DB2 Security - Protecting your data and complying with regulatory requirements

Authentication

Before attaching to a DB2 instance, or connecting to a DB2 database, users must authenticate. Authentication is the process of validating the user ID and password. DB2 provides a set of default security plug-ins that perform user ID and password authentication, group membership lookup, Kerberos authentication, and LDAP authentication. If you decide not to use the default plug-ins, you have the flexibility to develop your own or use third-party loadable plug-in libraries to fit your business needs.

Authorization

After a user is authenticated, DB2 performs an authorization check. Authorization is the process by which the DB2 database manager verifies that a user is authorized to perform certain operations on specific data or resources. Users can be granted specific privileges on a given data resource or be given pre-defined sets of privileges known as authorities. DB2 also allows you to create your own database roles to bundle several privileges together so you can grant them at once to a user or group.

Trusted contexts

Trusted contexts provide a way to build faster and more secure three-tier applications. Trusted contexts address many security concerns in the three-tier application model, such as loss of the end user's identity behind a shared application-server connection, lack of user accountability, and the granting of unnecessary privileges to the application server's ID in order to reach certain information. Under DB2 trusted contexts, the end user's identity is sent to DB2 within a trusted connection for audit and authorization purposes.

Auditing

DB2 includes an audit facility that allows you to monitor data access and provides information needed for subsequent analysis. Auditing can help discover unwanted, unknown, and unacceptable access to the data as well as keep history records of the activities on the database system.

Advanced Access Control Feature

For the finest-grained data access control, DB2 includes an optional add-on feature called Advanced Access Control that uses Label Based Access Control (LBAC) to let you decide exactly who has write access and who has read access to individual rows and individual columns in any given table. Once the LBAC rules have been defined, data access control is enforced by DB2 and is completely transparent to the user. For example, a user accessing a table will only see the rows they are authorized to see, and DB2 will act as if any unauthorized rows don't exist.
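As an added example (not taken from this page or from IBM's documentation), the DDL below sets up LBAC row and column protection on a constructed table; the policy, component, label, table and user names are all assumed, and the statements must be run by a user holding SECADM authority.

```sql
-- Assumed names (not from the page): policy hr_policy, table employee,
-- users hr_mgr and hr_clerk. Run as a SECADM user.

-- 1. Components: an ordered sensitivity level (first element is highest)
--    and an unordered set of departments.
CREATE SECURITY LABEL COMPONENT level
  ARRAY ['SECRET', 'CONFIDENTIAL', 'PUBLIC'];
CREATE SECURITY LABEL COMPONENT dept
  SET {'HR', 'SALES'};

-- 2. Policy using the standard DB2LBACRULES. RESTRICT makes DB2 reject
--    an insert that names a label the writer may not write, instead of
--    silently replacing it with the writer's own label (the OVERRIDE default).
CREATE SECURITY POLICY hr_policy
  COMPONENTS level, dept
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- 3. Labels to attach to rows, columns and users.
CREATE SECURITY LABEL hr_policy.hr_secret
  COMPONENT level 'SECRET', COMPONENT dept 'HR';
CREATE SECURITY LABEL hr_policy.hr_conf
  COMPONENT level 'CONFIDENTIAL', COMPONENT dept 'HR';

-- 4. Protected table: one label per row, plus a column-level label on salary.
CREATE TABLE employee (
  empno     INTEGER NOT NULL,
  name      VARCHAR(40),
  salary    DECIMAL(9,2) SECURED WITH hr_secret,
  row_label DB2SECURITYLABEL
) SECURITY POLICY hr_policy;

-- 5. Credentials. hr_mgr's SECRET level dominates hr_clerk's CONFIDENTIAL.
--    Without the exemption, DB2LBACWRITEARRAY lets hr_mgr write only rows
--    at exactly its own level, so "writing down" a CONFIDENTIAL row would fail.
GRANT SECURITY LABEL hr_policy.hr_secret TO USER hr_mgr   FOR ALL ACCESS;
GRANT SECURITY LABEL hr_policy.hr_conf   TO USER hr_clerk FOR ALL ACCESS;
GRANT EXEMPTION ON RULE DB2LBACWRITEARRAY FOR hr_policy TO USER hr_mgr;
GRANT SELECT, INSERT ON employee TO USER hr_mgr, USER hr_clerk;

-- 6. Rows with explicit labels (run as hr_mgr).
INSERT INTO employee VALUES
  (1, 'Ada',   120000.00, SECLABEL_BY_NAME('hr_policy', 'hr_secret')),
  (2, 'Grace',  65000.00, SECLABEL_BY_NAME('hr_policy', 'hr_conf'));

-- 7. Resulting visibility, enforced by DB2 with no change to the queries:
--   hr_mgr:   SELECT empno, name, salary FROM employee -> both rows, salary shown
--   hr_clerk: SELECT empno, name FROM employee         -> only row 2; the SECRET
--             row is filtered out as if it did not exist
--   hr_clerk: SELECT salary FROM employee              -> rejected, column protected
```

Exemptions like the one in step 5 bypass an LBAC rule entirely, so grant them sparingly and include them in what the audit facility reviews.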

Encryption

Using DB2 encryption mechanisms, you can prevent attackers from reading your data while it is being transmitted across the network. DB2 supports encryption of the user ID, the password, and the data while in transit.

DB2 also supports external encryption using Secure Sockets Layer (SSL). This provides a secure tunnel, or envelope, for data being sent between client and server. All communication can be encrypted.