DB2_資料庫角色
目的:
測試DB2資料庫角色,本指令碼摘錄自DB2安裝目錄admin_scripts/databaseroles.db2。
版本:Windows DB2 Express-C V9.7
使用者要求:
作業系統使用者:
mh with password "mh1234" in SYSADM group
john with password "john1234"
joe with password "joe1234"
bob with password "bob1234"
pat with password "pat1234"
操作步驟:
使用"db2cmd db2 -t"進入互動模式,執行後續操作。
0,設定環境
CONNECT TO sample;
-- Create tables TEMP_EMPLOYEE and TEMP_DEPARTMENT under 'mh' schema.
CREATE TABLE mh.TEMP_EMPLOYEE LIKE EMPLOYEE;
CREATE TABLE mh.TEMP_DEPARTMENT LIKE DEPARTMENT;
-- Populate the above created tables with the data from EMPLOYEE & DEPARTMENT tables.
-- export the table data to file 'load_employee.ixf'.
EXPORT TO load_employee.ixf OF IXF SELECT * FROM EMPLOYEE;
-- loading data from data file inserting data into the table TEMP_EMPLOYEE.
LOAD FROM load_employee.ixf of IXF INSERT INTO mh.TEMP_EMPLOYEE;
-- export the table data to file 'load_department.ixf'.
EXPORT TO load_department.ixf OF IXF SELECT * FROM DEPARTMENT;
-- loading data from data file inserting data into the table TEMP_DEPARTMENT.
LOAD FROM load_department.ixf of IXF INSERT INTO mh.TEMP_DEPARTMENT;
1,使用ROLE授予select許可權
-- Connect to sample database using user mh.
CONNECT TO sample user mh using mh1234;
-- Grant SECADM authority to a user JOHN.
GRANT SECADM ON DATABASE TO USER john;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO sample USER john USING john1234;
-- Create role DEVELOPMENT_ROLE. Only a user with SECADM authority can create
-- the role. In this sample user JOHN is assigned SECADM authority and has
-- the privilege to create the roles.
CREATE ROLE development_role;
-- Create tables DEV_TABLE1 and DEV_TABLE2. Any user can create these tables.
-- In the sample these tables are created by user JOHN.
CREATE TABLE dev_table1 (project VARCHAR(25), dept_no INT);
INSERT INTO dev_table1 VALUES ('DB0', 1);
CREATE TABLE dev_table2 (defect_no INT, scheme_repository VARCHAR(25));
INSERT INTO dev_table2 VALUES (100, 'wsdbu');
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user mh(SYSADM).
-- User mh is system administrator(SYSADM).
CONNECT TO sample user mh using mh1234;
-- Grant SELECT privilege on tables DEV_TABLE1 and DEV_TABLE2 to role
-- DEVELOPMENT_ROLE.
GRANT SELECT ON TABLE john.dev_table1
TO ROLE development_role;
GRANT SELECT ON TABLE john.dev_table2
TO ROLE development_role;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO sample user john using john1234;
-- Grant role DEVELOPMENT_ROLE to users JOE and BOB.
GRANT ROLE development_role TO USER joe, USER bob;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOE.
CONNECT TO sample USER joe USING joe1234;
-- User JOE is granted DEVELOPMENT_ROLE role and hence gains select privilege
-- on the tables DEV_TABLE1 and DEV_TABLE2 through membership of this role.
-- SELECT from tables DEV_TABLE1 and DEV_TABLE2 to verify user JOHN has
-- select privileges.
SELECT * FROM john.dev_table1;
SELECT * FROM john.dev_table2;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user BOB
CONNECT TO sample USER bob USING bob1234;
-- User BOB is granted DEVELOPMENT_ROLE role and hence gains select privilege
-- on the tables DEV_TABLE1 and DEV_TABLE2 through membership of this role.
-- SELECT from tables DEV_TABLE1 and DEV_TABLE2 to verify user BOB has select
-- privileges.
SELECT * FROM john.dev_table1;
SELECT * FROM john.dev_table2;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO sample user john using john1234;
-- REVOKE the role DEVELOPMENT_ROLE from users JOE and BOB.
REVOKE ROLE development_role FROM USER joe, USER bob;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOE.
