11.3.5.2 DB2
In DB2, subjects can be either single users or groups. The access control
facilities provided by DB2 rely on two main concepts: authorities and
privileges. The concept of authority is similar to that of Oracle system
privileges in that an authority is a right to perform a particular
administrative operation. Authorities are usually granted to groups rather
than to single users. DB2 supports several authorities. The highest is the
system administrator authority, usually held by a group, whose members own
all DB2 resources and can execute any DB2 command. Other authorities include
the system maintenance authority, which conveys the right to perform
maintenance operations such as starting and stopping the DB2 server; the DB
administration authority, which allows subjects to access and modify all the
objects in a DB and to grant other users access authorizations and
authorities; and the CREATETAB authority, which conveys the right to create
tables in a DB.
Privileges are similar to Oracle object privileges: they are rights to
perform a certain action on a particular object in a DB. Privileges can be
granted to both users and groups. When a subject creates an object, such as a
table or a view, it receives the control privilege on it. The control
privilege subsumes all the other privileges supported by DB2 and allows the
holder to grant any applicable privilege on that object to other users or
groups. When a privilege on a table or view is revoked, all the privileges
derived from the revoked privilege are recursively revoked.
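The grant and cascading-revoke behaviour just described, as an added worked example in Python (not DB2's own code and not the author's): a toy catalogue in which the creator of an object receives CONTROL, a CONTROL holder grants privileges to users or groups, and revoking a privilege recursively revokes the grants derived from it. The class and names (PrivilegeCatalog, EMP, alice, bob, carol, dave, analysts) are invented, and the grant option that lets a grantee re-grant, so that derived grants exist at all, is an assumption modelled on SQL's WITH GRANT OPTION rather than something the text states.

```python
from dataclasses import dataclass

# Added example: a toy catalogue of table/view privileges in the style of the
# DB2 model described above. All names are invented; the grant option is an
# assumption (borrowed from SQL's WITH GRANT OPTION) used to model "derived" grants.


@dataclass(frozen=True)
class Grant:
    grantee: str        # user or group receiving the privilege
    privilege: str      # e.g. "SELECT"
    obj: str            # table or view
    grantor: str        # subject that issued the grant
    grant_option: bool  # may the grantee pass the privilege on? (assumption)


class PrivilegeCatalog:
    def __init__(self):
        self.control = {}    # obj -> subject holding the CONTROL privilege
        self.grants = set()  # live Grant records
        self.groups = {}     # group -> set of member users

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def _ids(self, subject):
        """A subject acts as itself and as every group it belongs to."""
        return {subject} | {g for g, m in self.groups.items() if subject in m}

    def create(self, creator, obj):
        """Creating a table or view gives the creator CONTROL on it."""
        self.control[obj] = creator

    def _holds(self, subject, privilege, obj, need_grant_option):
        ids = self._ids(subject)
        if self.control.get(obj) in ids:  # CONTROL subsumes every privilege
            return True
        return any(g.grantee in ids and g.obj == obj and g.privilege == privilege
                   and (g.grant_option or not need_grant_option)
                   for g in self.grants)

    def has_privilege(self, subject, privilege, obj):
        return self._holds(subject, privilege, obj, need_grant_option=False)

    def can_grant(self, subject, privilege, obj):
        return self._holds(subject, privilege, obj, need_grant_option=True)

    def grant(self, grantor, grantee, privilege, obj, grant_option=False):
        if not self.can_grant(grantor, privilege, obj):
            raise PermissionError(f"{grantor} may not grant {privilege} on {obj}")
        self.grants.add(Grant(grantee, privilege, obj, grantor, grant_option))

    def revoke(self, revoker, grantee, privilege, obj):
        """Revoke what `revoker` granted to `grantee`; derived grants go with it."""
        if not self.can_grant(revoker, privilege, obj):
            raise PermissionError(f"{revoker} may not revoke {privilege} on {obj}")
        self._revoke(revoker, grantee, privilege, obj)

    def _revoke(self, grantor, grantee, privilege, obj):
        self.grants -= {g for g in self.grants
                        if g.grantor == grantor and g.grantee == grantee
                        and g.obj == obj and g.privilege == privilege}
        # Once the grantee can no longer pass the privilege on, every grant it
        # issued for that privilege was derived from what was just revoked:
        # revoke those too, recursively.
        if not self.can_grant(grantee, privilege, obj):
            for g in list(self.grants):
                if g.grantor == grantee and g.obj == obj and g.privilege == privilege:
                    self._revoke(grantee, g.grantee, privilege, obj)


def db2_scenario():
    """Build a small grant chain, revoke its root, and report who still sees EMP."""
    cat = PrivilegeCatalog()
    cat.create("alice", "EMP")                        # alice gets CONTROL on EMP
    cat.add_member("analysts", "dave")
    cat.grant("alice", "bob", "SELECT", "EMP", grant_option=True)
    cat.grant("bob", "carol", "SELECT", "EMP")        # derived from bob's grant
    cat.grant("alice", "analysts", "SELECT", "EMP")   # granted to a group
    try:
        cat.grant("carol", "eve", "SELECT", "EMP")    # carol holds no grant option
        carol_can_grant = True
    except PermissionError:
        carol_can_grant = False
    users = ("bob", "carol", "dave")
    before = {u: cat.has_privilege(u, "SELECT", "EMP") for u in users}
    cat.revoke("alice", "bob", "SELECT", "EMP")       # cascades to carol, not to dave
    after = {u: cat.has_privilege(u, "SELECT", "EMP") for u in users}
    return carol_can_grant, before, after


if __name__ == "__main__":
    print(db2_scenario())
```

The cascade in `_revoke` fires only when the grantee has lost every path that let it grant, so a privilege the grantee also holds with grant option from a different grantor would keep its downstream grants alive; that is the check a real catalogue has to make before deciding which grants are "derived" from the revoked one.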
11.3.5.3 GemStone
GemStone provides a simple authorization model. Authorizations can be
granted both to single users and to groups. The only type of authorization
unit is the segment. A segment groups together a set of objects with the same
level of protection; for instance, if a subject has the authorization to read
a segment, it can read all the objects within that segment. Each segment has
exactly one owner, who can grant and revoke authorizations on the segment. A
default segment, whose identifier is stored in the subject profile, is
associated with each subject. Normally, an object is stored in the default
segment of its creator. A subject can transfer objects from one segment to
another and can create new segments, given the appropriate authorizations.
Transferring an object from one segment to another is thus a means of
changing the object's accessibility.
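The segment model of the preceding paragraph, as an added Python example that is neither GemStone's own code nor the author's: objects live in segments, a subject's authorization is checked against the segment rather than the object, only the single owner grants or revokes, and moving an object to another segment is what changes who can reach it. All names (SegmentStore, alice, bob, staff, payroll, budget, alice.private) are invented; the #write privilege, the owner's full access to its own segment, and the rule that a transfer needs #write on both the source and the destination segment are assumptions made to complete the example, not statements from the text.

```python
# Added example: a toy segment-based authorization store in the style of the
# GemStone model described above. Names are invented; #write, the owner's full
# access to its own segment and the transfer rule are assumptions.


class SegmentStore:
    def __init__(self):
        self.owner = {}            # segment -> owning subject (exactly one)
        self.auth = {}             # (segment, subject) -> set of privileges, e.g. {"#read"}
        self.default_segment = {}  # subject -> default segment id (kept in the subject profile)
        self.groups = {}           # subject -> groups it belongs to
        self.location = {}         # object -> segment holding it

    def add_subject(self, subject, groups=()):
        """Each subject gets a default segment that it owns."""
        seg = f"{subject}.default"
        self.owner[seg] = subject
        self.default_segment[subject] = seg
        self.groups[subject] = set(groups)

    def create_segment(self, owner, seg):
        self.owner[seg] = owner

    def create_object(self, creator, obj):
        """New objects land in their creator's default segment."""
        self.location[obj] = self.default_segment[creator]

    def _privileges(self, subject, seg):
        if self.owner[seg] == subject:   # assumption: the owner has full access
            return {"#read", "#write"}
        privs = set()
        for s in {subject} | self.groups.get(subject, set()):
            privs |= self.auth.get((seg, s), set())
        return privs

    def grant(self, grantor, seg, subject, priv):
        """Only the segment's single owner may grant or revoke on it."""
        if self.owner[seg] != grantor:
            raise PermissionError(f"{grantor} does not own {seg}")
        self.auth.setdefault((seg, subject), set()).add(priv)

    def revoke(self, grantor, seg, subject, priv):
        if self.owner[seg] != grantor:
            raise PermissionError(f"{grantor} does not own {seg}")
        self.auth.get((seg, subject), set()).discard(priv)

    def can_read(self, subject, obj):
        """Access is decided per segment: #read on a segment covers every object in it."""
        return "#read" in self._privileges(subject, self.location[obj])

    def transfer(self, subject, obj, dest):
        """Moving an object to another segment changes who can reach it (needs #write on both)."""
        src = self.location[obj]
        if ("#write" not in self._privileges(subject, src)
                or "#write" not in self._privileges(subject, dest)):
            raise PermissionError(f"{subject} may not move {obj} from {src} to {dest}")
        self.location[obj] = dest


def segment_scenario():
    """Show that access follows the segment, and that a transfer changes it."""
    store = SegmentStore()
    store.add_subject("alice")
    store.add_subject("bob", groups={"staff"})
    store.create_object("alice", "payroll")          # both land in alice.default
    store.create_object("alice", "budget")
    step1 = store.can_read("bob", "payroll")          # nothing granted yet
    store.grant("alice", "alice.default", "staff", "#read")   # granted to bob's group
    step2 = (store.can_read("bob", "payroll"), store.can_read("bob", "budget"))
    store.create_segment("alice", "alice.private")
    store.transfer("alice", "payroll", "alice.private")       # payroll leaves the shared segment
    step3 = (store.can_read("bob", "payroll"), store.can_read("bob", "budget"))
    try:
        store.transfer("bob", "budget", "alice.private")      # bob has no #write anywhere
        bob_moved = True
    except PermissionError:
        bob_moved = False
    return step1, step2, step3, bob_moved


if __name__ == "__main__":
    print(segment_scenario())
```

Because the segment is the only authorization unit, there is no per-object decision to make in `can_read`: granting #read on alice.default exposes every object in it at once, and the only way to narrow what bob sees is to move an object into a segment he has no authorization on, which is exactly what the transfer step does.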
Privileges that can be granted on a segment are of two distinct
types: the #read privilege, which allows a subject to read all the objects in a