Informix

 View Only
  • 1.  How to set up DBSA role or equivalent

    Posted Wed July 03, 2024 02:07 PM

    Dear All,

    Informix 14 on Hp-Unix

    Need to restrict the usage of "INFORMIX" user Id by DBA's. Is DBSA role a good option and can someone help me with how to use it. I checked the documentation but could not figure out myself. 

    Regards,

    Vikas H



    ------------------------------
    Vikas H
    ------------------------------


  • 2.  RE: How to set up DBSA role or equivalent

    IBM Champion
    Posted Wed July 03, 2024 02:36 PM

    Vikas:

    The DBSA role is used to allow other user ids to do whatever user "informix" can do. 

    What is it you want to accomplish?

    Art



    ------------------------------
    Art S. Kagel, President and Principal Consultant
    ASK Database Management Corp.
    www.askdbmgt.com
    ------------------------------



  • 3.  RE: How to set up DBSA role or equivalent

    Posted Thu July 04, 2024 02:10 AM
    Dear Art,

    The current setup allows informix id to have unlimited access to the data. I want to revoke the informix access from the dba and give him only administrative access such that he can perform all the administrative tasks but cannot access any data using dbaccess. 

    The documentation suggests that I have to use one of onconfig parameter and mention the dba's user id against it and add that id to informix group (so I don't need to change oninit permissions). 

    Not sure if the dba's id in informix group and with dbsa role will still get the access to data in tables and will it be safe to start the instance with the dba's id and not with informix?

    Regards,
    Vikas Hivarkar 





  • 4.  RE: How to set up DBSA role or equivalent

    IBM Champion
    Posted Thu July 04, 2024 07:14 AM

    Vikas:

    OK, so to be clear, you do not want your DBAs to be able to become user "informix" so that they cannot query user databases, but you do want them to be able to start and stop the instance(s), run all onstat and other DBA utilities (ex: oncheck, onbar, ontape, onparams, onspaces, archecker, onpsm, etc.). Correct? 

    So, just add those user ids to group "informix" in the OS (assuming UNIX/Linux OS) and revoke connect permissions from those user ids and from the pseudo-user "public" on all user databases. That should do it. If you want to be paranoid you can also explicitly revoke any existing permissions from those ids and from "public" on every table in each user database.

    Note that the downside of this is that your DBAs will not be able to alter tables or indexes, create new tables and indexes, grant privileges to new users in those databases, etc. unless you grant them DBA privileges and if you do that, then any DBA who has evil intent can just grant privileges to themselves to access the data anyway.

    Honestly, I do not know of any site that does not allow DBAs to become "informix", at least by using sudo su ... Sites that are than protective of their data just turn auditing on instead so their security folk can see who has done what.

    Art



    ------------------------------
    Art S. Kagel, President and Principal Consultant
    ASK Database Management Corp.
    www.askdbmgt.com
    ------------------------------



  • 5.  RE: How to set up DBSA role or equivalent

    Posted Mon July 08, 2024 01:10 AM
    Thank you very much Art, You are the best!

    Yes, the compliance requirements need the informix access to revoked from the DBA's.

    I am going ahead with your suggestion in my test region with assumption that with the user id in informix group and dbsa role will be able to perform all the administrative tasks.

    Regards,
    Vikas Hivarkar

    You

    On Thu, 4 Jul 2024 at 11:40 AM, vicky h <vikas.hivarkar@gmail.com> wrote:
    Dear Art,

    The current setup allows informix id to have unlimited access to the data. I want to revoke the informix access from the dba and give him only administrative access such that he can perform all the administrative tasks but cannot access any data using dbaccess. 

    The documentation suggests that I have to use one of onconfig parameter and mention the dba's user id against it and add that id to informix group (so I don't need to change oninit permissions). 

    Not sure if the dba's id in informix group and with dbsa role will still get the access to data in tables and will it be safe to start the instance with the dba's id and not with informix?

    Regards,
    Vikas Hivarkar