db2中的securitylablelcomponentelements和securitylabels映射 [英] securitylablelcomponentelements and securitylabels mapping in db2

问题描述

DB2允许用户定义的LBAC安全策略。为了创建所需的标签和授权，我按照 here 。到现在为止还挺好。但是，检索这些政策是一个很大的麻烦。假设有人定义了这些策略，并没有保留其活动的备份。通过查看定义的组件和标签，似乎很难弄清楚做了什么。

我遇到的主要问题是：table syscat.securitylabelcomponentelements 保存一个定义的安全组件的元素的记录。 syscat.securitylabels 记录从这些组件元素创建的标签。我无法找到映射。有可能将一个组件元素命名为X，并将相应的标号命名为Y.存储的映射在哪里？那么锄头我知道标签Y来自元素X？

我找不到这个。有人可以帮我在这里吗？

请问，

Salil

解决方案

db2look 实用程序将提取所有LBAC组件的DDL，这应该很容易确定您要查找的结构。

  $ db2look -d sample -e 
 
  - 此CLP文件是使用DB2LOOK版本9.7创建的
  - 时间戳：2013年3月30日星期六11:21:34 MST 
  - 数据库名称：SAMPLE 
  - 数据库管理器版本：DB2 / LINUXX8664版本9.7.5 
  - 数据库代码页：1208 
  - 数据库整理顺序为：IDENTITY 
 
 
 CONNECT TO SAMPLE; 
 
 ------------------------------------------ ----------------- 
  -  DDL安全标签组件的声明ORG_DIVISIONS
 -------------- --------------------------------------------- 
 
 CREATE SECURITY LABEL COMPONENTORG_DIVISIONS
 TREE（'ORGANIZATION_ADMIN'ROOT，
'SALES'UNDER'ORGANIZATION_ADMIN'，
'RESEARCH'UNDER'ORGANIZATION_ADMIN'，
'制造商组织_ADMIN，
'MFM1'制造商'，
'MF_ENGG1'UNDER'MFM1'，
'RSM1'UNDER'RESEARCH'，
'RS_ENGG1' RSM1）; 
 
 ------------------------------------------ ---------------- 
  - 安全策略的DDL语句ORGANIZATION_POLICY
 ---------------- ------------------------------------------ 
 
 CREATE SECURITY POLICYORGANIZATION_POLICY
组件ORG_DIVISIONS
与DB2LBACRULES限制未授权的写保护标签; 
 
 
 ... 
  

DB2 allows user defined LBAC security policies. For creating the required labels and authorizations, I followed the steps provided here. So far so good. However, retrieving these policies is a big headache. Suppose, someone defined these policies and did not keep a backup of their activities. By looking at the defined components and labels, it seems to be quite hard to figure out what was done.

The main problem I am facing is this: table syscat.securitylabelcomponentelements keeps a record of the elements of the security components which one defined. syscat.securitylabels records the labels created from these component elements. I am unable to find the mapping though. It is possible that one named a component element as X, and named the corresponding label as Y. Where is the mapping stored? That is, hoe do I know that label Y is coming from element X?

I could not find this. Can someone please help me out here?

Regards,

Salil

解决方案

The db2look utility will extract the DDL for all of the LBAC components, which should make it pretty easy to determine the structure you are looking for.

$ db2look -d sample -e

-- This CLP file was created using DB2LOOK Version "9.7" 
-- Timestamp: Sat 30 Mar 2013 11:21:34 AM MST
-- Database Name: SAMPLE         
-- Database Manager Version: DB2/LINUXX8664 Version 9.7.5  
-- Database Codepage: 1208
-- Database Collating Sequence is: IDENTITY


CONNECT TO SAMPLE;

-----------------------------------------------------------
-- DDL Statements for Security Label Component "ORG_DIVISIONS"
-----------------------------------------------------------

CREATE SECURITY LABEL COMPONENT "ORG_DIVISIONS"
   TREE ('ORGANIZATION_ADMIN' ROOT,
     'SALES' UNDER 'ORGANIZATION_ADMIN',
     'RESEARCH' UNDER 'ORGANIZATION_ADMIN',
     'MANUFACTURING' UNDER 'ORGANIZATION_ADMIN',
     'MFM1' UNDER 'MANUFACTURING',
     'MF_ENGG1' UNDER 'MFM1',
     'RSM1' UNDER 'RESEARCH',
     'RS_ENGG1' UNDER 'RSM1');

----------------------------------------------------------
-- DDL Statements for Security Policy "ORGANIZATION_POLICY"
----------------------------------------------------------

CREATE SECURITY POLICY "ORGANIZATION_POLICY" 
   COMPONENTS "ORG_DIVISIONS"
   WITH DB2LBACRULES RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;


...

这篇关于db2中的securitylablelcomponentelements和securitylabels映射的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！