Before attaching to a DB2 instance, or connecting to a DB2 database, users must authenticate. Authentication is the process of validating that users are who they claim to be. You can configure DB2 to authenticate users via the operating system, via a Lightweight Directory Access Protocol (LDAP) server, or via Kerberos. Additionally, DB2 supports custom authentication plug-ins, so you have the flexibility to configure DB2 to more closely match your specific authentication needs.
After a user is authenticated, DB2 performs an authorization check. Authorization is the process where the DB2 database manager verifies that a user is authorized to perform certain operations on specific data or resources. Users can be granted specific privileges to a given data resource or be given pre-defined roles known as authorities. DB2 also allows you to create your own database roles to bundle several privileges together so you can grant them at once to a user or group.
Trusted contexts provide a way to build faster and more secure three-tier applications. Trusted contexts address many security concerns in the three-tier application model, such as loss of the user's identity, lack of user accountability, and the granting of unnecessary privileges to access certain information. Under DB2 trusted contexts, the user's identity is sent to DB2 within a trusted connection for audit and authorization purposes. Additionally, trusted contexts allow you to control when certain users can exercise the privileges granted to them. For example, you may use trusted contexts to limit a user to connecting to the database from certain IP addresses.
DB2 includes an audit facility that allows you to monitor data access and provides information needed for subsequent analysis. Auditing can help discover unwanted, unknown, and unacceptable access to the data as well as keep history records of the activities on the database system.
Row and Column Access Control
DB2 includes Row and Column Access Control for fine-grained security. You can use Row and Column Access Control to restrict the rows and mask the columns that a user sees. The access control is transparent to the user; they are not aware of the existence of the unauthorized rows.
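As an added example (not from the original page), the following DB2 SQL defines a row permission and a column mask on a constructed HR.EMPLOYEE table and then activates enforcement; the schema, table, column and role names (HR_ADMIN, MANAGER) are assumptions, and the statements require SECADM authority.

```sql
-- Constructed sample table (not from the original page).
CREATE TABLE HR.EMPLOYEE (
  EMP_ID     INTEGER       NOT NULL PRIMARY KEY,
  NAME       VARCHAR(60)   NOT NULL,
  DEPT       VARCHAR(10)   NOT NULL,
  MANAGER_ID VARCHAR(128),          -- authorization ID of the row's manager (assumed)
  SALARY     DECIMAL(10,2),
  SSN        VARCHAR(11)
);

-- Roles assumed for the example; membership is granted separately.
CREATE ROLE HR_ADMIN;
CREATE ROLE MANAGER;

-- Row permission: HR_ADMIN members see every row; MANAGER members see only
-- rows whose MANAGER_ID equals their own session authorization ID.
-- Rows that match no permission are simply absent from query results.
CREATE PERMISSION HR.EMP_ROW_ACCESS ON HR.EMPLOYEE
  FOR ROWS WHERE
       VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR_ADMIN') = 1
    OR (VERIFY_ROLE_FOR_USER(SESSION_USER, 'MANAGER') = 1
        AND MANAGER_ID = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: HR_ADMIN members see the full SSN; everyone else sees only
-- the last four digits. The CASE result must match the column's type and length.
CREATE MASK HR.EMP_SSN_MASK ON HR.EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR_ADMIN') = 1
         THEN SSN
         ELSE CAST('XXX-XX-' || SUBSTR(SSN, 8, 4) AS VARCHAR(11))
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table;
-- after this, the rules apply to every user, including the table owner.
ALTER TABLE HR.EMPLOYEE
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;
```

Once activated, a plain SELECT * FROM HR.EMPLOYEE issued by a manager returns only that manager's direct reports with masked SSNs, and the application needs no awareness that filtering occurred.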
Label-Based Access Control
For the ultimate data access control, DB2 includes Label Based Access Control (LBAC). LBAC provides multi-level security for managing classified data. Once the LBAC rules have been defined, data access control is managed by DB2 and is completely transparent to the user.
You can prevent attackers from seeing your data while it's being transmitted through the network using DB2 encryption mechanisms. DB2 supports encryption of user IDs, passwords, and data while in transit. You can also use the DB2 Secure Sockets Layer (SSL) capability to encrypt your client-to-server communication using state-of-the-art encryption technology.