www.krengeltech.com

DB2WSE Authority Models



DB2WSE can use either of two separate authority models to determine the authority of a user to access a table. They are known as the System Authority Model (SAM) and the DB2WSE Authority Model (DAM). The authority model which is used is controlled by the USE_SYSTEM_AUTHORITY configuration value in table DB2WSECFG.


System Authority Model (SAM)

If DB2WSE is using SAM, a DB2WSE request must include a valid IBM i (AS/400, iSeries, System i) user name and password. DB2WSE uses system APIs to validate the user name and password and to check the authority of that user profile to the table. DB2WSE runs under that user profile while the request is being processed. DB2WSE profiles and authorities are not used for the request.


DB2WSE Authority Model (DAM)

If DB2WSE is using DAM, a DB2WSE request must include a user name and password that have previously been created with the CRTDWEPRF command. The authority of the profile to access the table is controlled by the authority previously created for the profile using the CRTDWEAUT command. DB2WSE will run under the QSYS user profile. The user name and password do not have to be a valid IBM i user profile. If the DEFAULT_PROFILE_ID configuration value is set to a value other than 0, then no user name/password need to be passed to DB2WSE, but the default profile will be used when checking table authorities.


Differences between DB2WSE Authority Models

Using SAM is easier to set up than using DAM, since there is no need to create DB2WSE profiles and authorities. However, each request includes a clear text user profile and password, so a request should not be saved for repeated use. Additionally, unless HTTPS is being used to communicate between the client and the IBM i, the user profile and password are sent unencrypted from the client to the IBM i. SAM works well in an environment where DB2WSE is used for ad-hoc queries and where the users already have the specific authority they need on the IBM i.

By contrast, if DAM is used, a finer control can be gained over the specific types of table access (read, update, write and delete) which are allowed for each user. Additionally, DB2WSE profiles can be created which have limited access to only a few tables, allowing them to be stored with the request and limiting the problems that could occur if they are discovered by unauthorized persons. If the DEFAULT_PROFILE_ID value is also used, then queries can be created which do not need to pass a user name and password at all.
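The following Python model, added here as an illustration and not DB2WSE's own code, walks through the authorization decision described in the sections above: the USE_SYSTEM_AUTHORITY setting selects the model, SAM requires system credentials and runs the request as that profile, and DAM resolves a DB2WSE profile (the supplied one, or the DEFAULT_PROFILE_ID one when no credentials are passed), runs as QSYS, and checks the per-table access type. All class and function names, the sample profiles, and the stand-in for the IBM i system checks are constructed assumptions, not product APIs.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the two DB2WSE authority models (SAM delegates to the
# operating system; DAM uses DB2WSE's own profiles and authorities).
# Every name in this file is hypothetical; none is a DB2WSE API.

ACCESS_TYPES = {"read", "update", "write", "delete"}


@dataclass
class Db2wseConfig:
    use_system_authority: bool   # models USE_SYSTEM_AUTHORITY in DB2WSECFG
    default_profile_id: int = 0  # models DEFAULT_PROFILE_ID; 0 means no default


@dataclass
class DamProfile:
    """A profile as created with CRTDWEPRF, with authorities from CRTDWEAUT."""
    profile_id: int
    name: str
    password: str
    authorities: Dict[str, Set[str]] = field(default_factory=dict)  # table -> access types


@dataclass
class Request:
    table: str
    access: str                  # one of ACCESS_TYPES
    user: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    run_as: Optional[str]        # profile the request would run under, if allowed
    reason: str


# Constructed stand-in for the IBM i user profiles and object authority that
# DB2WSE would query through system APIs under SAM.
SYSTEM_PROFILES = {"ALICE": "alice-pw"}
SYSTEM_TABLE_AUTHORITY = {"ALICE": {"MYLIB/CUSTOMERS"}}


def _password_ok(expected: str, supplied: Optional[str]) -> bool:
    # Constant-time comparison so the check itself does not leak timing.
    return supplied is not None and hmac.compare_digest(expected, supplied)


def sam_authorize(req: Request) -> Decision:
    """SAM: credentials are mandatory and must name a valid system profile."""
    if not req.user or req.password is None:
        return Decision(False, None, "SAM requires a user name and password")
    expected = SYSTEM_PROFILES.get(req.user)
    if expected is None or not _password_ok(expected, req.password):
        return Decision(False, None, "invalid system user name or password")
    if req.table not in SYSTEM_TABLE_AUTHORITY.get(req.user, set()):
        return Decision(False, None, "user profile has no authority to the table")
    # Under SAM the request runs under the caller's own profile.
    return Decision(True, req.user, "system authority granted")


def dam_authorize(cfg: Db2wseConfig, profiles: Dict[int, DamProfile], req: Request) -> Decision:
    """DAM: resolve a DB2WSE profile (supplied or default), then check the access type."""
    if req.access not in ACCESS_TYPES:
        return Decision(False, None, f"unknown access type {req.access!r}")
    if req.user:
        by_name = {p.name: p for p in profiles.values()}
        profile = by_name.get(req.user)
        if profile is None or not _password_ok(profile.password, req.password):
            return Decision(False, None, "invalid DB2WSE profile or password")
    elif cfg.default_profile_id != 0:
        profile = profiles.get(cfg.default_profile_id)
        if profile is None:
            return Decision(False, None, "DEFAULT_PROFILE_ID names no existing profile")
    else:
        return Decision(False, None, "DAM requires a profile and no default is configured")
    if req.access not in profile.authorities.get(req.table, set()):
        return Decision(False, None, f"profile {profile.name!r} lacks {req.access} on {req.table}")
    # Under DAM the request always runs under QSYS, whatever profile was used.
    return Decision(True, "QSYS", f"DB2WSE authority granted to profile {profile.name!r}")


def authorize(cfg: Db2wseConfig, profiles: Dict[int, DamProfile], req: Request) -> Decision:
    """Pick the model from the configuration value, as DB2WSECFG does."""
    return sam_authorize(req) if cfg.use_system_authority else dam_authorize(cfg, profiles, req)


# Constructed sample data: a reporting profile limited to reading one table.
SAMPLE_PROFILES = {
    7: DamProfile(7, "REPORTING", "report-pw", {"MYLIB/CUSTOMERS": {"read"}}),
}

if __name__ == "__main__":
    print(authorize(Db2wseConfig(True), {}, Request("MYLIB/CUSTOMERS", "read", "ALICE", "alice-pw")))
    print(authorize(Db2wseConfig(False, 7), SAMPLE_PROFILES, Request("MYLIB/CUSTOMERS", "read")))
    print(authorize(Db2wseConfig(False, 7), SAMPLE_PROFILES, Request("MYLIB/CUSTOMERS", "delete")))
```

The REPORTING profile shows the point made above about limiting exposure: even if its credentials are stored with a saved request and later discovered, the worst outcome is read access to MYLIB/CUSTOMERS, because the model denies every other access type and every other table. Setting default_profile_id to 7 lets the same saved request omit credentials entirely, with the same limits applying.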