2.3 - db2 database security.odp
TRANSCRIPT
7/23/2019 2.3 - DB2 Database Security.odp
http://slidepdf.com/reader/full/23-db2-database-securityodp 1/26
© 2010 IBM Corporation
Information Management
Information Management Ecosystem Partnerships, IBM Canada Lab
Summer/Fall 2010
DB2® Security
Agenda
■ Authentication
■ Trusted Context
■ Authorization
■ Authorities
■ Privileges
■ Label-Based Access Control (LBAC)
■ Roles
DB2 Security Overview
■ There are two main mechanisms (and subcategories within DB2) that allow you to implement a security plan
■ Authentication
■ Authorization
  - Authorities
  - Privileges
[Diagram: authentication vs. authorization. The client issues "CONNECT TO SAMPLE USER John USING password;" and the SAMPLE DB asks "Did John enter the correct password?" (authentication). The client then issues "select * from sampletable" and the database asks "Does John have authorization to access data in 'sampletable'?" (authorization).]
Authentication
■ Determining that you are who you say you are
■ Can rely on the operating system's authentication mechanism
■ Can rely on a separate product
■ Where and how DB2 authenticates users
  - SERVER
  - SERVER_ENCRYPT
  - CLIENT
  - KERBEROS
  - etc...
[Diagram: with AUTHENTICATION = SERVER, the client sends "CONNECT TO SAMPLE USER John USING password;" and the server checks "Did John enter the correct password?"; with AUTHENTICATION = CLIENT, the same CONNECT is verified on the client side before the server is reached.]
Configuration of Authentication on DB2 Server
■ Authentication type is defined in the Database Manager configuration file (DBM CFG)
■ To configure how and where DB2 authenticates users, set the authentication parameter at the DB2 server:
db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"
db2 "GET DBM CFG"
Trusted Context
■ Provides a means whereby the end-user identity in a three-tier environment can be easily and efficiently propagated to the database server
■ Introduces the concept of a trusted context between a database server and a specific application tier
■ Why not just keep one common user ID?
  - Loss of user identity for auditing purposes
  - Hard to distinguish actions needed by the app vs. needed by the user
  - Middle tier is "over granted" privileges
  - If the ID is compromised, high risk of security exposure
Trusted Context
■ Implementation Considerations
  - Users need to be identified individually but do not want expensive new connections
  - How do we identify a trusted source?
■ Solution: Create a "Trusted Context"
  - A trusted relationship between the DB and the application
    Switch current user ID
    Acquire additional privileges via role inheritance
  - Relationship identified by connection attributes: IP Address, Domain Name, Authorization ID, Data Encryption used
CREATE TRUSTED CONTEXT ctxt
  BASED UPON CONNECTION USING SYSTEM AUTHID smith
  ATTRIBUTES (ADDRESS '192.168.2.27')
  DEFAULT ROLE managerRole
  ENABLE
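As an added example (not from the slides), the statement above extended with the user-switching clause the slide describes; the authorization IDs appsrv, john and dayna, the role names, the table and the address are all assumed:

```sql
-- Added example, not from the original slides. All names and the address are assumed.
-- 1. Roles that the trusted connection will confer. Granting privileges to these
--    roles rather than to appsrv means they are only usable through the trusted context.
CREATE ROLE app_role;
CREATE ROLE manager_role;
GRANT SELECT ON TABLE employee TO ROLE app_role;

-- 2. The trusted context: the middle tier connects as appsrv, but the connection
--    is trusted only when it arrives from this address with high data encryption.
CREATE TRUSTED CONTEXT appsrv_ctx
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
  ATTRIBUTES (ADDRESS '192.168.2.27', ENCRYPTION 'HIGH')
  DEFAULT ROLE app_role
  ENABLE
  -- Within the trusted connection the application may switch the current user
  -- to an individual end user, so audit records carry that user's ID, not appsrv's.
  WITH USE FOR john WITH AUTHENTICATION,                 -- john's password is required
               dayna ROLE manager_role WITHOUT AUTHENTICATION;

-- 3. Verify the definition in the catalog (ENABLED is 'Y' or 'N').
SELECT contextname, systemauthid, enabled
  FROM syscat.contexts
 WHERE contextname = 'APPSRV_CTX';
SELECT attr_name, attr_value
  FROM syscat.contextattributes
 WHERE contextname = 'APPSRV_CTX';
```

A connection from appsrv that does not match the address and encryption attributes is still accepted, but as an ordinary connection: it gets neither app_role nor the ability to switch users.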
Authorization
■ Verifies if an authorization ID has sufficient privileges to perform the desired database operation
  - Authorities: provide a way to group privileges and to control maintenance and utility operations (SYSADM, DBADM, SECADM, SYSMAINT, SYSCTRL, ...)
  - Privileges: allow a certain action to be taken on a database object (SELECT, UPDATE, DELETE, etc.)
  - LBAC provides a more granular approach, granting read/write access to individual rows/columns
Authorities
■ Instance-level Authorities
  - SYSADM, SYSCTRL, SYSMAINT, SYSMON
  - e.g. SYSADM: control over all resources created and maintained by the Database Manager instance
■ Database-level Authorities
  - DBADM, SECADM, SQLADM, WLMADM, EXPLAIN, ACCESSCTRL, DATAACCESS, etc.
[Diagram: SYSADM, SYSCTRL and SYSMAINT shown at the Instance level; SECADM, DBADM and LOAD shown at the database level.]
Notes: System Administrator (SYSADM authority)
Highest level of administrative authority available. Only SYSADM is allowed to perform these tasks:
- Migrate a database from a previous version to DB2 Ver 9.
- Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSADM, SYSCTRL, SYSMAINT, and SYSMON authority.
- Give grant/revoke DBADM and SECADM authority to individual users and/or groups.
1. Granting SYSADM authority to the group grp1:
- db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"
System Administrator (SYSADM Authority)
■ Highest level of administrative authority at the instance level
■ Only a user with SYSADM authority can perform the following functions:
  - Upgrade and restore a database
  - Change the database manager configuration file, including specifying the groups having SYSADM, SYSCTRL, SYSMAINT, or SYSMON authority
■ Does not implicitly get DBADM authority, so does not automatically have access to data
■ Specified by the sysadm_group parameter in the DBM CFG
■ Example: Granting SYSADM authority to the group 'grp':
UPDATE DBM CFG USING SYSADM_GROUP grp
Notes: Database Administrator (DBADM authority)
DBADM is a database-level authority and can be assigned by SYSADM to both users and groups:
- grant dbadm on database to user user1
- grant dbadm on database to group group1
DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks:
- drop database
- drop/create tablespace
- backup/restore database
- update db cfg for database
Can perform:
- create/drop table
- grant/revoke (any privilege)
Database Administrator (DBADM Authority)
■ Administrative authority over a single database
■ Does not automatically include the ability to access data
  - Ability to create objects and issue database commands
  - Create, alter, and drop non-security related database objects
  - Read log files
  - Create, activate, and drop event monitors
  - Query the state of a table space
  - Update log history files
  - Quiesce a table space
  - Reorganize a table
  - Collect catalog statistics using the RUNSTATS utility
■ DBADM authority can only be granted or revoked by the SECADM
■ Can be granted to a user, a group, or a role
Security Administrator (SECADM Authority)
■ Creates and manages security related database objects over a single database:
  - Grant and revoke database privileges and authorities
  - Create and drop:
    Security label components
    Security policies
    Security labels
    Trusted contexts
    Audit policies
    Roles
  - Execute audit routines
■ Has no inherent ability to access data stored in user tables
■ Can only be granted by a user with SECADM authority
Privileges
■ Schema Privileges
  - CREATEIN allows the user to create objects within the schema
  - ALTERIN allows the user to alter objects within the schema
  - DROPIN allows the user to drop objects from within the schema
■ Tablespace Privilege
  - USE allows the user to create tables within the tablespace
■ Table and View Privileges
  - CONTROL provides the user with all privileges for a table or view, including the ability to drop it, and to grant and revoke individual table privileges
  - DELETE allows the user to delete rows from a table or view
  - INSERT allows the user to insert a row into a table or view, and to run the IMPORT utility
  - SELECT allows the user to retrieve rows from a table or view, to create a view on a table, and to run the EXPORT utility
  - UPDATE allows the user to change an entry in a table, a view, or one or more specific columns in a table or view
  - Table Only Privileges:
    ALTER allows the user to modify a table
    INDEX allows the user to create an index on a table
    REFERENCES allows the user to create and drop a foreign key, specifying the table as the parent in a relationship
Privileges
■ Package Privileges
  - CONTROL provides the user with the ability to rebind, drop, or execute a package
  - BIND allows the user to rebind or bind that package and to add new package versions of the same package name and creator
  - EXECUTE allows the user to execute or run a package
■ Index Privileges
  - CONTROL allows the user to drop the index
■ Sequence Privileges
  - USAGE allows the user to use NEXT VALUE and PREVIOUS VALUE expressions for the sequence
  - ALTER allows the user to perform tasks such as restarting the sequence or changing the increment for future sequence values
■ Routine Privileges
  - EXECUTE allows the user to invoke a routine, create a function that is sourced from that routine, and reference the routine in any DDL statement such as CREATE VIEW or CREATE TRIGGER
Granting Privileges
■ Explicit
  - Privileges can be explicitly given to users or groups via the GRANT and REVOKE commands
    db2 grant select on table db2inst1.person to user employee
■ Implicit
  - DB2 may grant privileges automatically when certain commands are issued
    db2 create table mytable   (the user automatically gains full access to the table)
■ Indirect
  - Packages contain SQL statements in an executable format. The user only requires EXECUTE privilege to run them
  - Example: package1 contains the following static SQL statements:
    select * from test
    insert into test values (1,2,3)
  - In this case a user with EXECUTE privilege on package1 is indirectly granted SELECT and INSERT privilege on table TEST
Granular Privileges
■ Why granular privileges?
  - The need to restrict access to a specific portion of data in a table
■ How to implement?
  - Views: simulate a new table
    1. Create a view with a subset of the data from the base table
    2. Authorize the user to access the view
    3. Revoke access from the user to the base table
  - LBAC (Label Based Access Control): can restrict read/write access to rows and/or columns of a table
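The three view steps carried through as an added example (not from the slides), using the EMPLOYEE table shown on the next slide; the user carol is assumed and is assumed to hold a direct SELECT grant on EMPLOYEE:

```sql
-- Added example, not from the original slides. User carol is assumed.
-- Goal: carol may see names, divisions and offices but not SALARY or BONUS.

-- 1. Create a view exposing only the non-sensitive subset of columns.
CREATE VIEW employinfo AS
  SELECT lastname, workdiv, office FROM employee;

-- 2. Authorize the user on the view only.
GRANT SELECT ON employinfo TO USER carol;

-- 3. Revoke the user's direct access to the base table. Without this step
--    the view restricts nothing: carol could still query EMPLOYEE directly.
REVOKE SELECT ON employee FROM USER carol;

-- Verify: CAROL should now appear with SELECTAUTH = 'Y' only for the view.
-- GRANTEETYPE shows whether a row is a user ('U'), group ('G') or role ('R') grant.
SELECT tabname, grantee, granteetype, selectauth
  FROM syscat.tabauth
 WHERE tabname IN ('EMPLOYEE', 'EMPLOYINFO');
```

If carol's access to EMPLOYEE came through a group or PUBLIC rather than a direct user grant, the REVOKE ... FROM USER above leaves it in place; the GRANTEETYPE column in the same query shows which grants still exist.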
Granular Privileges - Views
■ Provides a different way of looking at data in one or more tables; it is a named specification of a result table
■ Allows multiple users to see different presentations of the same data
■ Nice for a simple security policy, but complicated to manage in large settings

EMPLOYINFO VIEW
LASTNAME  WORKDIV  OFFICE
Smith     A0       Toronto
Crnic     A0       Vancouver
Johnson   B1       Calgary
Carlson   C2       Ottawa
Pogue     B1       Toronto
King      B1       Victoria
Barisic   A0       Ottawa

EMPLOYEE TABLE
LASTNAME  WORKDIV  OFFICE     SALARY  BONUS
Smith     A0       Toronto    60000   2500
Crnic     A0       Vancouver  65000   1500
Johnson   B1       Calgary    55000   1000
Carlson   C2       Ottawa     70000   2200
Pogue     B1       Toronto    50000   200
King      B1       Victoria   52000   000
Barisic   A0       Ottawa     67000   1200

CREATE VIEW EMPLOYINFO AS SELECT LASTNAME, WORKDIV, OFFICE FROM EMPLOYEE
Granular Privileges - Label Based Access Control (LBAC)
■ Access Control at the table level via traditional privileges
  - Does the user hold the required privilege to perform the requested operation on the table?
■ Label Based Access Control
  - Sets security labels at the row level, column level or both
■ How does LBAC work?
  - Users and Objects (rows/columns) are assigned labels that are later compared to authorize access
[Diagram: example label components, a level ordering Employee < Manager and the departments DEPT1 and DEPT2]
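The row- and column-level LBAC setup the slide sketches, as an added example (not from the slides): an ordered level component (Employee < Manager) and a department component (DEPT1, DEPT2). The policy, label, table and user names are assumed, and the table is modelled on the EMPLOYEE table from the previous slide:

```sql
-- Added example, not from the original slides. Policy, label, table and user
-- names are assumed. Components, policy, labels and label grants need SECADM.

-- 1. Components: ARRAY is ordered (MANAGER dominates EMPLOYEE); SET is not.
CREATE SECURITY LABEL COMPONENT level ARRAY ['MANAGER', 'EMPLOYEE'];
CREATE SECURITY LABEL COMPONENT dept  SET   {'DEPT1', 'DEPT2'};

-- 2. A policy groups the components and fixes the comparison rules.
CREATE SECURITY POLICY emp_policy COMPONENTS level, dept WITH DB2LBACRULES;

-- 3. Labels: the values attached to rows/columns and granted to users.
CREATE SECURITY LABEL emp_policy.mgr_dept1
  COMPONENT level 'MANAGER', COMPONENT dept 'DEPT1';
CREATE SECURITY LABEL emp_policy.emp_dept1
  COMPONENT level 'EMPLOYEE', COMPONENT dept 'DEPT1';

-- 4. A protected table modelled on the slide's EMPLOYEE table: every row
--    carries a label, and SALARY additionally requires the manager label.
CREATE TABLE emp_secure (
  lastname  VARCHAR(20),
  workdiv   CHAR(2),
  office    VARCHAR(20),
  salary    INTEGER SECURED WITH mgr_dept1,
  row_label DB2SECURITYLABEL
) SECURITY POLICY emp_policy;

-- 5. Labels are granted per user and per access direction; ordinary table
--    privileges are still required on top of the label.
GRANT SECURITY LABEL emp_policy.emp_dept1 TO USER john  FOR ALL ACCESS;
GRANT SECURITY LABEL emp_policy.mgr_dept1 TO USER dayna FOR ALL ACCESS;
GRANT SELECT, INSERT ON emp_secure TO USER john, USER dayna;

-- 6. A row inserted without an explicit label receives the inserter's write
--    label: john's rows become EMPLOYEE/DEPT1, dayna's MANAGER/DEPT1.
--    john cannot write SALARY (his label does not dominate mgr_dept1), so
--    his INSERT omits it. Afterwards, SELECT lastname, office FROM emp_secure
--    returns only the EMPLOYEE-level rows for john and all DEPT1 rows for
--    dayna, and only dayna may name SALARY in a query.
INSERT INTO emp_secure (lastname, workdiv, office)          -- run as john
  VALUES ('Johnson', 'B1', 'Calgary');
INSERT INTO emp_secure (lastname, workdiv, office, salary)  -- run as dayna
  VALUES ('Smith', 'A0', 'Toronto', 60000);
```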
Roles
■ Database object that groups together one or more privileges and can be assigned to users, groups, PUBLIC or to other roles via a GRANT statement
■ Benefits
  - SECADMs control access at a level of abstraction that is close to the structure of the organization, e.g. Manager, HR, Employee
  - The assignment and maintenance of privileges is simplified
    User roles change: revoke the old role and grant the new role, not specific privileges
    Role has more responsibility: all users inherit the new privileges
[Diagram: Dayna inherits all privileges and labels of the role 'manager']
Roles - Implementation
The Basics
■ Step 1 - Create Role
■ Step 2 - Assign Privileges to a Role
■ Step 3 - Grant Role to Users
■ Step 4 - Revoke Role as necessary
CREATE ROLE DEVELOPER
GRANT SELECT ON TABLE SERVER TO ROLE DEVELOPER
GRANT ROLE DEVELOPER TO USER BOB, USER ALICE
REVOKE ROLE DEVELOPER FROM USER BOB
Extra Features
■ Role Admin Option
  - Allows the specified user to grant or revoke the role to or from others
GRANT ROLE DEVELOPER TO USER BOB WITH ADMIN OPTION
■ Role Hierarchies
  - A role hierarchy is formed when one role is granted membership in another role
CREATE ROLE DOCTOR
CREATE ROLE SPECIALIST
CREATE ROLE SURGEON
GRANT ROLE DOCTOR TO ROLE SPECIALIST
GRANT ROLE SPECIALIST TO ROLE SURGEON
Summary
■ Authentication
  - Verifies that users are who they say they are, using the underlying operating system or other security protocols
■ Trusted Context
  - Solves the problems associated with loss of user identity in a 3-tiered environment
■ Authorization
  - Controls the access to database objects
■ Granular Privileges
  - Access to a specific portion of data in a table can be restricted using views and LBAC
■ Roles
  - Allow easy management of privileges
Information Management Ecosystem Partnerships, IBM Canada Lab
Summer/Fall 2010
Questions?
E-mail: [email protected]: "DB2 Academic Workshop"