Network trusted context is an object that gives users a specific set of privileges. It is available when the user connects to the database through a trusted connection. An example is a web application environment: the application receives a trusted connection through the trusted context, and users can then have their identity passed to the database server. With this trusted context, you can create a unique set of interactions between DB2 and your application.

DB2 extends the trusted context concept to optionally assign a default role to a trusted context and optionally assign a role to a user of the context. A role is a database object that groups together one or more privileges. It can be assigned to users, or to objects that are created in a trusted context with the role as their owner, by specifying the ROLE AS OBJECT OWNER clause in the trusted context definition. Databases, table spaces, tables, indexes, and views can be implemented in a trusted context with a role as the owner of the created objects. A role is only available within a trusted context. You can define a role for a trusted context and assign it to authorization IDs. When associated with a role, and using the trusted connection, an authorization ID inherits all the privileges that the role grants.
8.5.1 Attributes of a trusted context

A trusted context is an independent database entity that is based on a system authorization ID and connection trust attributes.

The system authorization ID is a DB2 primary authorization ID that is used to establish the trusted connection. A SYSTEM AUTHID for a connection can be associated only with a single trusted context, ensuring that there is always a clear mapping between a specific connection and a specific trusted context.

The connection trust attributes are ADDRESS, SERVAUTH, ENCRYPTION, and JOBNAME. They identify specific connections to consider as part of the trusted context. Any defined ADDRESS, SERVAUTH, or JOBNAME must also be unique in a trusted context.

A trusted connection can be established for a local or a remote application. The attributes used to establish a trusted context are different for remote versus local applications.

Additional information: For more information, see Securing DB2 and Implementing MLS on z/OS, SG24-6480.
8.5.2 How a trusted connection works

A trusted connection is a database connection that is established when the incoming connection attributes match the attributes of a unique, enabled trusted context defined at the server. The trust attributes identify a set of characteristics about the specific connection that are required for the connection to be considered a trusted connection.

The relationship between a connection and a trusted context is established when the connection to the server is first created and that relationship remains for the life of that connection. If a trusted context definition is altered, the changed attributes of the trusted context take effect when the next new connection request comes in, or when a switch user request is issued within an existing trusted connection.
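The following DDL is an added example, not taken from the Redbook, that ties together the role, ROLE AS OBJECT OWNER and connection trust attribute concepts above for a remote web application server, and ends with the kind of ALTER whose effect is deferred to the next connection or switch user request. All names (WEBAPP, CTX_WEBAPP, WEB_OWNER, WEB_USER, WEBDB, ALICE, BOB, CAROL, the address 10.0.0.25) are constructed for illustration.

```sql
-- Roles bundle privileges; they are usable only over a trusted connection.
CREATE ROLE WEB_OWNER;
CREATE ROLE WEB_USER;

-- The owner role may create objects in the application database (constructed
-- database name WEBDB); the user role gets no DDL authority at all.
GRANT CREATETAB, CREATETS ON DATABASE WEBDB TO ROLE WEB_OWNER;

-- Trust attributes for a REMOTE application: the connection must come from
-- the application server's address (constructed) with a strongly encrypted
-- link, and must be made under the primary authorization ID WEBAPP.
-- A SYSTEM AUTHID may belong to only one trusted context.
-- DEFAULT ROLE ... WITH ROLE AS OBJECT OWNER AND QUALIFIER: objects created
-- over this connection are owned and qualified by WEB_OWNER, not by the
-- connecting user, so ownership does not follow individual accounts.
-- WITH USE FOR lists the end users whose identity the application may pass
-- through (switch user) and the role each one receives while switched in.
CREATE TRUSTED CONTEXT CTX_WEBAPP
  BASED UPON CONNECTION USING SYSTEM AUTHID WEBAPP
  ATTRIBUTES (ADDRESS '10.0.0.25',
              ENCRYPTION 'HIGH')
  DEFAULT ROLE WEB_OWNER WITH ROLE AS OBJECT OWNER AND QUALIFIER
  ENABLE
  WITH USE FOR ALICE ROLE WEB_USER WITHOUT AUTHENTICATION,
               BOB   ROLE WEB_USER WITH AUTHENTICATION;

-- Run over the trusted connection: because of ROLE AS OBJECT OWNER AND
-- QUALIFIER the table is created as WEB_OWNER.ORDERS, owned by the role.
CREATE TABLE ORDERS (
  ORDER_ID  INTEGER NOT NULL PRIMARY KEY,
  CUSTOMER  VARCHAR(64) NOT NULL,
  AMOUNT    DECIMAL(12, 2) NOT NULL
) IN WEBDB.WEBTS;

-- Least privilege for switched-in end users: DML only, on the role-owned table.
GRANT SELECT, INSERT, UPDATE ON TABLE WEB_OWNER.ORDERS TO ROLE WEB_USER;

-- Adding a user later does not change connections already established;
-- CAROL can be switched to only after the next new connection request or
-- the next switch user request within an existing trusted connection.
ALTER TRUSTED CONTEXT CTX_WEBAPP
  ADD USE FOR CAROL ROLE WEB_USER WITHOUT AUTHENTICATION;
```

Connections from WEBAPP that do not match every attribute (wrong address, weaker encryption) are ordinary, untrusted connections and receive none of the role privileges; the same is true for any user not named in WITH USE FOR.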
Chapter 8. Security enhancements of DB2 10 for SAP solutions 133