A quick tour of user accounts in DB2

User accounts determine who can access the data and who owns the data.

For DB2, user accounts are created at the operating system or network level.

User access

Your database must be able to verify the user accounts that attempt to connect to it. That means the database administrator has to add users to the database. The database checks the list of users to make sure a user is allowed to make a connection. This process is called authentication.

There are two types of authentication used with DB2 databases: operating system authentication and database authentication.

Operating system (OS) authentication indicates a user logs in to the computer, and the credentials for authorization are supplied to the database by the operating system of the user's computer. For the connecting user, that means he or she only has to log in at his or her computer and does not have to log in separately to the database. For the database administrator, this means the existing login must be added to the database and the database must be configured to recognize the user's existing login.

If you use database authentication, users log in to the server and then must separately log in to the database.

NoteNote:
Although DB2 does not have database user accounts, you still have the option to use database authentication, in which case you choose Database Authentication when making a connection from ArcGIS. Doing so allows you to save the specific user name and password of a user. You can also configure your DB2 database to use operating system authentication, in which case you choose Operating System Authentication when making a connection from ArcGIS, and the database uses the credentials of the user logged in to the operating system to connect.

Once users are added, the administrative user must also grant specific privileges to users to determine what they can and cannot do in the database. The database checks these privileges when an authenticated user tries to access or alter the database. This process is called authorization.

The types of privileges granted to a user are based on the type of work the user needs to perform. Some users only need to connect to the database and view specific data. Other users need to create new datasets. One or more users need to administer the geodatabase. For more information on administrative and other user permissions, see The geodatabase administrator DB2 and User privileges for geodatabases in DB2.

Data ownership

The user who creates tables in the database management system (DBMS) owns those tables. For example, the geodatabase administrator creates the geodatabase; therefore, the geodatabase system tables that are created in the DBMS at that time are owned by the geodatabase administrator. Similarly, a user who creates a feature class owns that feature class.

The user name used to make the connection to the geodatabase at the time the tables are created is the one who owns the data.

For instance, part-time staff members Boris and Basil are allowed to create data in the geodatabase. Boris and Basil use the same computer. If both use Basil's account to connect to the geodatabase in ArcCatalog, all datasets created by either Boris or Basil will be owned by Basil and stored in his schema.

If Boris wants the data he creates to be stored in his schema, he must alter the database connection properties and connect to the database with his own user name before he starts creating data.

Knowing who owns the data is important because you cannot remove a user account from the database if the user owns data, and it is the user who created the dataset who controls the level of access other users have to the dataset.

Related Topics

11/6/2014