
DB2 Database Security Support Automation Disclosure Number: IPCOM000124724D
Original Publication Date: 2005-May-04
Included in the Prior Art Database: 2005-May-04
Document File: 3 page(s) / 37K

Publishing Venue



The activities associated with DB2 Database Security maintenance are tedious and time consuming. With respect to IBM security requirements, database users must be explicitly permitted to access database tables, and every DB2 database may contain hundreds of tables. With a large number of databases, the opportunity for failure increases exponentially. The current method for changing database permissions is manual, and adding or removing a user to/from many tables is very prone to error. This method promotes a means to avoid these concerns.

This is the abbreviated version, containing approximately 53% of the total text.

Page 1 of 3

DB2 Database Security Support Automation

A method and tool are disclosed that fully automate the addition or removal of database users, ensure that no unwanted user privileges remain, and audit database privileges so that security requirements are demonstrably fulfilled.

This method is used for several items:
1. Annual userid revalidation (including removing users no longer needing access)
2. Security audits and reconciliation
3. Granting new user database privileges
4. Removing users no longer requiring database privileges

This method and tool automates the current manual solution, removing tedious detail, ensuring accurate results and successful security audits.

The method is an interactive script which builds and executes the statements needed to revoke and grant DB2 database privileges. It provides a means to facilitate database security updates and fosters successful audits of the environment. It also distinguishes valid from non-valid database IDs and revokes database privileges from the non-valid ones. The advantage of this method is that automating the statement build saves significant time, minimizes tedious detail, and reduces human interaction, which promotes error-free updates. The method and tool can also support day-to-day DBA activities by automating the granting of database access to new user IDs, the revalidation of current IDs on the database, and the revocation of IDs that are no longer used.
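The reconciliation step described above, as an added example that is not the disclosed tool's own code: it takes rows in the shape of the DB2 catalog view SYSCAT.TABAUTH (assumed here; the sample rows are constructed inline), compares them against an approved-access list, and builds the GRANT statements that complete a user's privileges and the REVOKE statements that strip excess or unapproved ones.

```python
"""Build DB2 GRANT/REVOKE statements from catalog rows vs. an approved list."""

# SYSCAT.TABAUTH privilege columns mapped to the GRANT/REVOKE keyword.
# 'Y' = held, 'G' = held with grant option, 'N' = not held.
PRIV_COLS = {"SELECTAUTH": "SELECT", "INSERTAUTH": "INSERT",
             "UPDATEAUTH": "UPDATE", "DELETEAUTH": "DELETE"}


def current_privs(tabauth_rows):
    """Collapse TABAUTH-style rows into {(user, 'SCHEMA.TABLE'): {privileges}}."""
    held = {}
    for row in tabauth_rows:
        if row["GRANTEETYPE"] != "U":       # only user grants; groups/roles are out of scope here
            continue
        table = f'{row["TABSCHEMA"]}.{row["TABNAME"]}'
        privs = {kw for col, kw in PRIV_COLS.items() if row.get(col, "N") in ("Y", "G")}
        if privs:
            held[(row["GRANTEE"], table)] = privs
    return held


def reconcile(tabauth_rows, approved, tables):
    """approved: {user: {privileges}} that each user must hold on every table in `tables`.
    Returns (grants, revokes): statements that bring the database back into compliance."""
    held = current_privs(tabauth_rows)
    grants, revokes = [], []
    for user, privs in sorted(approved.items()):
        for table in sorted(tables):
            missing = privs - held.get((user, table), set())
            if missing:
                grants.append(f"GRANT {', '.join(sorted(missing))} ON TABLE {table} TO USER {user};")
    for (user, table), privs in sorted(held.items()):
        # A user absent from the approved list (e.g. failed revalidation) loses everything.
        excess = privs - approved.get(user, set())
        if excess:
            revokes.append(f"REVOKE {', '.join(sorted(excess))} ON TABLE {table} FROM USER {user};")
    return grants, revokes


# Constructed sample: two tables, two approved users, one departed user (CAROL).
TABLES = {"APP.ORDERS", "APP.CUSTOMERS"}
APPROVED = {"ALICE": {"SELECT"}, "BOB": {"SELECT", "INSERT"}}
TABAUTH_ROWS = [
    {"GRANTEE": "ALICE", "GRANTEETYPE": "U", "TABSCHEMA": "APP", "TABNAME": "ORDERS", "SELECTAUTH": "Y"},
    {"GRANTEE": "BOB", "GRANTEETYPE": "U", "TABSCHEMA": "APP", "TABNAME": "ORDERS",
     "SELECTAUTH": "Y", "INSERTAUTH": "Y", "DELETEAUTH": "Y"},
    {"GRANTEE": "CAROL", "GRANTEETYPE": "U", "TABSCHEMA": "APP", "TABNAME": "CUSTOMERS", "SELECTAUTH": "Y"},
    {"GRANTEE": "PUBLIC", "GRANTEETYPE": "G", "TABSCHEMA": "APP", "TABNAME": "ORDERS", "SELECTAUTH": "Y"},
]

if __name__ == "__main__":
    for stmt in sum(reconcile(TABAUTH_ROWS, APPROVED, TABLES), []):
        print(stmt)      # review the script before scheduling it, as the method prescribes
```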

As described in the diagram below, this service method automates several labor intensive DB2 security requirements. First is the database health check, where security violations are reviewed and resolved. The tool automates this health check to ensure compliance in an efficient manner. Second, the tool automates the required annual database ID revalidation process. Finally, it automates grants or removal of DB2 privileges.

The uniqueness of this disclosure includes the following activities:
1. Scans the database and builds the required security statements to return the database into compliance.
2. Builds the complete set of privileges required to add a user.
3. Fully removes the specified user's privileges.


Page 2 of 3


[Diagram: flowchart of the service method; only the box labels survive extraction.]

Database Security Audit:
1. For each Instance, for each DB, Build Database Security Audit Scripts
2. Review Scripts for Accuracy
3. Schedule Implementation
4. Execute Database Security Audit
5. Run DB2COPS Security Analyzer to Verify Security Compliance

Userid Revalidation:
1. Build List of DB Id's to Revalidate
2. Send Em...