DB2 - Problem description
Problem IC64176 | Status: Closed |
ON WINDOWS TOOLS CATLOG DB CREATED DURING INSTALL (BY LOCALSYSTEM) CAN NOT BE ACCESSED BY NORMAL USERS | |
product: | |
DB2 FOR LUW / DB2FORLUW / 970 - DB2 | |
Problem description: | |
When DB2 is installed on a Windows system, all configuration tasks are executed under the LocalSystem account, including creation of the Tools Catalog database if the user selects it. Thus, for a database created during the install, the creating user account is always "SYSTEM" on Windows platforms. Because the DB2 authorization model was enhanced in V9.7 to allow separation of duties, a user who holds SYSADM authority no longer has implicit DBADM authority, so a SYSADM user has limited capabilities compared to those available in Version 9.5. http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.wn.doc/doc/c0054241.html Only the creator of the database has the DBADM, DATAACCESS, ACCESSCTRL, and SECADM authorities. Because LocalSystem is not a normal user account that you can log in with, the user is stuck when he or she tries to work on the database that was created during the install. | |
Problem Summary: | |
USERS AFFECTED: ALL

PROBLEM DESCRIPTION:
When DB2 is installed on a Windows system, all configuration tasks are executed under the LocalSystem account, including creation of the Tools Catalog database if the user selects it. Thus, for a database created during the install, the creating user account is always "SYSTEM" on Windows platforms.
Because the DB2 authorization model was enhanced in V9.7 to allow separation of duties, a user who holds SYSADM authority no longer has implicit DBADM authority, so a SYSADM user has limited capabilities compared to those available in Version 9.5.
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.wn.doc/doc/c0054241.html
Only the creator of the database has the DBADM, DATAACCESS, ACCESSCTRL, and SECADM authorities. Because LocalSystem is not a normal user account that you can log in with, the user is stuck when he or she tries to work on the database that was created during the install.

RECOMMENDATION:
(1). Drop the Tools Catalog db that was created during install, and recreate it. The creator will have DBADM and SECADM access to this database.
(2). If you do not want to recreate the db, follow the steps provided below to grant SECADM to a specified user after the install.
What the customer needs to do is to start a command prompt window as LocalSystem and issue the grant from the window to the id of their choosing.
1). From a command window, issue the 'at' command with a future time (say 1 min later), for example:
C:\Documents and Settings\ at 10:35 /interactive cmd.exe
2). In the new cmd window, issue db2cmd.
3). connect to test -> it shows the auth id is SYSTEM. You can then grant.

Upgrade to DB2 V97 FP2 when available
Local Fix: | |
(1). Drop the Tools Catalog db that was created during install, and recreate it. The creator will have DBADM and SECADM access to this database.
(2). If you do not want to recreate the db, follow the steps provided below to grant SECADM to a specified user after the install.
What the customer needs to do is to start a command prompt window as LocalSystem and issue the grant from the window to the id of their choosing.
1). From a command window, issue the 'at' command with a future time (say 1 min later), for example:
C:\Documents and Settings\ at 10:35 /interactive cmd.exe
2). In the new cmd window, issue db2cmd.
3). connect to test -> it shows the auth id is SYSTEM. You can then grant.
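Step 3 of the local fix written out as a DB2 CLP script, as an added example that is not part of the APAR text. It assumes the database name `test` used in step 3, a hypothetical account `APPADMIN` as the grantee, and a hypothetical script name `grant_secadm.sql`.

```sql
-- Added example, not IBM's own script. Run it in the db2cmd window that
-- was started as LocalSystem (steps 1 and 2):
--     db2 -tvf grant_secadm.sql
-- Assumptions: database "test" (as in step 3), grantee APPADMIN and the
-- script file name are hypothetical placeholders.

CONNECT TO test;

-- Confirm the session really runs under the SYSTEM authorization ID
-- before changing any authority.
VALUES SESSION_USER;

-- Before: list every holder of the database-level authorities the APAR
-- names. On an affected install only SYSTEM is expected to appear.
SELECT SUBSTR(GRANTEE, 1, 20) AS GRANTEE,
       GRANTEETYPE,
       DBADMAUTH,
       SECURITYADMAUTH,
       DATAACCESSAUTH,
       ACCESSCTRLAUTH
  FROM SYSCAT.DBAUTH
 WHERE 'Y' IN (DBADMAUTH, SECURITYADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH);

-- The grant described in the local fix: give SECADM to one named user.
GRANT SECADM ON DATABASE TO USER APPADMIN;

-- After: the grantee should now show SECURITYADMAUTH = 'Y'.
SELECT SUBSTR(GRANTEE, 1, 20) AS GRANTEE,
       GRANTEETYPE,
       DBADMAUTH,
       SECURITYADMAUTH,
       DATAACCESSAUTH,
       ACCESSCTRLAUTH
  FROM SYSCAT.DBAUTH
 WHERE 'Y' IN (DBADMAUTH, SECURITYADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH);

CONNECT RESET;
```

Once the named user holds SECADM, that user can connect from a normal logon session and grant DBADM, DATAACCESS or ACCESSCTRL to the accounts that need them, so the LocalSystem prompt is needed only for this one grant.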
available fix packs: | |
DB2 Version 9.7 Fix Pack 2 for Linux, UNIX, and Windows | |
Solution | |
Workaround | |
not known / see Local fix | |
BUG-Tracking | |
forerunner : APAR is sysrouted TO one or more of the following: IC67006 follow-up : | |
Timestamps | |
Date - problem reported : 27.10.2009
Date - problem closed : 14.05.2010
Date - last modified : 14.05.2010
Problem solved at the following versions (IBM BugInfos) | |
9.7.FP2 | |
Problem solved according to the fixlist(s) of the following version(s) | |
9.7.0.2 |