Quick Beginnings for DB2 Connect Enterprise Edition

Working with the System Administrative Group

By default, System Administrative (SYSADM) authority is granted to the following:

OS/2

Any valid DB2 user ID which belongs to the Administrator or Local Administrator group.

UNIX

Any valid DB2 username that belongs to the primary group of the instance owner's user ID.

Windows 95 and Windows 98

Any Windows 95 or Windows 98 user.

Windows NT

Any valid DB2 user account which belongs to the local Administrators group.

You can change the users who have SYSADM privileges for each DB2 instance by changing the sysadm_group parameter; but before you do, ensure that the group exists.

To check to see if this group exists, do the following:

• For Windows NT users: Use the Windows NT User Manager Administrative Tool.

• For OS/2 users: Use a UPM administrator user ID to create groups and assign membership. For information on using UPM, see Chapter 42. Administering and Using OS/2 User Profile Management on OS/2 Systems.

The sysadm_group parameter is not used for the Windows 95 operating system.

• To change the System Administrative group (sysadm_group) on the server instance: (For OS/2 and Windows NT workstations.)

  1. Start the Control Center.

  2. Click on the [+] sign beside the Systems icon to list all the systems known to your workstation.

  3. Click on the [+] sign for the system that contains the instance you want to update.

  4. Select the instance that you want to change the sysadm_group parameter for and click on the right mouse button.

  5. Select the Configure option.

  6. Select the Administration tab.

  7. Select the parameter you want to change and enter the name of an existing group that you want to assign this privilege to in the Value box.

  8. Click on OK.

  9. Stop and Start the database instance.

• To change the System Administrative group (sysadm_group) on the client instance: (For OS/2 and Windows NT workstations.)

  1. Start the Client Configuration Assistant (CCA).

  2. Click on the Client Settings push button.

  3. Select the Administration tab.

  4. Select the parameter you want to change and enter the name of an existing group that you want to assign this privilege to in the Value box.

  5. Click on OK.

  6. Stop all applications that are using DB2, including the CCA. When restarted they will be using the new value for sysadm_group.

• Using the command line processor:

  To change the System Administrative group (sysadm_group) parameter to dbadmin on the server instance, use:

     update
  dbm cfg using sysadm_group dbadmin    db2stop    db2start
  

  To change the System Administrative group (sysadm_group) parameter to dbadmin on the client instance, use:

     update dbm cfg using sysadm_group
   dbadmin    terminate
  

  Stop all applications that are using DB2. When restarted they will be using the new value for sysadm_group.

Granting Users Authorization

For applications to access databases, DB2 performs two types of checking:

Authentication

Ensures that the user account and password are valid.

Authorization

Ensures that the user has sufficient authority to perform a task.

This section discusses the authorization process used in a Windows NT domain environment. For more information on authentication and authorization, refer to the Administration Guide.

When performing administration tasks (such as cataloging the database directory or creating a database) System Administrative (SYSADM) authority is required. By default, any user belonging to the Administrators group where the user account is defined has SYSADM authority.

In a Windows NT domain environment, only domain users that belong to the Administrators group at the Primary Domain Controller (PDC) have SYSADM authority. Adding a domain user to the local Administrators group on the server machine does not grant the domain user SYSADM authority, since DB2 always performs authorization at the machine where the account is defined. To avoid adding a domain user to the Administrators group of the Primary Domain Controller, perform the following steps:

1. Create a new global group. The name of the global group must be eight characters or less and comply with DB2's naming rule. For more information, see Appendix G. Naming Rules.

2. Add a domain user to this global group.

3. Grant SYSADM authority to this global group by entering the following command:

      db2 update database manager configuration using sysadm_group global_group_name
   

   where global_group_name is the name of the global group that you created.

[ DB2 List of Books | Search the DB2 Books ]