You may want to monitor, control, or
prevent access to data by database administrators (users holding DBADM
authority).
Monitoring access to data
You can use the DB2® audit facility to monitor access
by database administrators. To do so, follow these steps:
- Create an audit policy that monitors the events
you want to capture for users who hold DBADM authority.
- Associate this audit policy with the DBADM authority.
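The two steps above, written out in DB2 SQL as an added example that is not part of the original page. The policy name DBADM_ACTIVITY and the category selection are illustrative choices; pick the categories that match what you need to capture. In DB2 9.7 and later, CREATE AUDIT POLICY and AUDIT require SECADM authority, so a DBADM holder cannot turn this monitoring off on their own.

```sql
-- Added example (not from the original page). Policy name and categories
-- are illustrative; adjust them to the events you actually need.
-- ERROR TYPE AUDIT makes the audited operation fail if the audit record
-- cannot be written, so an administrator cannot act while auditing is broken.
CREATE AUDIT POLICY DBADM_ACTIVITY
  CATEGORIES AUDIT STATUS BOTH,
             CHECKING STATUS BOTH,
             OBJMAINT STATUS BOTH,
             SECMAINT STATUS BOTH,
             EXECUTE WITH DATA STATUS BOTH
  ERROR TYPE AUDIT;

-- Associate the policy with the DBADM authority itself. Every user who
-- holds DBADM (directly or through a role) is then audited, without
-- naming each user individually.
AUDIT DBADM USING POLICY DBADM_ACTIVITY;

-- Check: list which objects and authorities have an audit policy attached.
SELECT OBJECTTYPE, OBJECTNAME, AUDITPOLICYNAME
  FROM SYSCAT.AUDITUSE;

-- Check: confirm the policy definition was stored as intended.
SELECT AUDITPOLICYNAME, ERRORTYPE
  FROM SYSCAT.AUDITPOLICIES
 WHERE AUDITPOLICYNAME = 'DBADM_ACTIVITY';
```

The audit records are written to the active audit log and must be archived and extracted with the db2audit command before they can be reviewed; the SQL above only defines what is captured.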
Controlling access to data
You can use trusted
contexts in conjunction with a role to control access by database
administrators. To do so, follow these steps:
- Create a role and grant DBADM authority to that role.
- Define a trusted context and make the role the default role for
this trusted context.
Do not grant membership in the role to any
authorization ID explicitly. This way, the role is available only
through this trusted context and a user acquires DBADM capability
only when they are within the confines of the trusted context.
- There are two ways you can control how users access the trusted
context:
- Implicit access: Create a unique trusted context for each user.
When the user establishes a regular connection that matches the attributes
of the trusted context, they are implicitly trusted and gain access
to the role.
- Explicit access: Create a trusted context using the WITH USE FOR
clause to define all users who can access it. Create an application
through which those users can make database requests. The application
establishes an explicit trusted connection, and when a user issues
a request, the application switches to that user ID and executes the
request as that user on the database.
If you want to monitor the use of this trusted context,
you can create an audit policy that captures the events you are interested
in for users of this trusted context. Associate this audit policy
with the trusted context.
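The whole procedure above (role, trusted contexts for both access styles, and the audit policy on the trusted context), written out in DB2 SQL as an added example that is not part of the original page. The names DBADM_ROLE, CTX_DBA_ALICE, CTX_DBA_APP, TC_ACTIVITY, the authorization IDs ALICE, BOB and DBAAPP, and the IP addresses are all assumed for illustration. These statements require SECADM authority.

```sql
-- Added example (not from the original page). All object names, user IDs
-- and addresses below are assumed for illustration.

-- Step 1: a role that carries DBADM. Nobody is granted membership directly,
-- so the only way to hold DBADM is to arrive through a trusted context
-- that names this role as its default role.
CREATE ROLE DBADM_ROLE;
GRANT DBADM ON DATABASE TO ROLE DBADM_ROLE;

-- Step 2 / implicit access: one trusted context per administrator. A
-- regular connection by ALICE from the listed address is implicitly
-- trusted and receives DBADM_ROLE; the same user from anywhere else does not.
CREATE TRUSTED CONTEXT CTX_DBA_ALICE
  BASED UPON CONNECTION USING SYSTEM AUTHID ALICE
  ATTRIBUTES (ADDRESS '10.0.0.5')
  DEFAULT ROLE DBADM_ROLE
  ENABLE;

-- Step 2 / explicit access: one trusted context for an administrative
-- application (system authid DBAAPP). The application opens an explicit
-- trusted connection and switches to ALICE or BOB for each request.
-- WITH AUTHENTICATION forces a credential check on each switch, so a
-- compromised DBAAPP connection cannot impersonate an administrator freely.
CREATE TRUSTED CONTEXT CTX_DBA_APP
  BASED UPON CONNECTION USING SYSTEM AUTHID DBAAPP
  ATTRIBUTES (ADDRESS '10.0.0.10')
  DEFAULT ROLE DBADM_ROLE
  ENABLE
  WITH USE FOR ALICE WITH AUTHENTICATION,
               BOB   WITH AUTHENTICATION;

-- Monitoring the trusted context: capture its use with an audit policy
-- associated with the context itself.
CREATE AUDIT POLICY TC_ACTIVITY
  CATEGORIES CONTEXT STATUS BOTH,
             CHECKING STATUS BOTH,
             EXECUTE WITH DATA STATUS BOTH
  ERROR TYPE AUDIT;
AUDIT TRUSTED CONTEXT CTX_DBA_APP USING POLICY TC_ACTIVITY;

-- Check 1: the role must have no explicit members. Any row here means a
-- user or group can exercise DBADM outside the trusted context.
SELECT GRANTEE, GRANTEETYPE, ADMIN
  FROM SYSCAT.ROLEAUTH
 WHERE ROLENAME = 'DBADM_ROLE';

-- Check 2: review the trusted contexts, their default roles and attributes.
SELECT C.CONTEXTNAME, C.SYSTEMAUTHID, C.DEFAULTCONTEXTROLE, C.ENABLED,
       A.ATTR_NAME, A.ATTR_VALUE
  FROM SYSCAT.CONTEXTS C
  LEFT JOIN SYSCAT.CONTEXTATTRIBUTES A
    ON A.CONTEXTNAME = C.CONTEXTNAME
 WHERE C.CONTEXTNAME IN ('CTX_DBA_ALICE', 'CTX_DBA_APP');
```

On the application side, the switch to the end user is done through the client API rather than SQL (for example, the trusted-context user attributes in CLI, or the connection-reuse methods in the DB2 JDBC driver); the database then runs the request under that user's authorization ID, and the audit records show the switched user rather than DBAAPP.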
Preventing access to data
To
prevent access to data in tables, choose one of these options: