Wednesday, July 6, 2011

What's with DBADM in DB2 9.7

DB2 seems to have taken the 'separation of duties' principle to heart. This is really good from a security point of view. Starting with 9.7, the database administrator authority (DBADM), by itself, no longer has implicit access to DB2 data! This means an admin who holds only DBADM can no longer *see* sensitive data (think credit card numbers) stored in the database.
A separate authority called DATAACCESS was introduced, and it does carry implicit access to data. When granting someone DBADM, the default is still to grant DATAACCESS as well, but this can be changed using
GRANT DBADM WITHOUT DATAACCESS ON DATABASE TO USER <username>
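
Because DATAACCESS is still granted by default, it is worth checking who already holds both authorities. The statements below are an added example, not part of the original post; APPDBA and OLDDBA are hypothetical user names, and the statements are assumed to be run by a user with SECADM authority.

```sql
-- Added example. APPDBA and OLDDBA are hypothetical user names.
-- Assumption: the session user holds SECADM, which 9.7 requires
-- for granting or revoking DBADM and DATAACCESS.

-- 1. New administrator: administrative authority only, no implicit
--    access to table data.
GRANT DBADM WITHOUT DATAACCESS ON DATABASE TO USER APPDBA;

-- 2. Audit: every grantee that holds DBADM together with DATAACCESS,
--    i.e. administrators who can still read the data. ACCESSCTRLAUTH
--    is listed alongside for review.
SELECT GRANTEE,
       GRANTEETYPE,       -- U = user, G = group, R = role
       DBADMAUTH,
       DATAACCESSAUTH,
       ACCESSCTRLAUTH
FROM   SYSCAT.DBAUTH
WHERE  DBADMAUTH = 'Y'
  AND  DATAACCESSAUTH = 'Y'
ORDER  BY GRANTEE;

-- 3. Existing administrator who received DATAACCESS by default:
--    remove the data access and leave DBADM in place.
REVOKE DATAACCESS ON DATABASE FROM USER OLDDBA;

-- 4. Confirm the result for that user: DBADMAUTH should be 'Y'
--    and DATAACCESSAUTH 'N'.
SELECT GRANTEE, DBADMAUTH, DATAACCESSAUTH
FROM   SYSCAT.DBAUTH
WHERE  GRANTEE = 'OLDDBA';
```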

 
