Discussion:
Allowing users to access the DB without an operating-system-level user id
Shashi Shekhar
2016-07-22 10:27:02 UTC
Hi Everyone,

I work as DB2 DBA on AIX.
We are getting a scenario very frequently where new developers are joining and they need access to the Development DB. Currently they have to go through the AIX administrator to create a new user id and assign them to the required group which has the required permissions.

But we want to control that part from the DB2 level, so that a new developer (with no OS-level user id) doesn't have to go to the OS guy and we can give the permission ourselves. Do we have any such way?


Regards
Shashi
Peter H. Coffin
2016-07-22 20:20:20 UTC
Post by Shashi Shekhar
Hi Everyone,
I work as DB2 DBA on AIX.
We are getting a scenario very frequently where new developers are
joining and they need access to the Development DB. Currently they have
to go through the AIX administrator to create a new user id and assign
them to the required group which has the required permissions.
But we want to control that part from the DB2 level, so that a new
developer (with no OS-level user id) doesn't have to go to the OS guy
and we can give the permission ourselves. Do we have any such way?
I don't think you can do what you want directly. I remember that there
IS a way to support authentication, user access and group designation
through LDAP, but I'm pretty sure it depended on the host OS *also*
supporting authentication through LDAP. That is, the creation and
management of the user authentication on the host OS gets passed off to
an LDAP system instead of local user lists. I don't know the details
beyond that, though, so you're going to be on your own to figure out how
to do it, if your AIX support will even let it happen.
--
40. I will be neither chivalrous nor sporting. If I have an unstoppable
superweapon, I will use it as early and as often as possible instead
of keeping it in reserve.
--Peter Anspach's list of things to do as an Evil Overlord
Jeremy Rickard
2016-08-17 01:13:32 UTC
This is a late reply, but since there were few responses I suggest you read the DB2 manuals on security for an overview of what's supported.

There are older solutions like trusting client security (which *might* just about be acceptable for development) and newer solutions such as Kerberos, LDAP etc., plus an open security API in more recent versions of DB2.

I'm not sure about the possible restriction on LDAP mentioned by another poster; you may wish to check the specifics yourself. However, as a general comment, since the DB2 authentication API is open, ultimately anyone can implement any authentication protocol they like, even if a suitable pre-wrapped solution does not exist. You could, for example, implement authentication that only accepts a valid password when a particular light switch on/off combination has been selected in your office. A marriage of IoT and DB2 security; could be fun :-)
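The LDAP route mentioned in the two replies is, in practice, the one that lets a developer who has no AIX account connect with only a directory account. The script below is an added example, not from the thread or from IBM: it writes the IBMLDAPSecurity.ini file that IBM's bundled LDAP plugins (IBMLDAPauthserver, IBMLDAPauthclient, IBMLDAPgroups) read, checks that the file has the keys those plugins need and is not readable by other users (it holds the bind password), and prints the CLP commands that switch the instance over. The LDAP host, base DNs, bind account, database name DEVDB and group DEVELOPERS are placeholders; SERVER_ENCRYPT for SRVCON_AUTH is this example's choice so that passwords are not sent in the clear. The instance owner itself still needs an OS account; only the connecting users move to the directory.

```shell
#!/bin/sh
# Added example: DB2 LDAP security plugin setup helper.
# Plugin names and ini keys are IBM's; every value below is a placeholder.
set -e

# Write IBMLDAPSecurity.ini into DIR (normally $HOME/sqllib/cfg of the
# instance owner) and print the resulting path.
write_ldap_ini() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/IBMLDAPSecurity.ini" <<'EOF'
; Constructed example values; replace with your directory's details.
LDAP_HOST = ldaps://ldap.example.internal:636
ENABLE_SSL = TRUE
SSL_KEYFILE = /home/db2inst1/sqllib/security/ldap.kdb
SSL_PW = changeit
USER_BASEDN = ou=people,dc=example,dc=internal
USERID_ATTRIBUTE = uid
AUTHID_ATTRIBUTE = uid
USER_OBJECTCLASS = inetOrgPerson
GROUP_BASEDN = ou=groups,dc=example,dc=internal
GROUP_OBJECTCLASS = groupOfNames
GROUPNAME_ATTRIBUTE = cn
GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = member
SEARCH_DN = cn=db2-bind,ou=service,dc=example,dc=internal
SEARCH_PW = changeit
NESTED_GROUPS = FALSE
FOLLOW_REFERRALS = FALSE
DEBUG = FALSE
EOF
    # The file carries SEARCH_PW and SSL_PW: owner-only access.
    chmod 600 "$dir/IBMLDAPSecurity.ini"
    printf '%s\n' "$dir/IBMLDAPSecurity.ini"
}

# Return 0 when FILE has the keys the plugins need and is private to its
# owner; return 1 (and report each problem on stderr) otherwise.
validate_ldap_ini() {
    f="$1"
    rc=0
    for key in LDAP_HOST USER_BASEDN USERID_ATTRIBUTE AUTHID_ATTRIBUTE \
               GROUP_BASEDN GROUP_LOOKUP_METHOD SEARCH_DN SEARCH_PW; do
        if ! grep -q "^$key *=" "$f"; then
            printf 'missing key %s\n' "$key" >&2
            rc=1
        fi
    done
    if [ -n "$(find "$f" -perm -004 -o -perm -040 2>/dev/null)" ]; then
        printf '%s is group- or world-readable\n' "$f" >&2
        rc=1
    fi
    if grep -q '^LDAP_HOST *= *ldap://' "$f" && grep -qi '^ENABLE_SSL *= *FALSE' "$f"; then
        printf 'bind password would travel in clear text over ldap://\n' >&2
        rc=1
    fi
    return $rc
}

# Print the CLP commands that move the instance to the LDAP plugins and grant
# the directory group access to the development database.
db2_ldap_plugin_commands() {
    cat <<'EOF'
db2 update dbm cfg using SRVCON_PL_AUTH_PLUGIN IBMLDAPauthserver
db2 update dbm cfg using CLNT_PW_PLUGIN IBMLDAPauthclient
db2 update dbm cfg using GROUP_PLUGIN IBMLDAPgroups
db2 update dbm cfg using SRVCON_AUTH SERVER_ENCRYPT
db2stop force
db2start
db2 connect to DEVDB
db2 "GRANT CONNECT ON DATABASE TO GROUP DEVELOPERS"
db2 terminate
EOF
}

# Usage: sh db2_ldap_setup.sh /home/db2inst1/sqllib/cfg
if [ $# -ge 1 ]; then
    ini=$(write_ldap_ini "$1")
    validate_ldap_ini "$ini"
    db2_ldap_plugin_commands
fi
```

Run it once with the instance's cfg directory, review the printed commands, and then execute them as the instance owner; after the restart a directory user who has never existed on AIX can `db2 connect to DEVDB user <uid>` and is authorized through the group the directory returns, so adding a developer becomes a directory change rather than an AIX ticket.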