DB2 10.5 for Linux, UNIX, and Windows

Extended Windows security using the DB2ADMNS and DB2USERS groups

Extended security is enabled by default in all DB2® database products on Windows operating systems except IBM® Data Server Runtime Client and DB2 Drivers. IBM Data Server Runtime Client and DB2 Drivers do not support extended security on Windows platforms.

An Enable operating system security check box appears on the Enable operating system security for DB2 objects panel when you install DB2 database products. Unless you disable this option, the installer creates two new groups, DB2ADMNS and DB2USERS. DB2ADMNS is the DB2 Administrators Group and DB2USERS is the DB2 Users Group. DB2ADMNS and DB2USERS are the default group names; optionally, you can specify different names for these groups at installation time (if you select silent installation, you can change these names within the installation response file). If you choose to use groups that already exist on your system, be aware that the privileges of these groups are modified: they are given the privileges listed in Table 1, below, as required. It is important to understand that these groups are used for protection at the operating-system level and are in no way associated with DB2 authority levels. However, the DB2 Administrators Group (for example, DB2ADMNS) is used as the default group for SYSADM, SYSMAINT, and SYSCTRL when no values are specified for the database manager configuration parameters SYSADM_GROUP, SYSMAINT_GROUP and SYSCTRL_GROUP. If you specify a SYSADM group, it is recommended that the group be the DB2 Administrators Group. An administrator can establish this setting after installation.

Note: You can specify your DB2 Administrators Group (DB2ADMNS or the name you chose during installation) and DB2 Users Group (DB2USERS or the name you chose during installation) either as local groups or as domain groups. Both groups must be of the same type, so either both local or both domain.
If you change the computer name, and the computer groups DB2ADMNS and DB2USERS are local computer groups, you must update the DB2_ADMINGROUP and DB2_USERSGROUP global registry variables. To update the registry variables after renaming and restarting the computer:
  1. Open a command prompt.
  2. Run the db2extsec command to update security settings:
    db2extsec -a new computer name\DB2ADMNS -u new computer name\DB2USERS
Note: If extended security is enabled in DB2 database products on Windows 7, only users that belong to the DB2ADMNS group can run the graphical DB2 administration tools. In addition, members of the DB2ADMNS group need to launch the tools with full administrator privileges. This is accomplished by right-clicking on the shortcut and then choosing "Run as administrator".

Abilities acquired through the DB2ADMNS and DB2USERS groups

The DB2ADMNS and DB2USERS groups provide members with the following abilities:
  • DB2ADMNS

    Full control over all DB2 objects (see the following list of protected objects)

  • DB2USERS

    Read and Execute access for all DB2 objects located in the installation and instance directories, but no access to objects under the database system directory and limited access to IPC resources

    For certain objects, there may be additional privileges available, as required (for example, write privileges, add or update file privileges, and so on). Members of this group have no access to objects under the database system directory.
    Note: The meaning of Execute access depends on the object. For a .dll or .exe file, Execute access means you have authority to execute the file; for a directory, it means you have authority to traverse the directory.
Ideally, all DB2 administrators should be members of the DB2ADMNS group (as well as being members of the local Administrators group), but this is not a strict requirement. Everyone else who requires access to the DB2 database system must be a member of the DB2USERS group. To add a user to one of these groups:
  1. Launch the Users and Passwords Manager tool.
  2. Select the user name to add from the list.
  3. Click Properties. In the Properties window, click the Group membership tab.
  4. Select the Other radio button.
  5. Select the appropriate group from the drop-down list.

Adding extended security after installation (db2extsec command)

If the DB2 database system was installed without extended security enabled, you can enable it by executing the command db2extsec. To execute the db2extsec command you must be a member of the local Administrators group so that you have the authority to modify the ACL of the protected objects.

You can run the db2extsec command multiple times if necessary; however, if you do, you cannot disable extended security unless you issue the db2extsec -r command immediately after each execution of db2extsec.

Removing extended security

CAUTION:
Do not remove extended security after it has been enabled unless absolutely necessary.

You can remove extended security by running the command db2extsec -r; however, this will only succeed if no other database operations (such as creating a database, creating a new instance, adding table spaces, and so on) have been performed after enabling extended security. The safest way to remove the extended security option is to uninstall the DB2 database system, delete all the relevant DB2 directories (including the database directories), and then reinstall the DB2 database system without extended security enabled.

Protected objects

The static objects that can be protected using the DB2ADMNS and DB2USERS groups are:
  • File system
    • File
    • Directory
  • Services
  • Registry keys
The dynamic objects that can be protected using the DB2ADMNS and DB2USERS groups are:
  • IPC resources, including:
    • Pipes
    • Semaphores
    • Events
  • Shared memory

Privileges owned by the DB2ADMNS and DB2USERS groups

The privileges assigned to the DB2ADMNS and DB2USERS groups are listed in the following table:
Table 1. Privileges for DB2ADMNS and DB2USERS groups

| Privilege | DB2ADMNS | DB2USERS | Reason |
|---|---|---|---|
| Create a token object (SeCreateTokenPrivilege) | Y | N | Token manipulation (required for certain token manipulation operations and used in authentication and authorization) |
| Replace a process level token (SeAssignPrimaryTokenPrivilege) | Y | N | Create process as another user |
| Increase quotas (SeIncreaseQuotaPrivilege) | Y | N | Create process as another user |
| Act as part of the operating system (SeTcbPrivilege) | Y | N | LogonUser |
| Generate security audits (SeSecurityPrivilege) | Y | N | Manipulate audit and security log |
| Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Y | N | Modify object ACLs |
| Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Y | N | Modify the process working set |
| Backup files and directories (SeBackupPrivilege) | Y | N | Profile/Registry manipulation (required to perform certain user profile and registry manipulation routines: LoadUserProfile, RegSaveKey(Ex), RegRestoreKey, RegReplaceKey, RegLoadKey(Ex)) |
| Restore files and directories (SeRestorePrivilege) | Y | N | Profile/Registry manipulation (required to perform certain user profile and registry manipulation routines: LoadUserProfile, RegSaveKey(Ex), RegRestoreKey, RegReplaceKey, RegLoadKey(Ex)) |
| Debug programs (SeDebugPrivilege) | Y | N | Token manipulation (required for certain token manipulation operations and used in authentication and authorization) |
| Manage auditing and security log (SeAuditPrivilege) | Y | N | Generate auditing log entries |
| Log on as a service (SeServiceLogonRight) | Y | N | Run DB2 as a service |
| Access this computer from the network (SeNetworkLogonRight) | Y | Y | Allow network credentials (allows the DB2 database manager to use the LOGON32_LOGON_NETWORK option to authenticate, which has performance implications) |
| Impersonate a client after authentication (SeImpersonatePrivilege) | Y | N | Client impersonation (required for Windows to allow use of certain APIs to impersonate DB2 clients: ImpersonateLoggedOnUser, ImpersonateSelf, RevertToSelf, and so on) |
| Lock pages in memory (SeLockMemoryPrivilege) | Y | N | Large Page support |
| Create global objects (SeCreateGlobalPrivilege) | Y | Y | Terminal Server support (required on Windows) |
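The following PowerShell audit is an added example and is not part of the IBM documentation: it exports the local security policy with secedit and checks that the privilege assignments on this host match Table 1 (DB2ADMNS holds the admin-only privileges, DB2USERS holds only SeNetworkLogonRight and SeCreateGlobalPrivilege), then flags DB2ADMNS members who are not also local Administrators, as recommended above. It assumes the default group names, an elevated prompt, and that Get-LocalGroupMember is available (Windows PowerShell 5.1 or later).

```powershell
# Added audit script (not IBM's code). Adjust these if other group names were chosen at install time.
$AdminGroup = 'DB2ADMNS'
$UserGroup  = 'DB2USERS'

# Privileges Table 1 grants to DB2ADMNS only; DB2USERS must never hold them.
$AdminOnly = 'SeCreateTokenPrivilege','SeAssignPrimaryTokenPrivilege','SeIncreaseQuotaPrivilege',
             'SeTcbPrivilege','SeSecurityPrivilege','SeTakeOwnershipPrivilege',
             'SeIncreaseBasePriorityPrivilege','SeBackupPrivilege','SeRestorePrivilege',
             'SeDebugPrivilege','SeAuditPrivilege','SeServiceLogonRight',
             'SeImpersonatePrivilege','SeLockMemoryPrivilege'
# Privileges Table 1 grants to both groups.
$Both = 'SeNetworkLogonRight','SeCreateGlobalPrivilege'

function Get-GroupSid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# secedit writes an INI-style file; its [Privilege Rights] section lists each privilege
# followed by the SIDs (prefixed with *) or account names that hold it.
$cfg = Join-Path $env:TEMP 'db2-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# True if the group holds the privilege, whether the policy names it by SID or by name.
function Test-Holds([string]$Priv, [string]$Group) {
    $holders = $rights[$Priv]
    $sid = Get-GroupSid $Group
    ($holders -contains $sid) -or ($holders -contains $Group) -or
        ($holders -contains "$env:COMPUTERNAME\$Group")
}

foreach ($p in $AdminOnly) {
    if (-not (Test-Holds $p $AdminGroup)) { Write-Warning "$AdminGroup is missing $p" }
    if (Test-Holds $p $UserGroup)        { Write-Warning "$UserGroup unexpectedly holds $p" }
}
foreach ($p in $Both) {
    foreach ($g in $AdminGroup, $UserGroup) {
        if (-not (Test-Holds $p $g)) { Write-Warning "$g is missing $p" }
    }
}

# Membership hygiene: DB2 administrators should be in both DB2ADMNS and local Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
Get-LocalGroupMember -Group $AdminGroup | Where-Object { $admins -notcontains $_.Name } |
    ForEach-Object { Write-Warning "$($_.Name) is in $AdminGroup but not in local Administrators" }
```

A privilege absent from the export has no holders at all, which the script reports as the group missing it; run it again after db2extsec to confirm the assignments were applied.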