DB2 Security
I already covered parts of this topic in the past:
- In 2012, I gave an introduction to where to find granted privileges in the catalog. It covers the catalog structure and links to key tables.
- In 2011, 2013 and recently, I discussed trusted contexts, surrogates and the session user as a special form of granting privileges and switching identities. I started with a short explanation of trusted contexts. Next, this introduction covers the concept of surrogates and switching the userid via SET SESSIONUSER. As a follow-up, I looked into the catalog entries for trusted contexts and surrogates that are related to the task scheduler.
- Last year, I wrote about interesting administrative views and table functions to list privileges. As an example, I looked at implicit privileges through group membership.
What is important to know is how to extract the information from the catalog:
- The DB2 Knowledge Center provides a list of security-related views and routines.
- The same resource also has a discussion about gaining access to data through indirect means. It lists the catalog tables, and then many more ways in which data and related privileges could possibly be accessed.