CONNECT TO sample USER joe USING joe1234;
-- The following two SELECT statements will fail. Users JOE cannot perform
-- SELECT on the tables DEV_TABLE1 and DEV_TABLE2 now. JOE has lost SELECT
-- privilege on these tables as role DEVELOPMENT_ROLE was revoked from him.
-- Error displayed for the following SELECT statement will be :
-- SQL0551N "JOE" does not have the privilege to perform. operation "SELECT"
-- on object "JOHN.DEV_TABLE1". SQLSTATE=42501
SELECT * FROM john.dev_table1;
!echo "Above error is expected !";
-- Error displayed for the following SELECT statement will be :
-- SQL0551N "JOE" does not have the privilege to perform. operation "SELECT"
-- on object "JOHN.DEV_TABLE2". SQLSTATE=42501
SELECT * FROM john.dev_table2;
!echo "Above error is expected !";
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user BOB
CONNECT TO sample USER bob USING bob1234;
-- The following two SELECT statements will fail as user BOB has lost SELECT
-- privilege on these tables as the role DEVELOPMENT_ROLE was revoked
-- from him.
-- Error displayed for the following SELECT statement will be :
-- SQL0551N "BOB" does not have the privilege to perform. operation "SELECT"
-- on object "JOHN.DEV_TABLE1". SQLSTATE=42501
SELECT * FROM john.dev_table1;
!echo "Above error is expected !";
-- Error displayed for the following SELECT statement will be :
-- SQL0551N "BOB" does not have the privilege to perform. operation "SELECT"
-- on object "JOHN.DEV_TABLE2". SQLSTATE=42501
SELECT * FROM john.dev_table2;
!echo "Above error is expected !";
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN.
CONNECT TO sample USER john USING john1234;
-- Grant role DEVELOPMENT_ROLE to new employee PAT.
-- Once this is done, PAT can SELECT from tables DEV_TABLE1
-- and DEV_TABLE2.
GRANT ROLE development_role TO USER pat;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user PAT.
CONNECT TO sample USER pat USING pat1234;
-- The following two SELECT statements will be successful.
SELECT * FROM john.dev_table1;
SELECT * FROM john.dev_table2;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO sample USER john USING john1234;
-- Drop the tables.
DROP TABLE dev_table1;
DROP TABLE dev_table2;
-- Drop the role. Only a user having SECADM authority can drop the role.
DROP ROLE development_role;
-- Disconnect from sample database.
CONNECT RESET;
2,用ROLE代替作業系統組
-- Connect to sample database using user JOHN.
CONNECT TO sample USER john USING john1234;
-- Create roles DEVELOPER, TESTER and SALES.
CREATE ROLE developer;
CREATE ROLE tester;
CREATE ROLE sales;
-- Grant role DEVELOPER to user BOB.
GRANT ROLE developer TO USER bob;
-- Grant role TESTER to users JOE and PAT.
GRANT ROLE tester TO USER joe, USER pat;
-- Grant role SALES to users JOE and BOB.
GRANT ROLE sales TO USER joe, USER bob;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user BOB.
CONNECT TO SAMPLE USER bob USING bob1234;
-- Create table TEMP1.
CREATE TABLE temp1 (a int);
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user mh(SYSADM)so that he can grant
-- ALTER privilege to role DEVELOPER. (DBADM can also grant ALTER privilege).
CONNECT TO SAMPLE USER mh USING mh1234;
-- Grant ALTER privilege on table TEMP1 to role DEVELOPER. mh(SYSADM)
-- (also DBADM) can grant the ALTER privilege on tables.
-- Once ALTER privilege is granted to role DEVELOPER, any user who
-- is part of role DEVELOPER can ALTER this table. So in this sample,
-- user BOB can perform. an alter operation on table TEMP1. Users belonging to
-- other roles cannot perform. alter operation on TEMP1 unless they have
-- privilege granted.
GRANT ALTER ON bob.temp1 TO ROLE developer;
CONNECT RESET;
-- The following statements show that a trigger TRG1 will be created
-- when user BOB holds the privilege through role DEVELOPER. But this is
-- not possible if user BOB is part of group DEVELOPER_G.
-- Connect to sample database using user BOB.
