Join IIUG
 for   
 

Informix News
18 Nov 13 - ZDNet - Top 20 mobile skills in demand... Read
09 Sep 13 - telecompaper - Shaspa and Tatung have shown a new smart home platform at Ifa in Berlin. Powered by the IBM Informix software... Read
06 Sep 13 - IBM data magazine - Mission Accomplished - Miami, Florida will be the backdrop for the 2014 IIUG Informix Conference... Read
01 Feb 13 - IBM Data Magazine - Are your database backups safe? Lester Knutsen (IBM Champion) writes about database back up safety using "archecker"... Read
14 Nov 12 - IBM - IBM's Big Data For Smart Grid Goes Live In Texas... Read
3 Oct 12 - The Financial - IBM and TransWorks Collaborate to Help Louisiana-Pacific Corporation Achieve Supply Chain Efficiency... Read
28 Aug 12 - techCLOUD9 - Splunk kicks up a SaaS Storm... Read
10 Aug 12 - businessCLOUD9 - Is this the other half of Cloud monitoring?... Read
3 Aug 12 - IBM data management - Supercharging the data warehouse while keeping costs down IBM Informix Warehouse Accelerator (IWA) delivers superior performance for in-memory analytics processing... Read
2 Aug 12 - channelbiz - Oninit Group launches Pay Per Pulse cloud-based service... Read
28 May 12 - Bloor - David Norfolk on the recent Informix benchmark "pretty impressive results"... Read
23 May 12 - DBTA - Informix Genero: A Way to Modernize Informix 4GL Applications... Read
9 Apr 12 - Mastering Data Management - Upping the Informix Ante: Advanced Data Tools... Read
22 Mar 12 - developerWorks - Optimizing Informix database access... Read
14 Mar 12 - BernieSpang.com - International Informix User Group set to meet in San Diego... Read
1 Mar 12 - IBM Data Management - IIUG Heads West for 2012 - Get ready for sun and sand in San Diego... Read
1 Mar 12 - IBM Data Management - Running Informix on Solid-State Drives.Speed Up Database Access... Read
26 Feb 12 - BernieSpan.com - Better results, lower cost for a broad set of new IBM clients and partners... Read
24 Feb 12 - developerWorks - Informix Warehouse Accelerator: Continuous Acceleration during Data Refresh... Read
6 Feb 12 - PRLOG - Informix port delivers unlimited database scalability for popular SaaS application ... Read
2 Feb 12 - developerWorks - Loading data with the IBM Informix TimeSeries Plug-in for Data Studio... Read
1 Feb 12 - developerWorks - 100 Tech Tips, #47: Log-in to Fix Central... Read
13 Jan 12 - MC Press online - Informix Dynamic Server Entices New Users with Free Production Edition ... Read
11 Jan 12 - Computerworld - Ecologic Analytics and Landis+Gyr -- Suitors Decide to Tie the Knot... Read
9 Jan 12 - planetIDS.com - DNS impact on Informix / Impacto do DNS no Informix... Read
8 Sep 11 - TMCnet.com - IBM Offers Database Solution to Enable Smart Meter Data Capture... Read
1 Aug 11 - IBM Data Management Magazine - IIUG user view: Happy 10th anniversary to IBM and Informix... Read
8 Jul 11 - Database Trends and Applications - Managing Time Series Data with Informix... Read
31 May 11 - Smart Grid - The meter data management pitfall utilities are overlooking... Read
27 May 11 - IBM Data Management Magazine - IIUG user view: Big data, big time ( Series data, warehouse acceleration, and 4GLs )... Read
16 May 11 - Business Wire - HiT Software Announces DBMoto for Enterprise Integration, Adds Informix. Log-based Change Data Capture... Read
21 Mar 11 - Yahoo! Finance - IBM and Cable&Wireless Worldwide Announce UK Smart Energy Cloud... Read
14 Mar 11 - MarketWatch - Fuzzy Logix and IBM Unveil In-Database Analytics for IBM Informix... Read
11 Mar 11 - InvestorPlace - It's Time to Give IBM Props: How many tech stocks are up 53% since the dot-com boom?... Read
9 Mar 11 - DBTA - Database Administration and the Goal of Diminishing Downtime... Read
2 Feb 11 - DBTAs - Informix 11.7 Flexible Grid Provides a Different Way of Looking at Database Servers... Read
27 Jan 11 - exactsolutions - Exact to Add Informix Support to Database Replay, SQL Monitoring Solutions... Read
25 Jan 11 - PR Newswire - Bank of China in the UK Works With IBM to Become a Smarter, Greener Bank... Read
12 Oct 10 - Database Trends and Applications - Informix 11.7: The Beginning of the Next Decade of IBM Informix... Read
20 Sep 10 - planetIDS.com - ITG analyst paper: Cost/Benefit case for IBM Informix as compared to Microsoft SQL Server... Read
20 Jul 10 - IBM Announcements - IBM Informix Choice Edition V11.50 helps deploy low-cost scalable and reliable solutions for Apple Macintosh and Microsoft Windows... Read
20 Jul 10 - IBM Announcements - Software withdrawal: Elite Support for Informix Ultimate-C Edition... Read
24 May 10 - eWeek Europe - IBM Supplies Database Tech For EU Smart Grid... Read
23 May 10 - SiliconIndia - IBM's smart metering system allows wise use of energy... Read
21 May 10 - CNET - IBM to help people monitor energy use... Read
20 May 10 - ebiz - IBM Teams With Hildebrand To Bring Smart Metering To Homes Across Britain... Read
19 May 10 - The New Blog Times - Misurare il consumo energetico: DEHEMS è pronto... Read
19 May 10 - ZDNet - IBM software in your home? Pact enables five-city smart meter pilot in Europe... Read
17 March 10 - ZDNet (blog) David Morgenstern - TCO: New research finds Macs in the enterprise easier, cheaper to manage than... Read
17 March 2010 - Virtualization Review - ...key components of Big Blue's platform to the commercial cloud such as its WebSphere suite of application ser vers and its DB2 and Informix databases... Read
10 February 2010 - The Wall Street Journal - International Business Machines is expanding an initiative to win over students and professors on its products. How do they lure the college crowd?... Read

