I'm new to DB2 database. I installed DB2 Express-C on my local machine (Windows 10) to play with it, and I created a sample database.
If I understand correctly, DB2 uses Windows accounts for access to database. The installation created a db2admin user, but this one does not have access to the sample database. So my understanding is that my Windows account has access to this database.
So here is the problem. My company uses Azure Active Directory accounts, using Windows Hello to log in - that means, using a PIN to log in instead of a password (meaning my password does not work for login). However, if I want to connect to the database, I need to do this with my account's password. How can I do this? Do I need to create a local account on my machine instead of using Azure account?
If you are able to create a local-user on your workstation, and assign it a password, and ensure it is a member of local groups DB2USERS (and optionally) DB2ADMNS if those local-groups exist, that is likely to be the easiest option.
You may need to have Windows local-administrative rights to be able to perform those actions.
You can then connect to any local Db2-databases with that local-account and its password (regardless of how you sign-in to Windows).
If you allowed Db2-installation to create local user db2admin (and give it a password) then that local-account is also able to connect to local Db2-databases, including the SAMPLE database. So it's unclear why you write that db2admin account does not have access to SAMPLE database. As long as db2admin has a valid password then that account can connect to SAMPLE if all default settings are active.
Db2-LUW is able to integrate with Active-Directory provided pre-requisites are met and special configuration is performed, see documentation. But unless you have special security plugins for Db2, then any account that wants to connect to local Db2-databases will need a password. With special security plugins, other forms of authentication are possible.
Windows 10 Azure account login gives license to only one user to access windows account. If you login with db2admin in your windows you might lost azure account I am facing such issues.
Better to communicate with IT team of your company and ask to provide DB2ADMN right to your Azure login user. DB2 install properly but not able to create database permission/authorization issue coming.
Related
In our organization, we are having common credentials to access the postgres databases, which every developers know, as it is hardcoded in application's connection string. Due to which, whenever a DML/DDL changes happens on databases, it is hard for us trace, as the developers use to make changes on their own. We can't have individual logins for each developers which is tedious to manage.
Note: Also, we can't ensure that the credentials won't be shared with the peer developers.
To get rid of this, we thought of integrating Postgres with Azure Active Directory, for Authentication.
If we can map Azure AD group/users to Postgres, security will be tightened as well as maintenance overhead will also reduce.
But, I couldn't find a article to implement this, since most of the articles says the integration for Azure managed postgresql with Azure AD, and not for the postgres running on VMs.
Can anyone guide me or share a detailed article to implement the Azure AD integration for Postgres running on a VM(IaaS)
In Azure portal go to the postgresql database select Authentication and set active directory admin.
You can specify an Azure AD group instead of an individual user to have multiple administrators.
Connecting to postgresql :
1.Login to Azure subscription.
2.Get the access token of the postgresql serverusing below command:
az account get-access-token --resource https://ossrdbms-aad.database.windows.net
3.Use that token as password for login with postgresql server.
Creating user
CREATE USER "user1#yourtenant.onmicrosoft.com" IN ROLE azure_ad_user;
Token validation:
Token is signed by Azure AD and has not been tampered with
Token was issued by Azure AD for the tenant associated with the server
Token has not expired
Token is for the Azure Database for PostgreSQL resource (and not another Azure resource)
Reference Link: Use Azure Active Directory - Azure Database for PostgreSQL - Single Server | Microsoft Learn
Using Azure Active Directory is a great idea for the reasons you specified, but unfortunately there's no native support for connection to Azure Active Directory with a local Postgres database (which is essentially what you have with Postgres in a VM). It can be done through the LDAP protocol, however.
FULL DISCLOSURE: I haven't actually done this part myself (or used the steps in the tutorial link), but this is my understanding from working with system operators. Use LDAP to connect to Azure AD then Postgres to connect via LDAP. More information on LDAP authentication in Postgres can be found here.