CONNECT TO SAMPLE USER bob using bob1234;
-- Create trigger TRG1. The following statements show that trigger TRG1 can
-- only be created by user BOB, as he holds the privilege through role
-- DEVELOPER. But this is not possible if user BOB holds the necessary
-- privileges through a group.
CREATE TRIGGER trg1 AFTER DELETE ON bob.temp1
FOR EACH STATEMENT MODE DB2SQL INSERT INTO bob.temp1 VALUES (1);
-- Drop the table TEMP1.
DROP TABLE bob.temp1;
-- Drop the trigger TRG1.
DROP trigger trg1;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john using john1234;
-- Drop the roles. Only a user with SECADM authority can drop the roles.
-- In this sample, user JOHN(SECADM) can only drop the roles.
DROP ROLE developer;
DROP ROLE tester;
DROP ROLE sales;
-- Disconnect from sample database.
CONNECT RESET;
3,替換資料庫物件屬主
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
-- Create role EMP_DEPT_ROLE.
CREATE ROLE emp_dept_role;
-- Disconnect from sample database.
CONNECT RESET;
-- User mh(SYSADM) grants SELECT privilege on tables TEMP_EMPLOYEE and TEMP_DEPARTMENT
-- to role EMP_DEPT_ROLE.
-- Connect to sample database using user mh.
CONNECT TO sample user mh using mh1234;
GRANT SELECT ON TABLE mh.temp_employee
TO ROLE emp_dept_role;
GRANT SELECT ON TABLE mh.temp_department
TO ROLE emp_dept_role;
-- Disconnect from sample database.
CONNECT RESET;
-- To transfer ownership of view EMP_DEPT(created below), BOB must hold SELECT
-- privilege on table TEMP_EMPLOYEE and table TEMP_DEPARTMENT.
-- Since role EMP_DEPT_ROLE has these privileges, role EMP_DEPT_ROLE
-- is granted to user BOB using the statement, below.
-- For the TRANSFER to work, new user JOE must also hold SELECT privilege on
-- the above two tables. Hence user JOHN(SECADM) grants SELECT privilege
-- to user JOE also.
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
GRANT ROLE emp_dept_role TO USER bob, USER joe;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user BOB.
CONNECT TO SAMPLE USER bob USING bob1234;
-- User BOB creates a view EMP_DEPT which depends upon tables
-- TEMP_EMPLOYEE and TEMP_DEPARTMENT.
-- Create view EMP_DEPT using tables TEMP_EMPLOYEE and TEMP_DEPARTMENT.
CREATE VIEW emp_dept AS SELECT * FROM mh.temp_employee, mh.temp_department;
-- Transfer view EMP_DEPT to user JOE from user BOB.
TRANSFER OWNERSHIP OF VIEW bob.emp_dept TO USER joe PRESERVE PRIVILEGES;
-- Connect to sample database using user JOE.
CONNECT TO SAMPLE USER joe using joe1234;
-- After the TANSFER is done,user BOB cannot drop the view. Only new user JOE,
-- who is current owner of the view, can drop it.
DROP VIEW bob.emp_dept;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john using john1234;
-- User JOHN(SECADM) drops the role.
DROP ROLE emp_dept_role;
-- Disconnect from sample database.
CONNECT RESET;
4,從ROLE中取消許可權
-- Connect to sample database using user JOE.
CONNECT TO SAMPLE USER joe USING joe1234;
-- Create table TEMP_TABLE.
CREATE TABLE temp_table (x int);
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
-- Create role DEVELOPER.
CREATE ROLE developer;
-- Grant role DEVELOPER to user BOB
GRANT ROLE developer TO USER bob;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user mh(SYSADM).
CONNECT TO SAMPLE USER mh using mh1234;
-- Grant SELECT and INSERT privileges on table TEMP_TABLE to PUBLIC and
-- to role DEVELOPER. Only a user with SYSADM or DBADM authority can grant
-- the privileges on the table.
-- In this sample, the user mh(SYSADM)can grant the SELECT and the INSERT
-- privileges on the table TEMP_TABLE to PUBLIC and to role DEVELOPER.
GRANT SELECT ON TABLE joe.temp_table TO PUBLIC;
GRANT INSERT ON TABLE joe.temp_table TO PUBLIC;
GRANT SELECT ON TABLE joe.temp_table
TO ROLE developer;
GRANT INSERT ON TABLE joe. temp_table
TO developer;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database uing user BOB.
