Database isolation
The applications connected to a database require an isolated view of the database in the DBS environment.
-
Metadata isolation
-
User isolation
-
Resource isolation
import
, and
mxtool
are supported only for the SUPER.SUPER user in DBS environment.
Shared databases
-
Users of a shared database can grant DML privileges on objects or schemas to users of other databases.
-
Users of other databases can perform DML operations on objects in the shared database only after they are granted access privileges.
-
Users of other databases cannot perform DDL operations in their own database referring to objects in shared database, even if they hold DML access privileges on objects in the shared database.
Metadata isolation
-
DB_USERS
Users associated with the database and their association with the database privilege groups.
-
DB_PRIVILEGE_GROUPS
Privilege groups associated with the database.
-
DB_CPUS
CPUs associated with the database.
-
DB_DS
MXCS datasources associated with the database.
-
DB_STORAGE
Storage volumes assigned to the database.
-
DB_SCHEMAS
Schemas in the database.
-
SQLColumns
-
SQLPrimaryKeys
-
SQLStatistics
-
SQLForeignKeys
-
SQLTablePrivileges
-
SQLProcedureColumns
-
SQLGetTypeInfo
-
SQLSpecialColumns
-
SQLTables
-
SQLColumnPrivileges
-
SQLProcedure
User isolation
Database users
Database users are users with External Usernames and are associated with one or more databases in DBS environment. The DBS environment must be configured with Guardian groups, with each group containing 250 users. External Usernames created using DBS commands are associated with the Guardian users that are pre-created for DBS environment. The DBS features ensure that only those users that are associated with the database can establish connection to that database through ODBC/MX or JDBC/MX Type 4 interfaces.
Grantee in GRANT/REVOKE statements
-
A Guardian username or a Guardian privilege group cannot be specified as a grantee in the GRANT and REVOKE statements.
-
The users of a shared database can specify users or privilege groups of other database as grantee.
-
DB_PUBLIC, which is a substitute for current and future users associated with the database, can be a grantee. When DB_PUBLIC is used as grantee, the GRANT operation is equivalent to granting privileges to the implicit privilege group for all users of the database.
-
The users of a shared database can specify PUBLIC as a grantee.
-
When a database is shared, a user or a privilege group of other databases can be specified as a grantee and they can be granted only DML privileges.
Resource isolation
When a database is created, a set of data volumes is assigned to the database. Applications connected to a database can use the data volumes associated with the database in the DDL statements and SQL utility commands. The DBS resource isolation ensures that an application accessing a database can use only those volumes associated with the database. The default POS_NUM_OF_PARTNS is the number of data volumes associated with the database. The POS_LOCATIONS CQD is set to data volumes associated with the database. Applications accessing the database cannot modify these values. However, the applications can explicitly specify the partition specification attributes at the time of creating a table or an index. Data volumes that are not associated with the database cannot be used in DDL or syntax-based utility operations such as MODIFY.
Database connections
Applications can access a database only through ODBC/MX and JDBC T4 interfaces.
-
CATALOG
property in the connection string of the SQLDriverConnect API -
Catalog
option when creating a ODBC/MX client datasource
To connect to a database from JDBC applications, set the
serverDataSource
driver property to the datasource name associated with the database at connection time. If the
CATALOG
property is set, it must be set to the database catalog name. This property setting overrides the
serverDataSource
setting.
Access to the database
Applications accessing a database can execute DDL and DML statements, and syntax-based utility operations such as MODIFY, DUP, FASTCOPY and so on.
MXCS first authorizes and then authenticates the user accessing the database. At the connection time, MXCS first performs user authorization check to validate whether the user is associated with the database. Once authorization is successful, MXCS authenticates the user with the credentials supplied at connection time. Only when both authorization and authentication is successful, a connection is established with the database.
Users of a database cannot connect to a shared database. However, users can access objects in a shared database provided they have access privileges on the objects.
Statement and command access
A user of a database has an access level for that database: READ, WRITE, CREATE, or no access. This access level is assigned when the user is associated with the database, and can be upgraded or downgraded. The access level determines what the user can do with the database.
-
Users with CREATE access level on a database can execute DDL statements on that database.
-
Users who are not associated with a database cannot execute DDL statements on that database.
-
Users with READ, WRITE, or no access level on a database cannot execute DDL statements on that database.
-
User with CREATE access level on a database can create objects in the schemas of other users in that database. Such objects are created with the ownership of schema owner.
-
User with CREATE access level on a database can create schemas in that database.
-
Users with READ, WRITE, or CREATE access level in the database have corresponding DML access to the objects in the database. READ implies SELECT, EXECUTE, and USAGE privilege, WRITE additionally implies INSERT, UPDATE, and DELETE privilege. CREATE additionally implies ALL_DDL privileges.
-
Users who are not associated with the database have DML access to the objects in the shared databases, provided they have been granted access privileges on the objects.
-
Users with no access level in the database do not have DML access on the objects in the database. However, users with CREATE access level in the database can grant DML privileges to such users allowing access on specific objects.
For syntax-based utility commands:
-
Applications accessing the database can execute syntax-based utility commands. Each utility command requires specific DDL/DML privileges. Users executing the syntax-based utility commands must hold the privileges to execute the commands successfully. For information on individual syntax-based utilities, see the SQL/MX 3.5 Release Technical Update.
-
Users of other databases cannot execute syntax-based utility commands on the shared databases.
Restricted SQL Statements
The following statements are not available for applications accessing databases in DBS environment:
-
CREATE CATALOG
-
DROP CATALOG
-
GRANT CREATE CATALOG
-
INITIALIZE SQL
-
REVOKE CREATE CATALOG
-
REGISTER CATALOG
-
UNREGISTER CATALOG
-
UPGRADE/DOWNGRADE
-
GET NAMES OF RELATED CATALOGS
-
DROP SQL
-
GIVE
-
SET NAMETYPE