IBM Data and AI Ideas Portal for Customers



Status Delivered
Workspace Db2
Components Federation Security
Created by Guest
Created on Jul 8, 2019

Nickname using session_user

Nicknames ignore the permissions of the session_user; they just check the permissions of the connect user.

In our Db2 security system we connect with a CONNECT_USER to the database.
After a successful connection the connect user does a SET SESSION_USER with the real user id.
If this user id is not an active user in our security system, this command raises an error and the application revokes the access.
If the user is an active user in our security system, the SET SESSION_USER switches to the user id of the real user.

This works fine. Except for nicknames: they don't check the permissions of the session_user, they just check the permissions of the connect_user.

Needed by Date Sep 15, 2019
  • Guest
    Apr 29, 2020

    Hello

    I want to make it more clear.
    You think that this is an enhancement for DB2.
    But it is not an enhancement, it is a bug. A real big bug.

    A lot of IBM managers and also IBM developers agreed with me that this is a bug.
    And until now I thought that IBM is interested to fix bugs as soon as possible.
    But now I hear that it will be under future consideration.

    I think you really should rethink this decision.

    If you have any additional questions, don't hesitate to contact me.

    Thanks in advance, and I hope to get a positive feedback on this mail.
    Manfred WAGNER
    Statistik Austria

    From: IBM (Shruthi Subbaiah Machimada) [mailto:22e6f8ded7c51a6345005542-bigblue@iad-prod1.mailer.aha.io]
    Sent: Tuesday, 28 April 2020 19:46
    To: WAGNER Manfred
    Subject: Nickname using session_user status has changed to Future Consideration

  • Guest
    Jul 16, 2019

    Hello Karthik

    Simple SELECT statements do not work as expected.

    So if I connect to the database with a CONNECT-USER which has only the permission for CONNECT and SETSESSIONUSER and no other permission,
    after the SET SESSION_USER statement to a so-called SESSION-USER which has SELECT permission for a nickname

    I get an error message that the CONNECT-USER doesn't have the permission to SELECT from the nickname.

    The USER-MAPPING is set, so I have a mapping between the SESSION-USER and the REMOTE-USER.

    So the SESSION-USER has SELECT permission to the NICKNAME and there is a USER-MAPPING between SESSION-USER and REMOTE-USER, and I still get the error message that the CONNECT-USER doesn't have SELECT permission.

    If I give the CONNECT-USER the SELECT permission and create a USER-MAPPING to the REMOTE-USER, then it works. This shows me that the nickname doesn't look for the permissions of the SESSION-USER; it looks just for the permissions of the CONNECT-USER.

  • Guest
    Jul 15, 2019

    Hi Manfred,

    Thanks for your idea related to Db2 LUW.

    Could you please clarify which statement using nicknames is not behaving as expected?

    Thanks,

    Karthik Gopalakrishnan

    Offering Manager, IBM Db2
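
The setup described in the Jul 16, 2019 comment, written out as a Db2 script so the nickname authorization check can be verified on a given system. This is an added example, not code from the thread or from IBM; CONNUSER, REALUSER, REMSRV, FED.NICK1, APP.LOCAL_T1 and the remote credentials are hypothetical placeholders.

```sql
-- Constructed verification script. Hypothetical names:
--   CONNUSER     connect user (holds only CONNECT and SETSESSIONUSER)
--   REALUSER     session user (holds the data privileges)
--   REMSRV       existing federated server definition
--   FED.NICK1    existing nickname on REMSRV
--   APP.LOCAL_T1 existing local table, used as a control

-- 1. As a security/database administrator: privileges as described in the thread.
GRANT CONNECT ON DATABASE TO USER CONNUSER;
GRANT SETSESSIONUSER ON USER REALUSER TO USER CONNUSER;
GRANT SELECT ON APP.LOCAL_T1 TO USER REALUSER;
GRANT SELECT ON FED.NICK1 TO USER REALUSER;

-- User mapping exists only for the session user, not for the connect user.
CREATE USER MAPPING FOR REALUSER SERVER REMSRV
    OPTIONS (REMOTE_AUTHID 'remote_user', REMOTE_PASSWORD '<placeholder>');

-- 2. Record what is granted before testing, so the result can be interpreted.
--    CONNUSER should not appear in either result set.
SELECT GRANTEE, GRANTEETYPE, SELECTAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'FED' AND TABNAME = 'NICK1';

SELECT DISTINCT AUTHID, SERVERNAME
  FROM SYSCAT.USEROPTIONS
 WHERE SERVERNAME = 'REMSRV';

-- 3. In a new connection as CONNUSER: switch to the real user.
SET SESSION_USER = REALUSER;

-- 4. Confirm the switch: SYSTEM_USER stays CONNUSER, SESSION_USER is REALUSER.
VALUES (SYSTEM_USER, SESSION_USER);

-- 5. Control: local table. Authorization is checked against SESSION_USER,
--    so this succeeds even though CONNUSER has no SELECT privilege.
SELECT COUNT(*) FROM APP.LOCAL_T1;

-- 6. Test: nickname. If authorization follows SESSION_USER, this succeeds
--    like step 5. The behaviour reported in the thread is an authorization
--    error naming CONNUSER at this step.
SELECT COUNT(*) FROM FED.NICK1;
```

If step 6 only succeeds after granting SELECT and a user mapping to CONNUSER, every session user behind that connect user reaches the remote source with the connect user's privileges and mapping, so per-user grants on the nickname are not being enforced.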