CONNECT TO SAMPLE USER bob USING bob1234;
-- Create a view VIEW_TEMP on the table TEMP_TABLE.
CREATE VIEW view_temp
AS SELECT * FROM joe.temp_table;
-- Disconnect form. sample database.
CONNECT RESET;
-- Connect to sample database using user mh(SYSADM).
CONNECT TO SAMPLE USER mh using mh1234;
-- If SELECT privilege on table JOE.TEMP_TABLE is revoked from PUBLIC,
-- the view, BOB.VIEW_TEMP will still be accessible by users who are
-- part of the role DEVELOPER.
REVOKE SELECT ON joe.temp_table FROM PUBLIC;
-- Disconnect from sample database.
CONNECT RESET;
CONNECT TO sample USER bob USING bob1234;
select * from view_temp;
-- Connect to sample database using user mh(SYSADM).
CONNECT TO sample USER mh USING mh1234;
-- If SELECT privilege on table JOE.TEMP_TABLE is revoked from the role
-- DEVELOPER, user BOB will lose SELECT privilege on the table JOE.TEMP_TABLE
-- because required privileges are not held through either role DEVELOPER
-- or any other means.
REVOKE SELECT ON TABLE joe.temp_table FROM ROLE developer;
-- Disconnect from sample database.
CONNECT RESET;
CONNECT TO sample USER bob USING bob1234;
select * from view_temp;
-->SQL0727N 隱式系統操作型別 "3" 期間出錯。對該錯誤返回的資訊包括 SQLCODE
"-551"、SQLSTATE "42501" 和訊息標記 "BOB|SELECT|JOE.TEMP_TABLE"。
SQLSTATE=56098
-- Connect to sample database using user BOB.
CONNECT TO sample USER bob USING bob1234;
-- Drop a view VIEW_TEMP.
DROP VIEW bob.view_temp;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOE.
CONNECT TO SAMPLE USER joe USING joe1234;
-- Drop a table TEMP_TABLE.
DROP TABLE joe.temp_table;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
-- Drop a role DEVELOPER.
DROP ROLE developer;
-- Disconnect from sample database.
CONNECT RESET;
5,建立層級ROLE
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
-- Create roles MANAGER, TECH_LEAD and DEVELOPER.
CREATE ROLE manager;
CREATE ROLE tech_lead;
CREATE ROLE developer;
-- These two statements create a role hierarchy.
GRANT ROLE developer TO ROLE tech_lead;
GRANT ROLE tech_lead TO ROLE manager;
-- Drop roles MANAGER, TECH_LEAD and DEVELOPER.
DROP ROLE manager;
DROP ROLE tech_lead;
DROP ROLE developer;
-- Disconnect from sample database.
CONNECT RESET;
6,使用WITH ADMIN OPTIONS從授權ID授予/取消許可權
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
-- Create role DEVELOPER.
CREATE ROLE developer;
-- Grant role DEVELOPER to user JOE and give the WITH ADMIN privilege.
GRANT ROLE developer TO USER joe WITH ADMIN OPTION;
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOE.
CONNECT TO SAMPLE USER joe USING joe1234;
-- The following statements will be successful because user JOE has the
-- WITH ADMIN privileges on role DEVELOPER.
-- User JOE can GRANT and REVOKE ROLE to/from the other users.
GRANT ROLE developer TO USER bob;
REVOKE ROLE developer FROM USER bob;
-- The following statement will fail since user JOE doesn't have the privilege
-- to drop the role DEVELOPER. Only user JOHN(SECADM) is allowed to drop the
-- role.
-- Error displayed will be:
-- SQL0552N "JOE" does not have the privilege to perform. operation
-- "DROP ROLE". SQLSTATE=42502
DROP ROLE developer;
!echo "Above error is expected!";
-- The following statement will fail because user JOE cannot GRANT/REVOKE
-- the role DEVELOPER to another user by using the WITH ADMIN OPTION clause.
-- Only a SECADM can grant/revoke the WITH ADMIN OPTION.
