记录的一部份权限管理相关的东东。
实例级权限:
SYSADM 最高管理权限,通常供DBA使用
SYSCTRL 最高系统控制权限,有SYSMAINT 和SYSMON 的全部权限
SYSMAINT 次级系统 控制权限
SYSMON 最小的实例级管理权限
Unix/Linux下的查看命令:
db2 get dbm cfg|grep "SYSADM"
db2 get dbm cfg|grep "SYSCTRL"
db2 get dbm cfg|grep "SYSMAINT"
db2 get dbm cfg|grep "SYSMON"
Windows下的查看命令:
db2 get dbm cfg |find /I "SYSADM"
db2 get dbm cfg |find /I "SYSCTRL"
db2 get dbm cfg |find /I "SYSMAINT"
db2 get dbm cfg |find /I " SYSMON "
如何授权:
DB2实例级的管理权限是和操作系统用户绑定的.所以需先创建操作系统用户.例子:假设有用户: db2ctlusr 组: db2ctlgrpLinux:groupadd db2ctlgrpuseradd -g db2ctlgrp -m -d /home/db2ctlusr db2ctlusrAIX:groupadd -g 996 db2ctlgrpmkuser id=1005 pgrp=db2ctlgrp home/home/db2ctlusr db2ctlusr
[root@O11g64 bin]# id db2ctlusruid=1053( db2ctlusr) gid=1021(db2ctlgrp) groups=1021( db2ctlgrp)
对比db2inst1:$ id db2inst1uid=110( db2inst1) gid=104(db2grp1) groups=1(staff),101( dasadm1)db2inst1 db2iadm1 DB2实例用户,用户组db2fenc1 db2fadm1 受防护的用户,用户组. 运行自定义函数和过程dasusr1 dasadm1 创建DB2管理服务器用户,用户组.
1. 参数中指定用户组:a. [root@O11g64 bin]# ./db2 get dbm cfg|grep "SYSCTRL"
SYSCTRL group name (SYSCTRL_GROUP) =
2.授与用户权限
b. [db2inst1@O11g64 ~]$ db2 update dbm cfg using SYSCTRL_GROUP db2ctlgrpDB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completedsuccessfully.SQL1362W One or more of the parameters submitted for immediate modificationwere not changed dynamically. Client changes will not be effective until thenext time the application is started or the TERMINATE command has been issued.Server changes will not be effective until the next DB2START command.
c. db2stopd. db2start
e. [db2inst1@O11g64 ~]$ db2 get dbm cfg|grep "SYSCTRL"SYSCTRL group name (SYSCTRL_GROUP) = DB2CTLGRPdb2 connect to xcldb
db2 "grant dbadm on database to user db2ctlusr"
db2 connect reset
3.收回权限
db2 connect to xcldbdb2 " revoke dbadm on database from user db2ctlusr "db2 connect reset
还有更细粒度的访问控制, 基于标签的访问控制(LBAC)
常见问题 :报 SQL5001N错误:原因是需要SYSADM权限才能更改数据库管理器配置文件使用下面命令查出组[db2inst1@O11g64 ~]$ db2 get dbm cfg|grep "SYSADM"SYSADM group name (SYSADM_GROUP) = DB2IADM1进入此组下的用户,再去执行更新权限[root@O11g64 bin]# id db2inst1uid=1051(db2inst1) gid=1010(db2iadm1) groups=1010(db2iadm1),1020(db2fadm1)
表授权命令:-- public是全部用户grant select on emp to group db2ctlgrp2
查询所有与权限相关的系统表:db2 " select substr(tabname,1,20) from syscat.tables where tabschema='SYSCAT' and tabname like '%AUTH' ";db2 " select * from DBAUTH"
角色create role myrolegrant select on table vacation to rle myrolegrant role myrole to user myusr1,user myus2revoke role myrole from user myusr1;
-- 用户可以授予或撤消其它人角色,这个到和Oracle一个样grant role myrole to user myusr1 with admin option
工作原理是在 行级,列级或行列同时设置 安全性标签,以便特定用户 是否可以访问一个表中的某些行或列.
