

DB2 Provisioning Roles and Account Templates

DB2 UDB authorization names correspond to users and groups defined in the underlying operating system, so by assigning account templates for that operating system to the same provisioning role that carries the DB2 UDB account template, you can manage the operating system accounts and groups together with the DB2 UDB authorization names. Provisioning roles and account templates therefore let you manage all aspects of DB2 UDB database security from one place.

The DB2 UDB Default Policy, provided with the DB2 UDB Connector, gives a user the minimum security level needed to access an endpoint. You can use it as a model to create new account templates.

Create Account Templates

The Default Account Template, provided with each connector, gives a user the minimum security level needed to access an endpoint. You can use it as a model to create new account templates.

To create an account template

  1. Click the Provisioning Roles task button, select the connector's Account Template in the Object Type drop-down list box and click New.

    The Account Template Property Sheet for the specified connector appears.

  2. Complete the Account Template Property Sheet by:
    1. Selecting an endpoint to populate the drop-down and group selection lists.
    2. Selecting group memberships and other account settings.
    3. Clicking OK.

    A new account template is created for your connector.

DB2 UDB Users

In CA Identity Manager, a DB2 UDB User gives a person access to the resources on an endpoint. CA Identity Manager lets you manage all DB2 UDB authorization names of type User from the Endpoint Type task view. Use the DB2 UDB User property sheet when managing your users.

DB2 UDB Groups

CA Identity Manager lets you create and maintain DB2 UDB authorization names of type Group from the Endpoint Type task view. Use the DB2 UDB Group property sheet when managing your groups.

Add New Endpoint Request

When the DB2 Connector receives an 'Add new endpoint' request, it:

  1. Catalogs a new DB2 Local or TCP/IP node for the instance.
  2. Catalogs a new DB2 Database entry for the database.
  3. Configures an ODBC system data source for the database.

How to Synchronize an Account from an Account Template

These are the rules for account synchronization from an account template in the DB2 Connector.

  1. During the account synchronization process, when multiple account templates are associated with a DB2 account, the DB2 Connector merges those account templates to generate an intermediate effective account template. During the merge, if different account templates hold conflicting settings for the same authority, database privilege, or object privilege, the DB2 Connector selects the most restrictive setting.

    For example, if Account Template One grants DBADM and Account Template Two does not, the effective account template does not grant DBADM. Another example: If Account Template One grants CONTROL and SELECT with GRANT option on view SYSCAT.ATTRIBUTES, but Account Template Two revokes CONTROL from and grants SELECT on view SYSCAT.ATTRIBUTES, the effective account template grants only SELECT on view SYSCAT.ATTRIBUTES and revokes CONTROL from SYSCAT.ATTRIBUTES.

  2. If any of the merged account templates is set to use strong synchronization, the DB2 Connector applies the effective account template to the account using strong synchronization. Otherwise, it applies the effective account template using weak synchronization.
  3. For strong synchronization, the DB2 Connector replaces the account's authorities and privilege settings with that of the effective account template.
  4. For weak synchronization, if there is a difference between the account settings and the effective account template, the DB2 Connector uses the setting that has the higher restriction.

    For example, if an account is granted DBADM and the effective account template does not grant DBADM, the account loses DBADM. If an account is not granted DBADM and the effective account template grants DBADM, the account is still not granted DBADM. In other words, weak synchronization can only remove authorities and privileges from an account; it never adds them. To grant new access through an account template, use strong synchronization.

    Another example: If an account is granted CONTROL and SELECT with GRANT option on view SYSCAT.ATTRIBUTES, but the effective account template revokes CONTROL from and grants SELECT on view SYSCAT.ATTRIBUTES, the account is granted only SELECT on view SYSCAT.ATTRIBUTES and CONTROL is revoked from SYSCAT.ATTRIBUTES.

    When checking account or account template synchronization, the same process of generating an effective account template applies, as do the rules of comparison. If synchronizing the account with the effective account template would not change the account's authority and privilege settings, the DB2 Connector considers the account synchronized with its associated account templates.
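The four rules above, worked through in code. This is an added illustrative model written for this page, not the DB2 Connector's own implementation: the setting keys ("DBADM", "SYSCAT.ATTRIBUTES:SELECT"), the numeric restriction ordering REVOKE < GRANT < GRANT WITH GRANT OPTION, the sample account "appuser", and the extra object privilege on "APP.ORDERS" are assumptions constructed for the example. It reproduces the two DBADM and SYSCAT.ATTRIBUTES examples from the text, then goes one step further than the text by showing what happens to a privilege the templates do not mention at all under weak versus strong synchronization.

```python
"""Model of the DB2 Connector's account-template merge and synchronization
rules: several templates -> one effective template -> strong or weak sync.

Illustrative model only, not the connector's own code. Setting names and
the numeric restriction ordering are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Restriction ordering for a single setting: a lower number is more
# restrictive. "Not granted" / revoked is the floor, GRANT ... WITH GRANT
# OPTION the ceiling. Authorities such as DBADM only use REVOKE / GRANT.
REVOKE, GRANT, GRANT_WITH_GRANT = 0, 1, 2

# A setting key is an authority name (e.g. "DBADM") or
# "<object>:<privilege>" for an object privilege
# (e.g. "SYSCAT.ATTRIBUTES:SELECT"). Assumed naming, not the connector's.
Settings = Dict[str, int]


@dataclass
class AccountTemplate:
    name: str
    settings: Settings
    strong_sync: bool = False


@dataclass
class Account:
    name: str
    settings: Settings = field(default_factory=dict)


def normalize(settings: Settings) -> Settings:
    """Drop explicit REVOKE entries: an account that was never granted X and
    one that had X revoked hold the same privileges, so compare them equal."""
    return {k: v for k, v in settings.items() if v != REVOKE}


def merge_templates(templates: List[AccountTemplate]) -> Tuple[Settings, bool]:
    """Rules 1 and 2: build the intermediate effective template.
    For every setting named by at least one template keep the most
    restrictive value; strong sync applies if any template asks for it."""
    effective: Settings = {}
    for tpl in templates:
        for key, level in tpl.settings.items():
            effective[key] = min(level, effective.get(key, level))
    return effective, any(t.strong_sync for t in templates)


def apply_strong(account: Settings, effective: Settings) -> Settings:
    """Rule 3: the account's authorities and privileges are replaced by the
    effective template's. Anything the account held that the effective
    template does not mention is therefore dropped (assumed reading)."""
    return dict(effective)


def apply_weak(account: Settings, effective: Settings) -> Settings:
    """Rule 4: where account and effective template differ, the more
    restrictive side wins. A setting the account lacks counts as REVOKE, so
    weak sync can only take privileges away, never add them; settings the
    templates are silent on are left untouched."""
    result = dict(account)
    for key, level in effective.items():
        result[key] = min(account.get(key, REVOKE), level)
    return result


def synchronize(account: Account, templates: List[AccountTemplate]) -> Settings:
    """Return the settings the account would hold after synchronization."""
    effective, strong = merge_templates(templates)
    apply = apply_strong if strong else apply_weak
    return normalize(apply(account.settings, effective))


def is_synchronized(account: Account, templates: List[AccountTemplate]) -> bool:
    """Synchronization check: the account counts as in sync when applying
    the effective template would not change any authority or privilege."""
    return synchronize(account, templates) == normalize(account.settings)


if __name__ == "__main__":
    # The two examples from the text: template One is generous, Two is strict.
    one = AccountTemplate("One", {"DBADM": GRANT,
                                  "SYSCAT.ATTRIBUTES:CONTROL": GRANT,
                                  "SYSCAT.ATTRIBUTES:SELECT": GRANT_WITH_GRANT})
    two = AccountTemplate("Two", {"DBADM": REVOKE,
                                  "SYSCAT.ATTRIBUTES:CONTROL": REVOKE,
                                  "SYSCAT.ATTRIBUTES:SELECT": GRANT})
    # Constructed sample account; APP.ORDERS is an assumed object neither
    # template mentions, which is what separates weak from strong sync.
    appuser = Account("appuser", {"DBADM": GRANT,
                                  "SYSCAT.ATTRIBUTES:CONTROL": GRANT,
                                  "SYSCAT.ATTRIBUTES:SELECT": GRANT_WITH_GRANT,
                                  "APP.ORDERS:INSERT": GRANT})
    print("effective:", merge_templates([one, two]))
    print("weak sync  :", synchronize(appuser, [one, two]))
    two.strong_sync = True
    print("strong sync:", synchronize(appuser, [one, two]))
    print("in sync?   :", is_synchronized(appuser, [one, two]))
```

Running the script shows the practical consequence of rule 4: under weak synchronization appuser keeps its unrelated INSERT on APP.ORDERS while losing DBADM, CONTROL and the WITH GRANT OPTION on SELECT; switching either template to strong synchronization also strips the INSERT, because the effective template replaces the account's settings outright. When auditing why an account still holds a privilege its templates never mention, check the synchronization mode first.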