Security for DB2NSF involves security in Notes/Domino as well as in DB2.
There are security considerations to address both to move databases from
Domino to DB2 and to let users work with DB2NSF-enabled databases,
considerations that do not arise if you are not using DB2NSF.
Security for DB2NSF-enabled databases is more robust than plain NSF
security. With a normal NSF database, the security you have at your disposal
is the database ACL and possibly Readers fields. Once a database is moved
to DB2NSF, all of the NSF security settings remain in place, but additional
controls are added on the DB2 side. These include DB2 user names for all
users who are to use query views.
You can view the level of access that a particular user name has to
a DB2 database by opening the DB2 Control Center, right-clicking the
database and clicking Authorities.
You can run into problems when creating the DB2 database for the first
time, or when using query views, if your DB2 admin account does not have
the SECADM privilege. You can add this privilege in the Authorities dialog
by dropping down the SECADM menu in the bottom right corner and selecting
"Yes".
If you are using individual DB2 accounts for each user, each DB2
account will need to be in this authorities list with the correct access.
You can also use a default query view user to help simplify things.
Another security point to be aware of: the install/config notes state that
you must give the OS group you created for DB2 access (e.g. DB2DOM) SYSCTRL
access by adding this group to SYSCTRL_GROUP in the dbm cfg. What they do
not tell you is that you also need to give this group SYSADM access by
adding the group to SYSADM_GROUP in the dbm cfg.
You can add the OS group to SYSADM_GROUP by typing the following command
at the DB2 CLP:

    update dbm cfg using SYSADM_GROUP DB2DOM
When accessing a DAV (DB2 Access View) through DB2 (e.g. from the Control
Center), a reverse lookup is performed against the ACL of the database the
DAV resides in, to make sure that the OS account you are using to access
the data has the rights to do so. For example, suppose you are logged on to
the OS and using the DB2 Control Center as the user db2admin. To access data
in a DAV in a DB2-enabled Notes database, a user's person document must
specify db2admin as its associated DB2 Account Name. The reverse lookup
finds the person document that lists db2admin as its DB2 Account Name and
uses the name of the person whose document it finds when checking the
database ACL. For example, if it found the DB2 Account Name db2admin in
John Doe/Acme's person document, it would associate John Doe/Acme with
db2admin. Then, when checking the database ACL, it would verify that
John Doe/Acme has the appropriate rights to the data that db2admin is
attempting to access through the DB2 Control Center.
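The reverse lookup described above, as a small Python model added here (not Domino's or DB2's own code; the person documents, ACL entries and names are constructed). It shows an OS account resolving to a Notes name and then to an ACL level, and that an account with no person document, or one listed in more than one person document, resolves to no access; the case-insensitive account comparison is an assumption of this model.

```python
from typing import Optional

# Constructed sample person documents: Notes name -> DB2 Account Name field.
PERSON_DOCS = {
    "John Doe/Acme": "db2admin",
    "Jane Roe/Acme": "jroe",
    "Bob Lee/Acme": "",            # no DB2 account assigned
}

# Constructed sample ACL for one Notes database: Notes name -> access level.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
DATABASE_ACL = {
    "John Doe/Acme": "Editor",
    "Jane Roe/Acme": "No Access",
    "-Default-": "No Access",
}


def reverse_lookup(os_account: str, person_docs: dict) -> Optional[str]:
    """Return the Notes name whose person document lists os_account as its
    DB2 Account Name. Comparison is case-insensitive (model assumption).
    Returns None when no document, or more than one document, matches, so
    an unmapped or ambiguous OS account fails closed."""
    matches = [name for name, acct in person_docs.items()
               if acct and acct.lower() == os_account.lower()]
    return matches[0] if len(matches) == 1 else None


def effective_access(os_account: str, person_docs: dict, acl: dict,
                     minimum: str = "Reader"):
    """Resolve os_account to a Notes name, look that name up in the ACL
    (falling back to -Default-) and report (notes_name, level, allowed)."""
    notes_name = reverse_lookup(os_account, person_docs)
    if notes_name is None:
        return (None, "No Access", False)
    level = acl.get(notes_name, acl.get("-Default-", "No Access"))
    allowed = ACL_LEVELS.index(level) >= ACL_LEVELS.index(minimum)
    return (notes_name, level, allowed)


if __name__ == "__main__":
    for account in ("db2admin", "jroe", "nobody"):
        print(account, "->", effective_access(account, PERSON_DOCS, DATABASE_ACL))
```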