$ id db2inst1
uid=110(db2inst1) gid=104(db2grp1) groups=1(staff),101(dasadm1)
$ db2 get dbm cfg
SYSADM group name (SYSADM_GROUP) = DB2GRP1
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
SYSMON group name (SYSMON_GROUP) =
p104
实例级权限:
SYSADM 最高管理权限,通常供DBA使用
SYSCTRL 最高系统控制权限,有SYSMAINT 和SYSMON 的全部权限
SYSMAINT 次级系统 控制权限
SYSMON 最小的实例级管理权限
Unix/Linux下的查看命令:
db2 get dbm cfg|grep "SYSADM"
db2 get dbm cfg|grep "SYSCTRL"
db2 get dbm cfg|grep "SYSMAINT"
db2 get dbm cfg|grep "SYSMON"
Windows下的查看命令:
db2 get dbm cfg |find /I "SYSADM"
db2 get dbm cfg |find /I "SYSCTRL"
db2 get dbm cfg |find /I "SYSMAINT"
db2 get dbm cfg |find /I " SYSMON "
如何授权:
DB2实例级的管理权限是和操作系统用户绑定的.所以需先创建操作系统用户.例子:假设有用户: db2ctlusr 组: db2ctlgrpLinux:groupadd db2ctlgrpuseradd -g db2ctlgrp -m -d /home/db2ctlusr db2ctlusrAIX:groupadd -g 996 db2ctlgrpmkuser id=1005 pgrp=db2ctlgrp home/home/db2ctlusr db2ctlusr
[root@O11g64 bin]# id db2ctlusruid=1053(db2ctlusr) gid=1021(db2ctlgrp) groups=1021(db2ctlgrp)
db2inst1 db2iadm1 DB2实例用户,用户组db2fenc1 db2fadm1 受防护的用户,用户组. 运行自定义函数和过程dasusr1 dasadm1 创建DB2管理服务器用户,用户组.
1. 参数中指定用户组:[root@O11g64 bin]# ./db2 get dbm cfg|grep "SYSCTRL"
SYSCTRL group name (SYSCTRL_GROUP) =
2.授与用户权限
[db2inst1@O11g64 ~]$ db2 update dbm cfg using SYSCTRL_GROUP db2ctlgrpDB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completedsuccessfully.SQL1362W One or more of the parameters submitted for immediate modificationwere not changed dynamically. Client changes will not be effective until thenext time the application is started or the TERMINATE command has been issued.Server changes will not be effective until the next DB2START command.
db2stopdb2start
[db2inst1@O11g64 ~]$ db2 get dbm cfg|grep "SYSCTRL"SYSCTRL group name (SYSCTRL_GROUP) = DB2CTLGRPdb2 connect to xcldb
db2 "grant dbadm on database to user db2ctlusr"
db2 connect reset
3.收回权限
db2 connect to xcldbdb2 " revoke dbadm on database from user db2ctlusr "db2 connect reset
常见问题 :报SQL5001N错误:原因是需要SYSADM权限才能更改数据库管理器配置文件使用下面命令查出组[db2inst1@O11g64 ~]$ db2 get dbm cfg|grep "SYSADM"SYSADM group name (SYSADM_GROUP) = DB2IADM1进入此组下的用户,再去执行更新权限[root@O11g64 bin]# id db2inst1uid=1051(db2inst1) gid=1010(db2iadm1) groups=1010(db2iadm1),1020(db2fadm1)
[root@O11g64 bin]# ./db2 update dbm cfg using SYSCTL_GROUP db2ctlgrpSQL0104N An unexpected token "SYSCTL_GROUP" was found following "USING".Expected tokens may include: "AGENTPRI". SQLSTATE=42601
其它的-- public是全部用户grant select on emp to group db2ctlgrp2
查询-- 所有与权限相关的系统表db2 " select substr(tabname,1,20) from syscat.tables where tabschema='SYSCAT' and tabname like '%AUTH' ";db2 " select * from DBAUTH"
角色create role myrolegrant select on table vacation to rle myrolegrant role myrole to user myusr1,user myus2revoke role myrole from user myusr1;
-- 用户可以授予或撤消其它人角色,这个到和Oracle一个样grant role myrole to user myusr1 with admin option
还有更细粒度的访问控制,基于标签的访问控制(LBAC)工作原理是在 行级,列级或行列同时设置 安全性标签,以便特定用户 是否可以访问一个表中的某些行或列.
这个好像没用上,不深究了.