2) security


Transcript of 2) security

Page 1: 2) security

IBM DB2 9

© 2008 IBM Corporation

Vikas Manoria, IT Specialist – IBM Academic Initiative, [email protected]

Section -2) Security

Page 2: 2) security


Section 2 - Security (11%)

- Knowledge of restricting data access
- Knowledge of different authorities and privileges available
- Knowledge of encryption options available (data and network)
- Given a DCL SQL statement, ability to identify results (GRANT, REVOKE, CONNECT statements)

Page 3: 2) security


Aspects of database security

A database security plan should define:

- Who is allowed access to the instance and/or database
- Where and how a user's password is verified
- What authority level a user is granted
- What commands a user is allowed to run
- What data a user is allowed to read and/or alter
- What database objects a user is allowed to create, alter, and/or drop

Page 4: 2) security


Security - Authentication, Authorities and Privileges

DB2 authentication controls the following aspects:
- Who is allowed access to the instance and/or DB
- Where and how a user's password will be verified

DB2 authorities control the following aspects of a database security plan:
- What authority level a user is granted
- What commands a user is allowed to run
- What data a user is allowed to read and/or alter
- What database objects a user is allowed to create, alter and/or drop

A privilege is the right to create or access a database object.
- Database-level privileges — span all objects within the database
- Object-level privileges — associated with a specific object

Page 5: 2) security


Basic Client-Gateway-Host configuration

(Diagram: DB2 clients on Windows, AIX and Linux connect to a DB2 server or DB2 Connect Server acting as gateway, which in turn connects to DB2 on the host.)

Page 6: 2) security


Security - Authentication

Verify user's identity. DB2 will pass all user IDs and passwords to the operating system or external security facility for verification.

Set the authentication parameter at both the DB2 server and client to control where authentication takes place:

- At the DB2 server, authentication type is defined in the database manager configuration file (DBM CFG):
  db2 "GET DBM CFG"
  db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"

- At the DB2 client, authentication type is specified when cataloging a database:
  db2 "CATALOG DATABASE sample AT NODE mynode AUTHENTICATION SERVER"

Page 7: 2) security


Authentication Types - Where Does Authentication Take Place?

1. SERVER: Authentication occurs at the server workstation, using the security facility provided by the server's operating system. By default, this is the authentication type used when an instance is first created.

2. SERVER_ENCRYPT: Same as SERVER, but user credentials are encrypted at the client workstation before they are sent to the server workstation for validation.

3. CLIENT: Authentication occurs at the client workstation, using the security facility provided by the client's operating system.

4. KERBEROS: Authentication occurs at the server workstation, using a security facility that supports the Kerberos security protocol. Supported only on clients and servers that are using the Windows 2000, Windows XP, or Windows .NET operating system.

5. KRB_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the KERBEROS or the SERVER_ENCRYPT authentication method. If the Kerberos authentication service is unavailable, the server acts as if SERVER_ENCRYPT was specified.

6. DATA_ENCRYPT: Same as the SERVER_ENCRYPT authentication method. In addition, all user data is encrypted before it is passed from client to server and from server to client.

7. DATA_ENCRYPT_CMP: Same as the DATA_ENCRYPT authentication method. In addition, this authentication type provides compatibility for down-level products that do not support the DATA_ENCRYPT authentication type.

8. GSSPLUGIN: Authentication occurs at the server workstation, using a Generic Security Service Application Program Interface (GSS-API) plug-in. If the client's authentication type is not specified, the server returns a list of server-supported plug-ins to the client. If the client supports none of them, the KERBEROS method is used.

9. GSS_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the GSSPLUGIN or the SERVER_ENCRYPT authentication method. If the client does not support any of the plug-ins found in the server-supported plug-in list, the client tries the KERBEROS method; if that is not supported either, it uses the SERVER_ENCRYPT method.

Page 8: 2) security


Trusted Clients versus Untrusted Clients

Clients that use an operating system that contains a tightly integrated security facility (for example, Windows NT, Windows 2000, all supported versions of UNIX, MVS, OS/390, VM, VSE, and AS/400) are classified as trusted clients.

Clients that use an operating system that does not provide an integrated security facility (for example, Windows 95, Windows 98, and Windows Millennium Edition) are treated as untrusted clients.

Whenever an untrusted client attempts to access an instance or a database, user authentication always takes place at the server. If the trust_allclnts configuration parameter is set to DRDAONLY, only MVS, OS/390, VM, VSE, and OS/400 clients will be treated as trusted clients.

Page 9: 2) security


Authorities

Page 10: 2) security


System Administrator (SYSADM) authority

Highest level of administrative authority available. Only SYSADM is allowed to perform these tasks:

- Migrate a database from a previous version to DB2 Ver 9.
- Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSADM, SYSCTRL, SYSMAINT, and SYSMON authority.
- Give (grant) / revoke DBADM and SECADM authority to individual users and/or groups.

Ex. Granting SYSADM authority to the group grp1:
  db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"

Page 11: 2) security


System Control (SYSCTRL) authority

SYSCTRL users can perform all administrative and maintenance commands within the instance.

Some tasks that only SYSCTRL & SYSADM can do:
- Force users off the system.
- Create or destroy (drop) a database.
- Create, alter, or drop a table space.

Cannot access any data within the databases unless they are granted the privileges.

A SYSADM user can assign SYSCTRL to a group by:
  db2 "UPDATE DBM CFG USING SYSCTRL_GROUP grp2"

Page 12: 2) security


System Maintenance (SYSMAINT) authority

SYSMAINT users can issue a subset of the commands allowed for SYSCTRL authority — tasks that are considered “maintenance” related, like:
- db2start/db2stop
- db2 backup/restore/rollforward database
- db2 runstats (against any table)
- db2 update db cfg for database dbname

Users with SYSMAINT cannot create or drop databases or tablespaces.

Cannot access any data within the databases.

A SYSADM user can assign SYSMAINT to a group by:
  db2 "UPDATE DBM CFG USING SYSMAINT_GROUP grp3"

Page 13: 2) security


Database Administrator (DBADM) authority

DBADM is a database-level authority and can be assigned by SYSADM to both users and groups:
- grant dbadm on database to user user1
- grant dbadm on database to group group1

DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:
- drop database
- drop/create tablespace
- backup/restore database
- update db cfg for database

Can perform:
- create/drop table
- grant/revoke (any privilege)

Page 14: 2) security


Load (LOAD) authority

LOAD authority is also considered a database-level authority, and can therefore be granted to both users and groups.

LOAD authority allows users:
- To issue the LOAD command against a table. The LOAD command is typically used as a faster alternative to insert or import commands when populating a table with large amounts of data.
- Specific privileges on the table may also be required.

Users with either SYSADM or DBADM authority can grant or revoke LOAD authority to users or groups.


Page 16: 2) security


System Monitoring (SYSMON) authority allows users to take system monitor snapshots for an instance and/or for one or more databases that fall under that instance's control.

It is designed to allow special users to monitor the performance of a database that contains sensitive data that they most likely do not have the right to view or modify.

Security Administrator (SECADM) authority allows special users to configure various label-based access control (LBAC) elements (rules, labels and policies) to restrict access to one or more tables that contain data to which they most likely do not have access themselves.

No other authority provides a user with these abilities, including SYSADM.


Page 18: 2) security


Privileges

Page 19: 2) security


Database Privileges

- CONNECT: Users can connect to the database.
- QUIESCE_CONNECT: Users can access a database while it is in a quiesced state.
- IMPLICIT_SCHEMA: Users can implicitly create schemas within the database without using the CREATE SCHEMA command.
- CREATETAB: Users can create tables within the database.
- BINDADD: Users can create packages in the database using the BIND command.
- CREATE_EXTERNAL_ROUTINE: Users can create a procedure for use by applications and other users of the database.
- CREATE_NOT_FENCED: Users can create unfenced user-defined functions (UDFs).
- LOAD: Users can load data into a table.

Page 20: 2) security


USE allows a user to create tables and indexes in the table space. The owner of a table space automatically receives USE privilege for that table space.

The USE privilege cannot be used for the SYSCATSPACE table space or any temporary table space that might exist.

- CREATEIN allows users to create objects within the schema.
- ALTERIN allows users to modify definitions of objects within the schema.
- DROPIN allows users to drop objects within the schema.
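The database-level authorities of pages 13 to 16 and the database, table space and schema privileges of pages 19 and 20 are granted with ordinary SQL and can be audited from the SYSCAT catalog views. The script below is an added example, not code from the original slides; the user, group, schema and table space names (dbowner, secofficer, loader, appuser, devgrp, appschema, userspace1) are constructed, and it assumes a SYSADM session connected to a database named SAMPLE.

```sql
-- Added example (not from the original slides): a least-privilege layout of
-- database-level authorities and privileges. All names below are constructed.
-- Assumes the session holds SYSADM and is connected to SAMPLE.
CONNECT TO sample;

-- SYSADM grants the database-level authorities. SECADM (granted to a user,
-- never a group, in DB2 9) is the only authority that can later create LBAC
-- components, policies and labels; SYSADM itself cannot.
GRANT DBADM ON DATABASE TO USER dbowner;
GRANT SECADM ON DATABASE TO USER secofficer;
GRANT LOAD ON DATABASE TO USER loader;

-- A plain application account gets only what it needs to connect and bind
-- its packages; it cannot create tables or schemas.
GRANT CONNECT, BINDADD ON DATABASE TO USER appuser;

-- Developers may create objects, but only inside a schema that was created
-- explicitly (so its owner and grants are known) and only in one table space.
-- USE cannot be granted for SYSCATSPACE or temporary table spaces.
CREATE SCHEMA appschema;
GRANT CREATETAB ON DATABASE TO GROUP devgrp;
GRANT USE OF TABLESPACE userspace1 TO GROUP devgrp;
GRANT CREATEIN, ALTERIN, DROPIN ON SCHEMA appschema TO GROUP devgrp;

-- Take back anything PUBLIC may hold at the database level so that every
-- remaining grant is an explicit one.
REVOKE CONNECT, CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;

-- Verification: the catalog records every database-level grant. A 'Y' in an
-- *AUTH column means the grantee holds that authority or privilege.
SELECT grantee, granteetype, dbadmauth, securityadmauth, loadauth,
       connectauth, createtabauth, bindaddauth, implschemaauth
  FROM syscat.dbauth
 ORDER BY grantee;

SELECT grantee, granteetype, tbspace, useauth
  FROM syscat.tbspaceauth;

SELECT grantee, granteetype, schemaname, createinauth, alterinauth, dropinauth
  FROM syscat.schemaauth
 WHERE schemaname = 'APPSCHEMA';
```

The three SELECTs are the checks to run after any change: a row for PUBLIC with a 'Y' in SYSCAT.DBAUTH, or a CREATEIN grant on a schema nobody remembers creating, is the kind of drift this catalog audit is meant to surface.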

Page 21: 2) security


Privileges - Tables & Views

Page 22: 2) security


Privileges on other objects


Page 24: 2) security


Some Examples

CONNECT TO sample USER Jane USING password

GRANT SELECT ON TABLE inventory TO john_doe WITH GRANT OPTION

GRANT SELECT, INSERT, UPDATE, DELETE ON deptview TO USER user1, USER user2

GRANT REFERENCES (empid) ON TABLE employee TO USER user1, GROUP group1

GRANT ALL ON TABLE payroll.employee TO PUBLIC

GRANT UPDATE (address, home_phone) ON TABLE emp_info TO PUBLIC

REVOKE ALL ON TABLE department FROM user1, PUBLIC [Inaccessible views]
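The GRANT and REVOKE forms above are combined below into one worked pattern: hiding sensitive columns behind a view, granting column-level UPDATE, and auditing a WITH GRANT OPTION grant before revoking it. This is an added example, not code from the original slides; the table payroll.employee, the view payroll.emp_public and the users and groups (john_doe, hr_grp, staff_grp) are constructed, and it assumes a session with DBADM or SYSADM connected to SAMPLE.

```sql
-- Added example (not from the original slides): view-based column hiding,
-- column-level UPDATE, and auditing of a WITH GRANT OPTION grant.
-- All object and user names are constructed; assumes DBADM or SYSADM.
CONNECT TO sample;

CREATE SCHEMA payroll;
CREATE TABLE payroll.employee (
  empid      INTEGER      NOT NULL PRIMARY KEY,
  name       VARCHAR(60)  NOT NULL,
  dept       CHAR(3)      NOT NULL,
  home_phone VARCHAR(20),
  salary     DECIMAL(9,2)
);

-- SELECT cannot be granted per column (only UPDATE and REFERENCES can), so
-- SALARY and HOME_PHONE are hidden by a view that simply omits them.
CREATE VIEW payroll.emp_public AS
  SELECT empid, name, dept FROM payroll.employee;

-- Readers get the view, never the base table; HR keeps full DML on the base
-- table; staff may update only their phone number column.
GRANT SELECT ON payroll.emp_public TO PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE payroll.employee TO GROUP hr_grp;
GRANT UPDATE (home_phone) ON TABLE payroll.employee TO GROUP staff_grp;

-- WITH GRANT OPTION lets john_doe pass SELECT on to others: a deliberate
-- delegation that must be audited, not a convenience.
GRANT SELECT ON TABLE payroll.employee TO USER john_doe WITH GRANT OPTION;

-- Audit 1: who holds what on the base table. SELECTAUTH is 'Y' (held) or
-- 'G' (held with grant option); CONTROLAUTH 'Y' marks the owner-level holder.
SELECT grantor, grantee, granteetype, selectauth, updateauth, controlauth
  FROM syscat.tabauth
 WHERE tabschema = 'PAYROLL' AND tabname = 'EMPLOYEE';

-- Audit 2: column-level grants are recorded separately (PRIVTYPE 'U' or 'R').
SELECT grantee, granteetype, colname, privtype
  FROM syscat.colauth
 WHERE tabschema = 'PAYROLL' AND tabname = 'EMPLOYEE';

-- Audit 3: grants john_doe made with the grant option. Revoking john_doe's
-- own SELECT does not remove these, so list them by GRANTOR and revoke each.
SELECT grantee, granteetype
  FROM syscat.tabauth
 WHERE grantor = 'JOHN_DOE' AND tabschema = 'PAYROLL' AND tabname = 'EMPLOYEE';

REVOKE SELECT ON TABLE payroll.employee FROM USER john_doe;

-- Caveat from the slide's "[Inaccessible views]": revoking SELECT on the
-- base table from the view definer makes payroll.emp_public inoperative for
-- everyone, so the definer's own privileges are left untouched.
```

The three catalog queries are the recurring check: any grantee with SELECTAUTH = 'G' is a delegation point, and SYSCAT.TABAUTH.GRANTOR is the column that tells you which grants were made by that delegate rather than by the administrator.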

Page 25: 2) security


Label-Based Access Control (LBAC)

Provides the DBA the ability to restrict read / write privileges at the row or column level of a table.

LBAC is set up by the security administrator by creating security policies. Each table may be subscribed to only one security policy, but the system may have as many security policies as you'd like.

To set up LBAC security to enable business rules:
- Define the security policies and labels and grant the security labels to the users
- Modify the table, adding the security label column and attaching the security policy to it

Page 26: 2) security


LBAC query

SELECT * FROM EMP WHERE SALARY >= 50000

User Level = 100

ID    SALARY   No LBAC   LBAC (User Level = 100)
255   60000    visible   -
100   50000    visible   visible
50    70000    visible   visible
50    45000    -         -
60    30000    -         -
250   56000    visible   -
102   82000    visible   -
100   54000    visible   visible
75    33000    -         -
253   46000    -         -
90    83000    visible   visible
200   78000    visible   -
105   45000    -         -

Users with user level 100 can view the rows with ID <= 100 and salary >= 50000 (indicated in green on the original slide).

With no LBAC user level imposed, users can view all rows that meet the salary >= 50000 qualifier (shown in red on the original slide).

Page 27: 2) security


Example implementation of LBAC

Steps overview:

1. Define the security policies and labels
   a. Define the security label component
   b. Define the security policy
   c. Define the security labels

2. Create the protected SALES table by including a column that holds the security label and attaching the security policy to the table.

3. Grant the appropriate security labels to users.

Requires SECADM authority to execute the commands for creating security policies and labels.

Page 28: 2) security


Step 1. Create the security label component

CREATE SECURITY LABEL COMPONENT J_DEPT TREE (
  'HR_EXECUTIVE' ROOT,
  'MAN_D11_E21' UNDER 'HR_EXECUTIVE',
  'A00' UNDER 'HR_EXECUTIVE',
  'B01' UNDER 'HR_EXECUTIVE',
  'C01' UNDER 'HR_EXECUTIVE',
  'D11' UNDER 'MAN_D11_E21',
  'D21' UNDER 'HR_EXECUTIVE',
  'E01' UNDER 'HR_EXECUTIVE',
  'E11' UNDER 'HR_EXECUTIVE',
  'E21' UNDER 'MAN_D11_E21'
)

Page 29: 2) security


Step 2 & 3. Define the security policy and labels

CREATE SECURITY POLICY J_DEPT_POLICY
  COMPONENTS J_DEPT WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL

CREATE SECURITY LABEL J_DEPT_POLICY.EXECUTIVE
  COMPONENT J_DEPT 'HR_EXECUTIVE'

CREATE SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21
  COMPONENT J_DEPT 'MAN_D11_E21'

CREATE SECURITY LABEL J_DEPT_POLICY.A00
  COMPONENT J_DEPT 'A00'

Page 30: 2) security


Step 4. Grant rights based on labels

db2 grant security label J_DEPT_POLICY.A00 to user Frank for read access

db2 grant security label J_DEPT_POLICY.MANAGE_D11_E21 to user Joe for all access

db2 grant security label J_DEPT_POLICY.EXECUTIVE to user Jane for all access

Page 31: 2) security


Step 5. Modify the EMP table

When modifying the EMP table, you must create an extra column to store the security label. This is of type "DB2SECURITYLABEL".

ALTER TABLE EMP
  ADD COLUMN DEPT_TAG DB2SECURITYLABEL
  ADD SECURITY POLICY J_DEPT_POLICY

After the alter is run by a user defined on the EXECUTIVE level, all the security tags will have been set to EXECUTIVE. To change this, you need to update the column, for example:

update emp set DEPT_TAG = SECLABEL_BY_NAME('J_DEPT_POLICY','E11') where WORKDEPT='E11'
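Steps 1 to 5 above are collected below into one script that runs end to end and ends with the reads and the write that show the TREE rules in effect. This is an added example, not code from the original slides: the component, policy and label names are the ones used on pages 28 to 31, but the EMP table, its rows and the extra E11 label are constructed, the user names (frank, joe, jane) are placeholders, and it assumes the SECADM statements are run by a SECADM user and the table statements by the table owner, who is assumed to hold the EXECUTIVE label.

```sql
-- Added example (not from the original slides): the LBAC procedure of pages
-- 27-31 run end to end on a constructed EMP table. Statements under "SECADM"
-- need SECADM authority; the rest are run by the table owner (jane), who is
-- assumed to hold J_DEPT_POLICY.EXECUTIVE for all access.

-- SECADM: component, policy and labels (names as on the slides, tree trimmed
-- to the departments used below).
CREATE SECURITY LABEL COMPONENT J_DEPT TREE (
  'HR_EXECUTIVE' ROOT,
  'MAN_D11_E21' UNDER 'HR_EXECUTIVE',
  'A00' UNDER 'HR_EXECUTIVE',
  'D11' UNDER 'MAN_D11_E21',
  'E11' UNDER 'HR_EXECUTIVE',
  'E21' UNDER 'MAN_D11_E21'
);

CREATE SECURITY POLICY J_DEPT_POLICY
  COMPONENTS J_DEPT WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

CREATE SECURITY LABEL J_DEPT_POLICY.EXECUTIVE      COMPONENT J_DEPT 'HR_EXECUTIVE';
CREATE SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21 COMPONENT J_DEPT 'MAN_D11_E21';
CREATE SECURITY LABEL J_DEPT_POLICY.A00            COMPONENT J_DEPT 'A00';
CREATE SECURITY LABEL J_DEPT_POLICY.E11            COMPONENT J_DEPT 'E11';  -- constructed

-- SECADM: labels to users. Frank may only read; Joe and Jane may also write.
GRANT SECURITY LABEL J_DEPT_POLICY.A00            TO USER frank FOR READ ACCESS;
GRANT SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21 TO USER joe   FOR ALL ACCESS;
GRANT SECURITY LABEL J_DEPT_POLICY.EXECUTIVE      TO USER jane  FOR ALL ACCESS;

-- Table owner (jane): constructed sample rows, then protect the table.
CREATE TABLE emp (
  empno    CHAR(6)      NOT NULL PRIMARY KEY,
  workdept CHAR(3)      NOT NULL,
  salary   DECIMAL(9,2)
);
INSERT INTO emp VALUES ('000010', 'A00', 52750.00),
                       ('000060', 'D11', 32250.00),
                       ('000090', 'E11', 29750.00),
                       ('000100', 'E21', 26150.00);

ALTER TABLE emp
  ADD COLUMN dept_tag DB2SECURITYLABEL
  ADD SECURITY POLICY J_DEPT_POLICY;

-- Every existing row was tagged with the altering user's write label
-- (EXECUTIVE). Re-tag by department so the tree rules become meaningful;
-- D11 and E21 rows are given their manager's label.
UPDATE emp SET dept_tag = SECLABEL_BY_NAME('J_DEPT_POLICY', 'A00') WHERE workdept = 'A00';
UPDATE emp SET dept_tag = SECLABEL_BY_NAME('J_DEPT_POLICY', 'E11') WHERE workdept = 'E11';
UPDATE emp SET dept_tag = SECLABEL_BY_NAME('J_DEPT_POLICY', 'MAN_D11_E21')
 WHERE workdept IN ('D11', 'E21');

-- Read check. Under the TREE read rule a user sees rows whose element is
-- their own or below it in the tree; the query text is unchanged, LBAC drops
-- the rows the user's label does not cover:
--   frank (A00):         only the A00 row
--   joe   (MAN_D11_E21): the D11 and E21 rows
--   jane  (EXECUTIVE):   all four rows
SELECT empno, workdept, salary,
       SECLABEL_TO_CHAR('J_DEPT_POLICY', dept_tag) AS tag
  FROM emp;

-- Write check. frank holds his label for READ only, so with RESTRICT NOT
-- AUTHORIZED WRITE SECURITY LABEL this INSERT is rejected for frank and
-- accepted for joe, whose label matches the row label.
INSERT INTO emp (empno, workdept, salary, dept_tag)
  VALUES ('000200', 'D11', 31000.00,
          SECLABEL_BY_NAME('J_DEPT_POLICY', 'MAN_D11_E21'));
```

The point worth noticing is the step after the ALTER: until the UPDATEs run, every row carries the EXECUTIVE label, so Frank and Joe see nothing and only the table owner sees data. A protected table whose rows were never re-labelled fails closed, which is the safe direction, but it also means the re-labelling UPDATE is part of the deployment, not an afterthought.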


Page 33: 2) security


1) Which of the following is NOT a valid method of authentication that can be used by DB2 9?

A. SERVER
B. SERVER_ENCRYPT
C. CLIENT
D. DCS

Page 34: 2) security


2)  In a client-server environment, which two of the following can be used to verify passwords?

A. System Catalog
B. User ID/password file
C. Client Operating System
D. Communications layer
E. Application Server

Page 35: 2) security


3) A table named DEPARTMENT has the following columns:
- DEPT_ID
- DEPT_NAME
- MANAGER
- AVG_SALARY

Which of the following is the best way to prevent most users from viewing AVG_SALARY data?

A. Encrypt the table's data
B. Create a view that does not contain the AVG_SALARY column
C. Revoke SELECT access for the AVG_SALARY column from users who should not see AVG_SALARY data
D. Store AVG_SALARY data in a separate table and grant SELECT privilege for that table to the appropriate users

Page 36: 2) security


4)  Assuming USER1 has no authorities or privileges, which of the following will allow USER1 to create a view named VIEW1 that references two tables named TAB1 and TAB2?

A. CREATEIN privilege on the database
B. REFERENCES privilege on TAB1 and TAB2
C. CREATE_TAB privilege on the database
D. SELECT privilege on TAB1 and TAB2

Page 37: 2) security


5.  On which two of the following database objects may the SELECT privilege be controlled?

A. Sequence
B. Nickname
C. Schema
D. View
E. Index

Page 38: 2) security


6) After the following SQL statement is executed:

GRANT ALL PRIVILEGES ON TABLE employee TO USER user1

Assuming user USER1 has no other authorities or privileges, which of the following actions is USER1 allowed to perform?

A. Drop an index on the EMPLOYEE table
B. Grant all privileges on the EMPLOYEE table to other users
C. Alter the table definition
D. Drop the EMPLOYEE table

Page 39: 2) security


7)  A user wishing to invoke an SQL stored procedure that queries a table must have which of the following privileges?

A. CALL privilege on the procedure; SELECT privilege on the table

B. CALL privilege on the procedure; REFERENCES privilege on the table

C. EXECUTE privilege on the procedure; SELECT privilege on the table

D. EXECUTE privilege on the procedure; REFERENCES privilege on the table

Page 40: 2) security


8) User USER1 wants to utilize an alias to remove rows from a table. Assuming USER1 has no authorities or privileges, which of the following privileges are needed?

A. DELETE privilege on the table
B. DELETE privilege on the alias
C. DELETE privilege on the alias; REFERENCES privilege on the table

D. REFERENCES privilege on the alias; DELETE privilege on the table

Page 41: 2) security


9)  Which of the following statements allows user USER1 to take the ability to create packages in a database named SAMPLE away from user USER2?

A. REVOKE CONNECT ON DATABASE FROM user2

B. REVOKE CREATETAB ON DATABASE FROM user2

C. REVOKE BIND ON DATABASE FROM user2

D. REVOKE BINDADD ON DATABASE FROM user2

Page 42: 2) security


10)  Which of the following will allow user USER1 to change the comment associated with a table named TABLE1?

A. GRANT UPDATE ON TABLE table1 TO user1

B. GRANT CONTROL ON TABLE table1 TO user1

C. GRANT ALTER ON TABLE table1 TO user1

D. GRANT REFERENCES ON TABLE table1 TO user1

Page 43: 2) security


11)  Which of the following will provide user USER1 and all members of the group GROUP1 with the ability to perform DML, but no other operations on table TABLE1?

A. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO user1 AND group1

B. GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE table1 TO USER user1, GROUP group1

C. GRANT ALL PRIVILEGES EXCEPT ALTER, INDEX, REFERENCES ON TABLE table1 TO USER user1, GROUP group1

D. GRANT CONTROL ON TABLE table1 TO user1 AND group1

Page 44: 2) security


12) USER1 is the owner of TABLE1. Assuming USER1 only holds privileges for TABLE1, which of the following is the best way to remove all privileges USER1 holds?

A. REVOKE CONTROL ON table1 FROM user1

B. REVOKE ALL PRIVILEGES ON table1 FROM user1

C. REVOKE CONTROL ON table1 FROM user1; REVOKE ALL PRIVILEGES ON table1 FROM user1;

D. REVOKE CONTROL, ALL PRIVILEGES ON table1 FROM user1

Page 45: 2) security


Thank You