Bhavani's answer is about Azure Database for PostgreSQL, which is a Azure-native database service. This part I have used and I highly recommend it; you get Azure AD integration and can manage the database performance and connectivity specifically without having to also manage VM performance. Note that their screenshot is for the Flexible Server while the reference link says 'Single Server'; I recommend Flexible Server.
I have data held in an Azure Data Lake Gen 2 storage container. I would like to provision this data for an existing report authored in Crystal Reports using SQL on demand.
During development I used my own Azure AD login via an ODBC connection on my local machine. I have access to the Synapse environment and also the data lake. This worked successfully and although slow, pulled all information required.
To deploy this solution correctly I need to remove my AAD creds and use a provisioned service principle. I have given the service principle to read from the data lake and also added the principle to the SQL database. Now I am stuck on how to use the principle to connect to Crystal Reports.
I have tried the same authentication type as with my AAD but now I am using a clientID not a email. So when the system prompts for connection details it wants you to sign in and does not accept the clientID.
Does anyone have any suggestions on how to connect to Crystal Reports using this way or any other way?
Also: My org does not want this user or app reg to have restricted permissions so therefore adding them to the RBAC "synapse admin" wont work.
Thanks
Tom
Found a way around this.
Create a service account user on Azure Portal. Head to Synapse Analytics and open blank SQL script to give the user minimal permissions.
*USE [master]*
CREATE LOGIN [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
GRANT CONNECT ANY DATABASE TO [serviceaccountsynapseuser#company.onmicrosoft.com]
GRANT SELECT ALL USER SECURABLES TO [serviceaccountsynapseuser#company.onmicrosoft.com]
*USE [Reporting] (Serverless SQL DB)*
CREATE USER [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [serviceaccountsynapseuser#company.onmicrosoft.com]
Finally head to the storage account and give the user storage blob reader role.
I need to create a db2 user account. Any idea how to create a system user account in db2 database installed in Windows OS.
Based on the knowledge from googling, I believe - it needs to create a OS user. Do we have the steps to make this windows OS user to a valid db2 user account?
I have existing user id in this machine, which i used to install the db2 database. Can I make this user as a db2 system user? If so what are the steps.
There are no users in DB2 that are not OS users. The client software makes this a bit confusing: what they show as "users" are actually grants given to the (externally defined) users.
you can grant privileges to arbitrary users or groups, and no verification is done if those users and groups exist at that time.
However, to connect to the database and exercise the granted privileges you must authenticate first, and for that you must have the user defined in the OS (or another configured authentication service, such as an LDAP directory).
All versions of Db2-server rely on the underlying operating system, or LDAP to authenticate users. Db2-server has no concept of 'internal' users.
You can use your own account, or any Windows-account to administer Db2-Server on Windows. That might be what you mean by a "system user account", but Db2 does not use that terminology of "system user". Instead Db2-server on Windows understands a user with DBADM rights, or SECADM rights, or a user who is a member of SYSADM_GROUP. These are well explained in the documentation.
If you accepted the defaults when installing Db2-server on Windows, then there will be two local groups created by the installation, called DB2USERS and DB2ADMNS. (You don't have to use these local groups, any groups will suffice, as long as you tell Db2 about them).
You can add your own account (or any other Windows accounts) to the local group DB2ADMNS (or to the group that is the SYSADM_GROUP), using Windows GUIs or command-line commands. The users can also be domain-users.
You should then configure the Db2-server instance configuration item SYSADM_GROUP with the value DB2ADMNS. You can do this via the command line (db2cwadmin.bat > db2 update dbm cfg using SYSADM_GROUP db2admns ). This then allows Db2-server to know that anyone who is a member of that group can have SYSADM rights on the Db2-server instance.
Hi I am new to SAP Business Object Central Management Console and trying to schedule a crystal report. For this I made an ODBC connection to a database(NCBODS) in the Server machine using windows authentication. I also gave same windows credentials in CMC as shown in below image. But It gives me an error saying
Error Message:
Error in File C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Data\procSched\SDDVCTRTRCH11.reportjobserver\~tmp5448125TH7b9b16.rpt: Unable to connect: incorrect log on parameters. Details: [Database Vendor Code: 18456 ]
I have given the same windows credentials that I use to connect to the app server. Still I am getting "incorrect log on parameters"
But when I use a SQL Authenticated Login in the ODBC connection and also use the same SQL Login credentials in CMC it works fine.