-- Error displayed will be:
-- SQL0551N .JOE" does not have the privilege to perform. operation
-- "GRANT/REVOKE" on object "DEVELOPER". SQLSTATE=42501
GRANT ROLE DEVELOPER TO USER bob WITH ADMIN OPTION;
!echo "Above error is expected!";
REVOKE ADMIN OPTION FOR ROLE developer FROM USER bob;
!echo "Above error is expected!";
-- Disconnect from sample database.
CONNECT RESET;
-- Connect to sample database using user JOHN(SECADM).
CONNECT TO SAMPLE USER john USING john1234;
-- The following statement will be successful because user JOHN(SECADM)
-- is executing it.
-- With the command below, only ADMIN OPTION is revoked, role DEVELOPER is
-- still granted to user JOE.
REVOKE ADMIN OPTION FOR ROLE developer FROM USER joe;
CONNECT TO SAMPLE USER joe USING joe1234;
-- The following statements will be successful because user JOE has the
-- WITH ADMIN privileges on role DEVELOPER.
-- User JOE can GRANT and REVOKE ROLE to/from the other users.
GRANT ROLE developer TO USER bob;
-->SQL0551N "JOE" 不具有對物件 "DEVELOPER" 執行操作 "GRANT" 的必需許可權或特權。
SQLSTATE=42501
REVOKE ROLE developer FROM USER bob;
-->SQL0551N "JOE" 不具有對物件 "DEVELOPER" 執行操作 "GRANT" 的必需許可權或特權。
SQLSTATE=42501
CONNECT TO SAMPLE USER john USING john1234;
-- Revoke role DEVELOPER from user JOE.
REVOKE ROLE developer FROM USER joe;
-- Drop a role.
DROP ROLE developer;
-- Disconnect from sample database.
CONNECT RESET;
7,清理測試環境
CONNECT TO SAMPLE;
DROP TABLE mh.TEMP_EMPLOYEE;
DROP TABLE mh.TEMP_DEPARTMENT;
TERMINATE;
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/18922393/viewspace-702149/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- DB2_建庫DB2
- DB2_線上裝載資料DB2
- 資料庫安全之許可權與角色資料庫
- DB2_收集表統計資料DB2
- 資料庫管理員的角色是否已終結?資料庫
- DB2_建立備份恢復使用自動儲存的資料庫DB2資料庫
- Data Guard broker系列之五:資料庫角色轉換資料庫
- SQL Server 2008資料庫級別的角色SQLServer資料庫
- 查詢資料庫使用者角色和許可權檢視資料庫
- SQL Server 2008固定資料庫角色的許可權SQLServer資料庫
- 迴歸資料分析,資料運營的三種角色!
- DB2_安全DB2
- 關於SQL Server資料庫中的使用者許可權和角色管理SQLServer資料庫
- ORACLE DG之備庫角色Oracle
- 資料治理的人員角色職責 - corymaklin
- DB2_審計DB2
- snapshot standby快照備庫角色
- 【資料庫】mysql資料庫索引資料庫MySql索引
- DG中主庫與備庫角色的交換
- 基於使用者角色的資料庫智慧監控系統應用場景分析資料庫
- “使用者、組或角色'XXX'在當前資料庫中已存在”問題資料庫
- Greenplum資料庫,分散式資料庫,大資料資料庫分散式大資料
- 大資料圖資料庫之TAO資料庫大資料資料庫
- DB2_命令列工具DB2命令列
- DB2_自治事務DB2
- DB2_使用別名DB2
- DB2_行壓縮DB2
- 主流大資料系統在後臺的層次角色及資料流向大資料
- 資料庫PostrageSQL-管理資料庫資料庫SQL
- 資料庫映象和資料庫快照資料庫
- 【資料庫資料恢復】SAP資料庫資料恢復案例資料庫資料恢復
- 如何匯出11.2.0.4的某個資料庫使用者許可權及角色並快速複製到另一個同版本的資料庫資料庫
- Oracle Data Guard主庫備庫角色切換(Switchovers)Oracle
- 資料庫修改資料資料庫
- 資料庫資料整理資料庫
- 【資料庫資料恢復】MS SQL資料庫附加資料庫出錯怎麼恢復資料?資料庫資料恢復SQL
- 談談資料治理角色和職責:資料管理的關鍵參與者
- 資料湖 vs 倉庫 vs 資料庫資料庫