedures, you should create a new user name in which fenced UDFs will execute differently than those of the DB2 instance or other database users.

  • Because SYSADM privileges are the most powerful set of privileges available within DB2, you must check the following guidelines before creating any groups or user IDs:

    • Create a separate instance owner group per instance.

    • Create an instance owner user ID and define this user ID as a member of the instance owner group. For UNIX, you specify the instance owner when you create the instance.

    • Do not add new users to the instance owner group. (It is sometimes a good idea to have two or three, but not more than that.)

    • The user ID should always be associated with a password to enforce user authentication.

    • Do not use the instance owner user ID as the fenced ID.

NOTE

On UNIX, user names must be in lower case.


For example, suppose you already created a user ID dsnow under a group called dntsadm (this is the DB2 instance owner ID and instance owner group), then later you decided to grant SYSADM authority to tphan. First, you must add the user tphan to the group dntsadm, then update the dbm cfg SYSADM_GROUP to dntsadm as needed (on UNIX, the database manager configuration for SYSADM_GROUP is automatically set to the instance owner group at instance creation time):

cat /etc/group | grep dntsadm

dntsadm:!:5000:dsnow

Now the system administrator just added tphan to the group dntsadm

cat /etc/group | grep dntsadm

dntsadm:!:5000:dsnow,tphan

db2 get dbm cfg | grep SYS

SYSADM group name                    (SYSADM_GROUP)    =
SYSCTRL group name                   (SYSCTRL_GROUP)   =
SYSMAINT group name                  (SYSMAINT_GROUP)  =
Priority of agents                   (AGENTPRI)        = SYSTEM

db2 update dbm cfg using SYSADM_GROUP dntsadm
db2 get dbm cfg | grep SYS

SYSADM group name                    (SYSADM_GROUP)   = DNTSADM
SYSCTRL group name                   (SYSCTRL_GROUP)  =
SYSMAINT group name                  (SYSMAINT_GROUP) =
Priority of agents                   (AGENTPRI)       = SYSTEM

Table 4.1 shows a list of group names.

Table 4.1. Group Names Defined

Group Name

GID

Description

dntsadm

5000

DB2 Instance Owner Group

dntsas

5100

DB2 Administration Server Group

dntfadm

5200

DB2 Fence Administration Group

dntsdba

5300

DB2 DBA Group

dntabc

5400

DB2 User Group for Application abc

dntxyz

5500

DB2 User Group for Application xyz

Table 4.2 shows a list of user names.

Table 4.2. User Names Defined

User Name

UID

Default Shell

Home Directory

Group Primary

Group Secondary

dsnow

8000

/usr/bin/ksh

/dbhome/dsnow

dntsadm

dntsas, dntfadm

tphan

8001

/usr/bin/ksh

/dbhome/tphan

dntsadm

 

dntas

8100

/usr/bin/ksh

/dbhome/dntas

dntsas

 

dntudf

8200

/usr/bin/ksh

/dbhome/dntudf

dntfadm

 

dntdba

8300

/usr/bin/ksh

/dbhome/dntdba

dntsdba

 

abcuser1

8400

/usr/bin/ksh

/apphome/abcuser1

dntabc

 

xyzuser1

8500

/usr/bin/ksh

/apphome/xyzuser1

dntxyz

 

User and Group Naming Rules

  • Group names can contain up to 8 bytes.

  • User IDs on UNIX-based systems can contain up to 8 characters.

  • User names on Windows can contain up to 30 characters.

  • When not using Client authentication, non-Windows 32-bit clients connecting to Windows NT, Windows 2000, Windows XP, and Windows .NET with user names longer than 8 characters are supported when the user name and password are specified explicitly.

  • User IDs cannot:

    • Be USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any SQL reserved word.

    • Begin with IBM, SQL, or SYS.

    • Include accented characters.

NOTE

Windows .NET Server is also known as Windows 2003 Server.




     
    ASPTreeView.com
     
    Evaluation has СѕµЛЗОБМexpired.
    Info...