IBM Data and AI Ideas Portal for Customers



Status Delivered
Workspace Db2
Components Federation Security
Created by Guest
Created on Jul 8, 2019

Nickname using session_user

Nicknames ignore the permissions of the session_user; they just check the permissions of the connect user.

In our Db2 security system we connect to the database with a CONNECT_USER.
After a successful connection, the connect user does a SET SESSION_USER with the real user ID.
If this user ID is not an active user in our security system, this command raises an error and the application revokes the access.
If the user is an active user in our security system, the SET SESSION_USER switches to the user ID of the real user.

This works fine, except for nicknames: they don't check the permissions of the session_user, they just check the permissions of the connect_user.

Needed by Date Sep 15, 2019
  • Guest
    Apr 29, 2020

    Hello

    I want to make it more clear.
    You think that this is an enhancement for DB2.
    But it is not an enhancement, it is a bug. A real big bug.

    A lot of IBM managers and also IBM developers agreed with me that this is a bug.
    And until now I thought that IBM is interested in fixing bugs as soon as possible.
    But now I hear that it will be under future consideration.

    I think you really should rethink this decision.

    If you have any additional questions, don't hesitate to contact me.

    Thanks in advance, and I hope to get a positive feedback on this mail.
    Manfred WAGNER
    Statistik Austria

    From: IBM (Shruthi Subbaiah Machimada) [mailto:22e6f8ded7c51a6345005542-bigblue@iad-prod1.mailer.aha.io]
    Sent: Tuesday, April 28, 2020 19:46
    To: WAGNER Manfred
    Subject: Nickname using session_user status has changed to Future Consideration

  • Guest
    Jul 16, 2019

    Hello Karthik

    Simple SELECT statements do not work as expected.

    If I connect to the database with a CONNECT-USER which has only the permissions for CONNECT and SETSESSIONUSER and no other permission, then after the SET SESSION_USER statement to a so-called SESSION-USER which has SELECT permission for a nickname, I get an error message that the CONNECT-USER doesn't have the permission to SELECT from the nickname.

    The USER-MAPPING is set, so I have a mapping between the SESSION-USER and the REMOTE-USER.

    So the SESSION-USER has SELECT permission on the NICKNAME and there is a USER-MAPPING between SESSION-USER and REMOTE-USER, and I still get the error message that the CONNECT-USER doesn't have SELECT permission.

    If I give the CONNECT-USER the SELECT permission and create a USER-MAPPING to the REMOTE-USER, then it works. This shows me that the nickname doesn't look at the permissions of the SESSION-USER; it looks just at the permissions of the CONNECT-USER.
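
The scenario from the Jul 16, 2019 comment, written out as a check an administrator can run against their own Db2 level. This is an added example, not code from the original poster or from IBM; the authorization IDs `APPCONN` and `ALICE`, the server `REMOTE_SRV`, the nickname `APP.ORDERS_NN` and the remote credentials are hypothetical placeholders.

```sql
-- Added example: all object and user names are hypothetical placeholders.
-- Part 1: run as an administrator (assumed to hold SECADM and DBADM).

-- The connect user may only connect and switch identity.
GRANT CONNECT ON DATABASE TO USER APPCONN;
GRANT SETSESSIONUSER ON USER ALICE TO USER APPCONN;

-- The real user holds the nickname privilege and the user mapping.
GRANT SELECT ON APP.ORDERS_NN TO USER ALICE;
CREATE USER MAPPING FOR ALICE SERVER REMOTE_SRV
  OPTIONS (REMOTE_AUTHID 'remote_alice', REMOTE_PASSWORD '<placeholder>');

-- Confirm the connect user really has nothing on the nickname:
-- both queries should return zero rows for APPCONN.
SELECT GRANTEE, SELECTAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'APP' AND TABNAME = 'ORDERS_NN'
   AND GRANTEE = 'APPCONN';

SELECT AUTHID, SERVERNAME, OPTION
  FROM SYSCAT.USEROPTIONS
 WHERE SERVERNAME = 'REMOTE_SRV' AND AUTHID = 'APPCONN';

-- Part 2: open a new connection as APPCONN, then run the following.

-- Switch to the real user, as the application does after login.
SET SESSION_USER = ALICE;

-- SYSTEM_USER stays APPCONN; SESSION_USER should now be ALICE.
VALUES (SYSTEM_USER, SESSION_USER);

-- The statement under test. With the behaviour reported on this page,
-- it fails with an authorization error naming APPCONN; where the
-- session user is honoured for nicknames, it succeeds using ALICE's
-- privilege and ALICE's user mapping.
SELECT COUNT(*) FROM APP.ORDERS_NN;
```

Keep the two catalog queries in the check: if either returns a row for the connect user, a successful SELECT proves nothing about which identity the nickname authorization used.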

  • Guest
    Jul 15, 2019

    Hi Manfred,

    Thanks for your idea related to Db2 LUW.

    Could you please clarify which statement using nicknames is not behaving as expected?

    Thanks,

    Karthik Gopalakrishnan

    Offering Manager, IBM Db2