DB2 - Problem description
Problem IC69906 | Status: Closed
USE TRUSTED CONTEXT CONNECT AUTHORIZATION BASE UPON CONNECTION USING SYSTEM AUTHORIZATION ID
Product: DB2 FOR LUW / DB2FORLUW / 970 - DB2
Problem description:
One of the capabilities trusted contexts provide is the ability for the user of that trusted context to inherit a database role. For example, a customer could choose to grant SELECT privilege on the payroll table to a role and make that role available only through a trusted context. That is, users will not be able to take advantage of the role (and consequently the SELECT privilege on the payroll table) when they are operating outside the scope of that trusted context.

Prior to 9.7 Fix Pack 3, roles inherited through trusted contexts were not taken into account when checking for CONNECT privilege at database connection time. This restriction is being removed in 9.7 FP3.

One immediate application of this enhancement is the ability to restrict where an end user may connect to the database from. For example, suppose the security administrator has a requirement to allow user newton to connect to the database only from IP address a.b.c.d. To implement this requirement, the security administrator first makes sure that CONNECT privilege is not granted to PUBLIC and is not granted to user newton or to any role or group he is a member of. They also make sure user newton does not hold a database or database manager authority that carries implicit CONNECT privilege to the database (e.g., DBADM or SYSADM). Then, they create a role R and grant CONNECT privilege to that role. Next, they create a trusted context object for user newton that offers role R when newton connects to the database from IP address a.b.c.d. That is it! The security administrator has now implemented the requirement.
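The procedure above, written out as DB2 SQL. This is an added example, not text from the APAR: it assumes the connecting authorization ID is NEWTON and names the trusted context CTX_NEWTON; role R and the placeholder address a.b.c.d are taken from the description. On a server older than 9.7 FP3 the final connection would still be rejected, because CONNECT held only through the context role was not considered at connect time.

```sql
-- Added example (not IBM's text). Assumed names: NEWTON, CTX_NEWTON.
-- a.b.c.d is the placeholder address from the problem description.

-- 1. Make sure CONNECT is not reachable outside the trusted context.
--    The REVOKE from NEWTON is only needed if it was granted directly
--    (DB2 reports an error when revoking a privilege that is not held).
REVOKE CONNECT ON DATABASE FROM PUBLIC;
REVOKE CONNECT ON DATABASE FROM USER NEWTON;

-- Check: who still holds CONNECT, or DBADM (which implies CONNECT).
-- NEWTON, his groups and his roles must not appear in this result.
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH, DBADMAUTH
  FROM SYSCAT.DBAUTH
 WHERE CONNECTAUTH = 'Y' OR DBADMAUTH = 'Y';

-- Check: roles NEWTON is a member of directly (compare against the
-- result above before trusting that no role leaks CONNECT to him).
SELECT ROLENAME, GRANTEE, GRANTEETYPE
  FROM SYSCAT.ROLEAUTH
 WHERE GRANTEE = 'NEWTON';

-- 2. Create the role that carries CONNECT and nothing else.
CREATE ROLE R;
GRANT CONNECT ON DATABASE TO ROLE R;

-- 3. Offer role R only when NEWTON connects from a.b.c.d.
CREATE TRUSTED CONTEXT CTX_NEWTON
  BASED UPON CONNECTION USING SYSTEM AUTHID NEWTON
  ATTRIBUTES (ADDRESS 'a.b.c.d')
  DEFAULT ROLE R
  ENABLE;

-- Verify the definition and its address attribute.
SELECT CONTEXTNAME, SYSTEMAUTHID, DEFAULTCONTEXTROLE, ENABLED
  FROM SYSCAT.CONTEXTS
 WHERE CONTEXTNAME = 'CTX_NEWTON';

SELECT CONTEXTNAME, ATTR_NAME, ATTR_VALUE
  FROM SYSCAT.CONTEXTATTRIBUTES
 WHERE CONTEXTNAME = 'CTX_NEWTON';
```

With this in place, a connection by NEWTON from any other address finds no CONNECT privilege and is refused, while a connection from a.b.c.d is trusted, receives role R and succeeds.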
Problem Summary:
Local Fix:
Available fix packs:
DB2 Version 9.7 Fix Pack 3 for Linux, UNIX, and Windows
Solution
Workaround
not known / see Local fix
Comment
USE TRUSTED CONTEXT CONNECT AUTHORIZATION BASE UPON CONNECTION USING SYSTEM AUTHORIZATION ID
BUG-Tracking
forerunner : APAR is sysrouted TO one or more of the following: IC70318 IC78060
follow-up :
Timestamps
Date - problem reported : 14.07.2010
Date - problem closed : 23.09.2010
Date - last modified : 23.09.2010
Problem solved at the following versions (IBM BugInfos)
9.7.0.3
Problem solved according to the fixlist(s) of the following version(s)
9.7.0.3