So the problem here is when I use the windows credentials it throws error but works fine when SQL credentials are used. Is there any way I can use windows credentials in CMC?? I really appreciate if any one can help me on this
If you create an ODBC DSN with authentication set to trusted connection (Windows authentication), be aware that a different account will be used when creating the DSN and when using it in BusinessObjects:
When creating the connection: the DSN is created using the credentials you're logged on with (i.e. your Windows AD user account)
When running a report: the connection to the database is initiated through BusinessObjects, thus the account which BusinessObjects is running with, will be used to connect to the database.
In other words, you need to make sure that following requirements are met:
Your SIA (Server Intelligence Agent) which runs your CMS, Crystal Reports servers, etc must be configured to run with an Active Directory service account. By default, it runs with the Local System Account, which will not be able to log on to your database (as it's a local account, it's not even able to access network resources).
You need to grant the service account you used to configure the SIA in step 1 the necessary rights to your database.
Remarks:
If you're using AD SSO, you cannot schedule the report so that it uses the Active Directory credentials of a certain user (because BOBJ doesn't store these credentials, it only verifies them at logon).
If you're not using AD SSO, but are authenticating users to the BusinessObjects platform (InfoView) with manual AD authentication, you can set the option Synchronization of Credentials. This forces BOBJ to store the AD credentials when the user authenticates.
The credentials are stored in the user profile (Database Credentials).
On IBM DB2 v.9 windows, when someone connect to database by Server\Administrator user
DB2 database will automatically accept and grant all the permissions to this user?
But, in some case environment Administrator of server does not need to see every data in the database. So how to prevent Administrator use connect to database?
On 9.5 and older this would not be possible because the account under which your instance runs is SYSADM. Also Administrator can reset at least local account passwords and gain access to them, making changing the instance owner account useless.
However on 9.7 and onwards the instance owner will not have access to the data anymore. One option is to upgrade to 9.7. Furthermore you can set up an AD account for the connections your applications use. Local Administrator is not necessarily able to change into those credentials.
Still, the Administrator ultimately has access to the (usually unencrypted) database files. You can mostly improve the administrative aspect of security.
Umm... For many times I try to revoke with this command but when I connect to database by Administrator account DB2 will automatic grant permission to Administrator again.
I will try again for make sure.
By default, DB2 databases are created with CONNECT authority granted to public. If you want to restrict some users from connecting, you need to do
GRANT CONNECT ON DATABASE TO <user1>, <user2>, ...
Then revoke the CONNECT authority from PUBLIC
REVOKE CONNECT ON DATABASE FROM PUBLIC
I don't think it's possible under normal circumstances simply because Administrator is in the sysadm group.
Options I can think of (but haven't tried) include:
Setting the sysadm group to something else ("db2 update dbm cfg using sysadm_group blah"). Check the docs for caveats and gotchas when doing this, as I'm sure there are some.
Stop using OS authentication. Use a different security plugin (8.2 and higher only). This would move the authentication, and thus groups, to a new location (say an LDAP server). Then you just don't add Administrator to the new location, and especially don't add Administrator to the sysadm group again.
On Windows, the database manager configuration parameter SYSADM_GROUP controls who has SYSADMauthority at the instance level. When SYSADM_GROUP is blank (as is the default on Windows), then DB2 defaults to using the Administrators group on the local machine.
To fix this, you can create a new group in Windows and then modify the value of SYSADM_GROUP to use this new group. Make sure that the ID that the DB2 Service runs under belongs to this new group. After making this change, members of the Administrators group will no longer have SYSADM authority.
As Kevin Beck states, you may also want to look at restricting CONNECT authority on databases, too, because by default the CONNECT privilege is granted to PUBLIC.