Previous Topic: Add New Endpoint RequestNext Topic: IBM DB2 UDB for z/OS Connector

Connector GuidesConnectors GuideConnecting to EndpointsIBM DB2 UDB ConnectorConnector-Specific FeaturesHow to Synchronize an Account from an Account Template

How to Synchronize an Account from an Account Template

These are the rules for account synchronization from an account template in the DB2 Connector.

  1. During the account synchronization process, when there are multiple account templates associated with a DB2 account, the DB2 connector merges those account templates to generate an intermediate effective account template. During the merge, if there are conflicting settings with the same authority, database privilege, or object privilege among the different account templates, the DB2 Connector selects the setting with the highest restriction.

    For example, if Account Template One grants DBADM and Account Template Two does not, the effective account template does not grant DBADM. Another example: If Account Template One grants CONTROL and SELECT with GRANT option on view SYSCAT.ATTRIBUTES, but Account Template Two revokes CONTROL from and grants SELECT on view SYSCAT.ATTRIBUTES, the effective account template grants only SELECT on view SYSCAT.ATTRIBUTES and revokes CONTROL from SYSCAT.ATTRIBUTES.

  2. If one of the merged account templates is set to use strong synchronization, the DB2 Connector applies the effective account template to the account using strong synchronization. If not, the effective account template uses weak synchronization.
  3. For strong synchronization, the DB2 Connector replaces the account's authorities and privilege settings with that of the effective account template.
  4. For weak synchronization, if there is a difference between the account settings and the effective account template, the DB2 Connector uses the setting that has the higher restriction.

    For example, if an account is granted DBADM, and the effective account template does not grant DBADM, the account will not be granted DBADM. If an account is not granted DBADM and the effective account template grants DBADM, the account will still not be granted DBADM.

    Another example: If an account is granted CONTROL and SELECT with GRANT option on view SYSCAT.ATTRIBUTES, but the effective account template revokes CONTROL from and grants SELECT on view SYSCAT.ATTRIBUTES, the account is granted only SELECT on view SYSCAT.ATTRIBUTES and CONTROL is revoked from SYSCAT.ATTRIBUTES.

    When checking account or account template synchronization, the same process of generating effective account template applies, as do the rules of comparison. If you are going to synchronize account settings with the effective account template, and the account's authority and privilege settings do not change, the DB2 Connector considers the account synchronized with its associated account templates.