How to Grant All Privileges to Local db2admin with DB2 9.7 on Windows

db2permissionswindows

I have as my developer station a laptop with OS Windows XP Professional Edition, Service Pack 3.

I have downloaded and installed IBM DB2 UDB 9.7 fix pack 4, of the Express-C edition.

I have a local Windows account called db2admin that I am using as my local database administrator for my local install of DB2 (developer purposes only).

I can run the following without issues when running the Command Window:

db2 attach to db2 user db2admin using xxxxxxxxxx

That allows me to attach to my instance called DB2.

I can run my create database commands.

I then attempt to connect to the database to grant all privileges for my db2admin account in DB2.

db2 CONNECT TO MYDB;
SET SCHEMA DB2ADMIN;
db2 GRANT DBADM,CREATETAB,BINDADD,CONNECT,CREATE_NOT_FENCED_ROUTINE,IMPLICIT_SCHEMA,LOAD,CREATE_EXTERNAL_ROUTINE,QUIESCE_CONNECT,SECADM ON DATABASE TO USER DB2ADMIN;
CONNECT RESET;

However when I run that, it DB2 tells me that my actual windows user account (synprgcma) does not have authority to grant authority to user db2admin.

So if I change the second script to the following:

db2 CONNECT TO MYDB USER db2admin USING xxxxxxxx;
SET SCHEMA DB2ADMIN;
db2 GRANT DBADM,CREATETAB,BINDADD,CONNECT,CREATE_NOT_FENCED_ROUTINE,IMPLICIT_SCHEMA,LOAD,CREATE_EXTERNAL_ROUTINE,QUIESCE_CONNECT,SECADM ON DATABASE TO USER DB2ADMIN;
CONNECT RESET;

Then DB2 tells me that db2admin cannot revoke or grant authority to itself (actually it tells me that an id cannot revoke or grant authority to itself).

So I am stumped. I did not have this problem with my previous install of DB2 (9.5, and I don't remember which fix pack I was at).

How do I grant the necessary authorities to the local admin account? I believe I need this in order to run a bind command that I need to do next:

db2 CONNECT TO MYDB;
db2 bind @db2cli.lst blocking all grant public sqlerror continue CLIPKG 20;
db2 CONNECT RESET;

Any help would be appreciated.

Edit: I've found some of the following links related to this. Still not sure yet how to get it working, but at least I've found some
documentation.

http://www.db2teamblog.com/2009/06/whats-new-in-db2-97.html

http://lpetr.org/blog/archives/simplify-the-db2-9-7-security-model

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.sql.ref.doc%2Fdoc%2Fr0000958.html

http://www.ibm.com/developerworks/forums/thread.jspa?messageID=14288459

http://publib.boulder.ibm.com/infocenter/tivihelp/v4r1/index.jsp?topic=%2Fcom.ibm.tpc_V422.doc%2Ffqz0_t_preparing_to_install_db2_windows.html

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0055206.html

http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0005479.html

Best Answer

Based on the last above links in my edit to my question I found my answer. I cannot tweak the system account since our logons to our system are from an LDAP and I cannot control the groups and what not.

So I did the following:

Opened the DB2 GUI (was easiest to do this way).
Connected to the desired database as db2admin.
Added my logon to the database as a user.
GRANT all authorities to that id (my id).
Disconnect.
Connect to the desired database as my id.
GRANT all authorities to db2admin.
Disconnect.

Voila! The db2admin logon now as all authorities.

EDIT: I'm going to leave the above as it helped me learn how to do some interesting stuff in DB2. However, I have learned that the DBADM/SECADM with DATAACCESS and ACCESSCTRL authorities granted the instance owner (in my case the db2admin id) have all the authority needed to interact with the database. I could have actually just commented out those grant lines above in the script. Those were left over from a script which ran against an older version of DB2. I have also found if I need to have the instance owner DBADM after doing a restore to database A from database B, it is easiest just to set the registry variable DB2_RESTORE_GRANT_ADMIN_AUTHORITY to YES (available in Fix Pack 2 and above). Then I don't have to try to grant instance owner DBADM. It automatically is granted that to any database restored into the instance. If you are not at Fix Pack 5, you have to bounce the instance for this to take affect.

Related Solutions

Disable Security in DB2 Express on Windows 7

The short answer to this problem is that you need to set the DB2 registry variable DB2_GRP_LOOKUP to local.

As a local administrator on your PC (i.e. not using your domain account), start a DB2 Command Window and issue the following:

db2set DB2_GRP_LOOKUP=local
db2stop
db2start

The reason this occurs has to do with how DB2 enumerates which groups a user belongs to upon successful authentication. In a Windows Domain environment, the default group enumeration behavior is to ask the system that authenticated the user: If a user is authenticated by the local machine, DB2 asks the local machine what groups belongs to; if the user is authenticated by the domain, DB2 will ask the domain what groups the user belongs to - and it will not ask the local machine.

So, when you connect to DB2 using your domain ID, DB2 asks the domain controller what groups you belong to, so it does not see that your ID belongs to the Administrators group on your local PC.

When you set DB2_GRP_LOOKUP=local, this modifies this behavior: It tells DB2 to always enumerate groups from the local machine, regardless of whether the user was authenticated by the domain or the local machine.

After doing this, DB2 will see that your Domain ID belongs to the local Administrators group, and you'll end up with full SYSADM privileges (and the ability to create a database).

DB2 DBM paramter NUMDB has value 8. Should I change it to 1 because I have only one database

Information Center is pretty reliable, and I don't see any indication that it will divide memory for non-existent databases. Do you have another link that indicates that?

Otherwise, it is meant to be the maximum number of allowable activated/connected to databases. So there is no need to set it high (I believe by default it is set to something like 12).

Based on the page you have, it is recommended that you set it to the number of databases you have + 10% for room for growth. So if you have 1 database, you would want 1 database + 10% (which in this case would round up) so you would set it to 2.

The reason I believe IBM recommends this, is that you can sometimes get caught with NUMDB less than your number of databases. We have had this happen to us on several occasions in our development and QAT environments. We set the number of databases to something like 9 or 10. And then the developers decided they needed another database. We DBA's ran the CREATE DATABASE script like usual and it didn't fail. However, when the developers tried to access the new database, they got errors (I don't remember the exact SQLCODE off the top of my head). And it turned out we needed to up the value of NUMDB as we had reached the maximum number of activated/connected databases.

So I would follow IBM's recommendation, which in your case would be to set NUMDB to 2. This gives you what you need with some room for growth.

I think this also might not be a "hot" setting, thus requiring you to run db2stop and db2start for it to take affect.

Best Answer

Related Solutions

Disable Security in DB2 Express on Windows 7

DB2 DBM paramter NUMDB has value 8. Should I change it to 1 because I have only one database

Related Question