This is a discussion on Newbee question - why no create user in DB2 ? within the DB2 forums, part of the Database Server Software category.
Hi, I'm new to DB2 (from an Oracle background) and have some fundamental questions.

In Oracle, you create a user account "within the database" to let the user log on to the database. There is no tie between the Unix account (or other operating system) and the Oracle user account - that you can log on to the server machine does not mean you can log on to the database implicitly.

However, I notice that there is no account creation in DB2 v8 UDB server.

1. So am I correct to say that everyone who has a valid Unix (or any O/S) account on the DB2 server machine will be able to connect to the database (authentication=SERVER)?

2. What if I only want a few Unix users to be able to log on to the database to do their job? In other words, how do I restrict the implicit authentication (based on the O/S) to only a few users?

Looks like my concept with Oracle does not apply to DB2. Hope someone can help. Thanks

Tom

DB2 does not have internal authentication ... authentication is provided by the OS. But authorization IS provided by DB2 (as it is with other RDBMSes). So once you are authenticated by the OS and by DB2, you must use the internal authorization facilities of DB2 to grant access for that user to objects, packages, etc. Answers below.

cmc wrote:
> Hi, I'm new to DB2 (from an Oracle background) and have some fundamental
> questions.
>
> In Oracle, you create a user account "within the database" to let the user
> log on to the database. There is no tie between the Unix account (or other
> operating system) and the Oracle user account - that you can log on to the
> server machine does not mean you can log on to the database implicitly.
>
> However, I notice that there is no account creation in DB2 v8 UDB server.
> 1. So am I correct to say that everyone who has a valid Unix (or any O/S)
> account on the DB2 server machine will be able to connect to the database
> (authentication=SERVER)?

No. You must either have a privilege to connect.

> 2. What if I only want a few Unix users to be able to log on to the database
> to do their job? In other words, how do I restrict the implicit
> authentication (based on the O/S) to only a few users?

There is no implicit authorization for "normal" users. If they are sysadmin, that is a different story. But for just plain old users, they must be given the right privilege in DB2. See the GRANT command.

> Looks like my concept with Oracle does not apply to DB2. Hope someone can
> help. Thanks
> Tom

Larry Edelstein
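
Added example, not part of the original thread: the GRANT-based restriction Larry points to, written as DB2 SQL. It assumes a database created with default settings, in which case PUBLIC holds CONNECT and a few other database-level privileges from creation time; the user TOM, the group DBUSERS and the table APP.ORDERS are hypothetical names.

```sql
-- Run while connected to the target database as a user with SYSADM or DBADM.
-- TOM, DBUSERS and APP.ORDERS are hypothetical names used for illustration.

-- 1. List every grantee that currently holds CONNECT.
--    GRANTEETYPE is 'U' for a user and 'G' for a group. A PUBLIC row here
--    means any account the OS authenticates can connect.
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y';

-- 2. Take the database-level privileges away from PUBLIC.
REVOKE CONNECT, CREATETAB, BINDADD, IMPLICIT_SCHEMA
    ON DATABASE FROM PUBLIC;

-- 3. Grant CONNECT only to the OS accounts or groups that need it.
--    The names must exist in the OS; DB2 does not create them.
GRANT CONNECT ON DATABASE TO USER TOM;
GRANT CONNECT ON DATABASE TO GROUP DBUSERS;

-- 4. CONNECT alone gives no access to data. Object privileges are
--    granted separately, per table, view, package and so on.
GRANT SELECT ON TABLE APP.ORDERS TO GROUP DBUSERS;

-- 5. Re-run the check. PUBLIC should no longer appear. Holders of
--    administrative authorities (the "sysadmin" case mentioned above)
--    still connect regardless of these grants.
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y';
```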

Larry wrote:
> DB2 does not have internal authentication ... authentication is provided
> by the OS. But authorization IS provided by DB2 (as it is with other
> RDBMSes). So once you are authenticated by the OS and by DB2, you must
> use the internal authorization facilities of DB2 to grant access for
> that user to objects, packages, etc.

The basic, underlying idea in DB2 is to not have two instances that are responsible for authentication (OS and DBMS). To further support that approach you can implement your own user exit that does the authentication in whichever way you like.

--
Knut Stolze
Information Integration
IBM Germany / University of Jena

I assume the first point refers to central User Authentication management.

But I do not quite understand the second point. Can you further elaborate?

Do you mean an application developer can use a USER Exit to call the authentication API to the OS (or an API facility like LDAP)?

Thanks
Tom

"Knut Stolze" <stolze@de.ibm.com> wrote in message news:d3vnr3$ica$1@fsuj29.rz.uni-jena.de...
> Larry wrote:
>
> > DB2 does not have internal authentication ... authentication is provided
> > by the OS. But authorization IS provided by DB2 (as it is with other
> > RDBMSes). So once you are authenticated by the OS and by DB2, you must
> > use the internal authorization facilities of DB2 to grant access for
> > that user to objects, packages, etc.
>
> The basic, underlying idea in DB2 is to not have two instances that are
> responsible for authentication (OS and DBMS). To further support that
> approach you can implement your own user exit that does the authentication
> in whichever way you like.
>
> --
> Knut Stolze
> Information Integration
> IBM Germany / University of Jena

cmc wrote:
> I assume the first point refers to central User Authentication management.
>
> But I do not quite understand the second point. Can you further elaborate?
>
> Do you mean an application developer can use a USER Exit to call the
> authentication API to the OS (or an API facility like LDAP)?
>
> Thanks
> Tom
>
> "Knut Stolze" <stolze@de.ibm.com> wrote in message
> news:d3vnr3$ica$1@fsuj29.rz.uni-jena.de...
>
>>Larry wrote:
>>
>>>DB2 does not have internal authentication ... authentication is provided
>>>by the OS. But authorization IS provided by DB2 (as it is with other
>>>RDBMSes). So once you are authenticated by the OS and by DB2, you must
>>>use the internal authorization facilities of DB2 to grant access for
>>>that user to objects, packages, etc.
>>
>>The basic, underlying idea in DB2 is to not have two instances that are
>>responsible for authentication (OS and DBMS). To further support that
>>approach you can implement your own user exit that does the authentication
>>in whichever way you like.
>>
>>--
>>Knut Stolze
>>Information Integration
>>IBM Germany / University of Jena

Not the app-developer, but the DBA can set it up. Search for "Security Plugin" in the Information Center.

Cheers
Serge
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab