DB2 Version 9.7 for Linux, UNIX, and Windows

Security considerations for Active Directory

The DB2® database and node objects are created in Active Directory under the computer object of the machine where the DB2 server is installed. To register a database server or to catalog a database in Active Directory, you must have sufficient access to create or update objects under that computer object.

By default, objects under the computer object are readable by any authenticated user and can be updated only by administrators (users that belong to the Administrators, Domain Administrators, and Enterprise Administrators groups). To grant access to a specific user or group, use the Active Directory Users and Computers snap-in of the Microsoft Management Console (MMC) as follows:

  1. Start the Active Directory Users and Computers administration tool

    (Start-> Programs-> Administrative Tools-> Active Directory Users and Computers)

  2. Under View, select Advanced Features
  3. Select the Computers container
  4. Right-click the computer object that represents the server machine where DB2 is installed and select Properties
  5. Select the Security tab, then add the required access to the specified user or group

The DB2 registry variables and CLI settings at the user level are maintained in the DB2 property object under the user object. To set the DB2 registry variables or CLI settings at the user level, a user needs to have sufficient access to create objects under the User object.

By default, only administrators have access to create objects under the User object. To grant a user access to set the DB2 registry variables or CLI settings at the user level, use the Active Directory Users and Computers snap-in of the Microsoft Management Console (MMC) as follows:

  1. Start the Active Directory Users and Computers administration tool

    (Start-> Programs-> Administrative Tools-> Active Directory Users and Computers)

  2. Select the user object under the Users container
  3. Right-click the user object and select Properties
  4. Select the Security tab
  5. Add the user name to the list by using the Add button
  6. Grant "Write" and "Create All Child Objects" access
  7. Using the Advanced setting, set the permissions to apply to "This object and all child objects"
  8. Select the check box "Allow inheritable permissions from parent to propagate to this object"
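Both procedures above widen the ACL on an Active Directory object, so an administrator will want a way to verify afterwards who actually holds create or write rights on the DB2 server's computer object and on a user object. The following script is an added example, not part of the DB2 documentation; it assumes the RSAT ActiveDirectory PowerShell module is installed, and the computer name DB2SERVER01 and user name db2admin are placeholders.

```powershell
# Added example (not from the DB2 documentation): report every principal that can
# create child objects under, or write to, an AD object. Assumes the RSAT
# ActiveDirectory module (provides Get-ADComputer, Get-ADUser and the AD: drive).
Import-Module ActiveDirectory

# Rights that let a principal add the DB2 database/node/property objects or
# modify the parent object itself (the rights granted in the procedures above).
$interestingRights = 'CreateChild', 'GenericWrite', 'WriteProperty',
                     'GenericAll', 'WriteDacl', 'WriteOwner'

# Principals the documentation says hold write access by default, plus the
# well-known built-in identities that appear on every AD object's ACL.
$expectedPrincipals = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                      'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'CREATOR OWNER'

function Get-AdWriteAccess {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; its string form is comma separated.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hits = $rights | Where-Object { $interestingRights -contains $_ }
        if (-not $hits) { continue }
        $identity = $ace.IdentityReference.Value
        $known = $expectedPrincipals | Where-Object { $identity -like "*$_" }
        [pscustomobject]@{
            Object       = $DistinguishedName
            Identity     = $identity
            Rights       = ($hits -join ',')
            # An all-zero ObjectType GUID means the right applies to all child
            # object classes ("Create All Child Objects"); otherwise one class.
            ObjectType   = $ace.ObjectType
            Inherited    = $ace.IsInherited
            ReviewNeeded = -not $known   # explicit grant outside the default set
        }
    }
}

# Placeholder names: replace with the DB2 server's computer account and the user
# who is allowed to keep user-level DB2 registry/CLI settings in AD.
$targets = @(
    (Get-ADComputer -Identity 'DB2SERVER01').DistinguishedName
    (Get-ADUser     -Identity 'db2admin').DistinguishedName
)
$targets | ForEach-Object { Get-AdWriteAccess -DistinguishedName $_ } |
    Sort-Object Object, ReviewNeeded -Descending |
    Format-Table Identity, Rights, ObjectType, Inherited, ReviewNeeded -AutoSize
```

Rows with ReviewNeeded set are the explicit grants made by the procedures above (or by someone else); check that each one is a user or group that legitimately registers DB2 objects or keeps user-level settings, and that no grant is broader than "Write" and "Create All Child Objects".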