Table of Contents

Search

  1. Preface
  2. Introduction to Dynamic Data Masking Administration
  3. Authentication
  4. Security
  5. Connection Management
  6. JDBC Client Configuration
  7. ODBC Client Configuration
  8. Access Control
  9. Logs
  10. High Availability
  11. Server Control
  12. Performance Tuning
  13. Troubleshooting
  14. Appendix A: Database Keywords

Administrator Guide

Administrator Guide

IBM Db2 Dynamic Data Masking Administrator Required Privileges

IBM Db2 Dynamic Data Masking Administrator Required Privileges

The Dynamic Data Masking administrator must have privileges to access sensitive tables and columns.
Use the IBM Db2 Control Center to create a privileged database user, <DDM Admin>, that corresponds to an administrator user on your operating system or a standard user on your operating system.
If <DDM Admin> corresponds to an administrator user on your operating system, you do not need to grant the user additional privileges.
If <DDM Admin> corresponds to a standard user on your operating system, the user must have SYSMON authorization or higher. If you use the encrypted password option, you must also run the following commands:
  • GRANT SELECT ON SYSIBMADM.SNAPAPPL_INFO TO <DDM Admin>
  • GRANT EXECTUE ON SYSPROC.SNAPAPPL_INFO_V9 TO <DDM Admin>
If you use the encrypted password option and an ODBC driver, <DDM Admin> must be able to access the SYSIBMADM.SNAPAPPL_INFO database table.

Additional Privilege for SELECT * Statements

If your Dynamic Data Masking security rules need to support column masking on SELECT * statements, you must run the following command:
GRANT SETSESSIONUSER ON PUBLIC TO <DDM Admin>
Alternatively, you can run the following commands:
  • GRANT SELECT ON <table being queried> TO <DDM Admin>
  • GRANT EXECUTE ON <user-defined function used in a PL/SQL action or stored program object> TO <DDM Admin>

0 COMMENTS

We’d like to hear from you!