DB2 Admin rights granted to all local administrators?

Jim Youmans
DB2 10.5 on Windows Server 2012 R2.

Trying to figure out how security works with DB2 and Windows.  My main concern is the Server Admin group.  Here is what is confusing me.

By default, system administrative (SYSADM) authority is granted to any valid DB2® user account that belongs to the Administrators group on the computer where the account is defined. If the account is a local account, then it must belong to the local Administrators group. If the account is a domain account, then it must belong to the Administrators group at the domain controller or the local Administrators group. (https://www.ibm.com/support/knowledgecenter/en/SSEPGG_9.7.0/com.ibm.db2.luw.qb.server.doc/doc/c0008762.html)

What does this mean?  On my server when I look at the Local Users and Groups and look at the Administrators group, I see 4 or 5 domain groups that need to be admin on the server but I don't want them to be admins in DB2.

Is this saying that everyone in the Administrator group on the server is also an admin in DB2?

Thanks.

Jim
Hi Jim,

That's an accurate assessment.  

You should be able to revoke the privilege, though.

  REVOKE SYSADM FROM user;


Kent
Tomas Helgi Johannsson, Database Administrator / Software Engineer
Commented:
Hi,

If extended security is enabled you need to put the local users and/or domain users/groups that identify the DB2 admins into the Windows DB2ADMNS group, and the users/user groups into DB2USERS. Please read the manual carefully before applying the extended security.
Also, adding the DB2ADMNS or the desired domain group (if extended security is not used) to the database instance's SYS* groups (SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP, SYSMON_GROUP) will only allow those administrators belonging to that group to maintain the databases on that instance, as stated in the manual you linked:

Since the DB2 database server always performs authorization at the machine where the account is defined, adding a domain user to the local Administrators group on the server does not grant the domain user SYSADM authority to this group, unless DB2_GRP_LOOKUP=local is set.
To avoid adding a domain user to the Administrators group at the domain controller, create a global group and add the domain users to which you want to grant SYSADM authority to it. Then update the DB2 configuration parameter SYSADM_GROUP with the name of the global group.

Regards,
     Tomas Helgi
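As an added example (not part of the thread), the checks Tomas describes can be automated: the script below parses constructed samples of the output of `db2 get dbm cfg` and `db2set -all` and reports when a blank SYSADM_GROUP or DB2_GRP_LOOKUP=LOCAL means Windows Administrators membership carries DB2 authority, and when extended security (DB2ADMNS/DB2USERS) is in force. The sample text and the server name DBSRV01 are constructed, not captured from any real instance.

```python
import re

# Constructed sample of "db2 get dbm cfg" output: the SYS* group
# parameters are blank, which is the default the question describes.
DBM_CFG = """\
 SYSADM group name                        (SYSADM_GROUP) =
 SYSCTRL group name                      (SYSCTRL_GROUP) =
 SYSMAINT group name                    (SYSMAINT_GROUP) =
 SYSMON group name                        (SYSMON_GROUP) =
"""

# Constructed sample of "db2set -all" output (instance/global registry variables).
DB2SET = """\
[i] DB2_GRP_LOOKUP=LOCAL
[g] DB2_EXTSECURITY=NO
[g] DB2SYSTEM=DBSRV01
"""

# Match "(SYSADM_GROUP) = value"; [ \t]* (not \s*) so a blank value does not
# swallow the next line.
PARAM_RE = re.compile(r"\((SYS(?:ADM|CTRL|MAINT|MON)_GROUP)\)[ \t]*=[ \t]*(\S*)")
REG_RE = re.compile(r"^\[[ige]\]\s*(\w+)=(.*)$")

def parse_dbm_cfg(text):
    """Return {parameter: value} for the SYS*_GROUP lines of dbm cfg output."""
    return {m.group(1): m.group(2).strip() for m in PARAM_RE.finditer(text)}

def parse_db2set(text):
    """Return {variable: VALUE} from db2set -all output."""
    out = {}
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip().upper()
    return out

def audit(dbm_cfg_text, db2set_text):
    """List settings under which Windows admin-group membership grants DB2 authority."""
    groups = parse_dbm_cfg(dbm_cfg_text)
    reg = parse_db2set(db2set_text)
    findings = []
    if not groups.get("SYSADM_GROUP"):
        findings.append("SYSADM_GROUP is blank: local Administrators members hold SYSADM")
        if reg.get("DB2_GRP_LOOKUP") == "LOCAL":
            findings.append("DB2_GRP_LOOKUP=LOCAL: domain accounts in local Administrators also get SYSADM")
    if reg.get("DB2_EXTSECURITY") == "YES":
        findings.append("Extended security on: review DB2ADMNS and DB2USERS membership")
    return findings

if __name__ == "__main__":
    for f in audit(DBM_CFG, DB2SET):
        print(f)
```

On a real server, feed the script the actual command output instead of the constructed strings; an empty findings list means SYSADM is scoped to a named group rather than to everyone who administers Windows on the box.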
Tomas Helgi Johannsson, Database Administrator / Software Engineer

Commented:
Hi,

Do you need any more assistance or clarification on this issue?

Regards,
     Tomas Helgi
