Restrict user IDs to specific servers

[Arun Srini]

We have group of server IDs, and group of user IDs. We are trying to find the best way to restrict the server IDs(generic - like db2adm) to connect to the database only from that server and not from any user client(ID mismanagement).

One idea is to construct workload and disable them (using User ID/application name combination - like db2admin/toad.exe)

But since we don't have a list of allowed/disallowed 'database clients', it would not be all-encompassing. Also, since we have around 1000 users, creating workloads with address+System_user combination is also out of the window. The best bet is to create workload for each server ID+address combo, and in the end disable the sysdefaultworkload - alltogether. Not everyone is buying this idea as it seems too restrictive.

Is there any way at all to achieve what we are trying here - restrict an ID to set of addresses?

[bwmil...@gmail.com]

Arun -

You might try looking at this great article by Serge...

https://www.ibm.com/developerworks/community/blogs/SQLTips4DB2LUW/entry/logon_triggers_in_db2_kind_of136?lang=en

-B

[Ian]

On Friday, May 10, 2013 6:26:29 AM UTC-7, bwmil...@gmail.com wrote:

> You might try looking at this great article by Serge...
>
https://www.ibm.com/developerworks/community/blogs/SQLTips4DB2LUW/entry/logon_triggers_in_db2_kind_of136?lang=en
>

Right on. There was actually an article posted on dW just a few days ago that uses the CONNECT_PROC to do exactly what Arun is asking for:

http://www.ibm.com/developerworks/data/library/techarticle/dm-1305db2access/

[Arun Srini]

Yup. I've tested in some servers that has 9.7.5, but still blank on what to do in case of old servers. WLM would be the band-aid solution for now.
Thanks both for pointing me to the right direction.

Thanks
Arun