End of Support Dates
IDS 11.10 - 30 Sep 2012
Subscribe to notifications

IIUG on Facebook IIUG on Twitter

[ View Thread ] [ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum

Re: Roles X remote database

Posted By: Fernando Nunes
Date: Thursday, 29 November 2012, at 7:35 p.m.

In Response To: Re: Roles X remote database (Cesar Inacio Martins)

Cutting the story short... I'd vote for some kind of "I'm the only DBA
around, let Informix trust me" kind of configuration.
With this in mind, I'd like to have:

- Roles at the instance level (at least)
- Roles across instances
- Cross database/instances operations inside a trusted context

Problem is the usual... I can't put a business case around this and R&D
priorities don't seem to go my way :)

Regarding 11.70.FC6. Great...Although strange...
Regards.

On Fri, Nov 30, 2012 at 12:25 AM, Cesar Inacio Martins <
cesar_inacio_martins@yahoo.com.br> wrote:

> Hi Fernando,
>
> So, I agree (partially) and I understand all this "paranoic" with
> security , however looking from other point we are working here over a
> unique environment where the DBA team are responsible for all databases
> and already have a "controlled" environment over other layers
> (SO/servers). So , the security is already applied over "who access
> what"....
> This way , your theory about the "bad" DBA should not be considered...
> if the case... we already all f***** because they already have grant to
> all.
> (just a note, isn't my case OK... I'm a very good, responsible and nice
> DBA :)
>
> I don't agree the IBM Informix impose security rules over business rules
> to any company what choose work with Informix... if someone mess
> something or do a poor configuration this isn't fault of Informix.
> Off course , the security should be relative strong over as default
> installation (let's default values over say onconfig.std) ,but with
> option to us apply that what make sense for our environment. Just like
> today , we aren't forced to use "role separation" when we install and
> configure Informix !
>
> Develop procedures to execute the updates will make close of unfeasible
> the development process today. We need create facilities (with
> responsibility) instead of include more overhead and steps to our
> developers and DBAs.
> ....and create a new point of failure to our system....
>
> Well... I will open a PMR asking for this as new feature...
>
> I don't know why , when I sent this , I already imagine a answer from
> you incoming....:)
>
> Changing the subject... This week I update our DW test environment with
> engine to 11.70 FC6 and we execute partially our batch of tests with
> Pentaho... all works!! :)
> No syntax error, no AFs .... now the problem is the pentaho.... :S
>
> Regards
> Cesar
>
> On 29/11/2012 21:12, Fernando Nunes wrote:
> > On Wed, Nov 28, 2012 at 7:34 PM, Cesar Inacio Martins <
> > cesar_inacio_martins@yahoo.com.br> wrote:
> >
> >> Hi ,
> >>
> >> Ifx 11.50 FC9X6 , AIX 6.1
> >>
> >> We have two databasesatour system, where we work using ROLEs to manage
> >> the users .
> >> Today we have a security problem , which is caused by an IBM Security
> >> reason (looks like a Paradox...)
> >>
> > Nice topic...
> >
> >> The problem :
> >> We have the user X , databases A, B and the roles "role_full" and
> >> "role_read" (into both databases).
> >> where :
> >> - Role_full : grant of select,update,insert,delete over all tables.
> >>
> >> - Role_read :grant of selectover all tables.
> >>
> >> The user X have grant for both roles into both databases and:
> >> grant default rolerole_full into database A
> >> grant default rolerole_read into database B
> >>
> >> If they connect into database A and tryexecute an "update B:table_xyz" ,
> >> got "don't have permission".
> >> This is appear working as design , check IBM documentation :
> >>
> >>
> >>
> >
>
> http://publib.boulder.ibm.com/infocenter/idshelp/v117/topic/com.ibm.ddi.doc/ids_ddi_051.htm
> >> .
> >>
> >>
> > It is.
> >
> >> Our problem is :
> >> - Any access with user X over the database B should be "read only" ,
> >> except if they working with role_full.
> >> - Our system was design to user X use the role_full only when connect
> >> over database A.
> >> - To able user X update few tables of database B, we need to give
> >> explicit permissions to user, making useless the roles set as defaul
> >> (role_read).
> >>
> >> Anyone imagine some workaround for this situation?
> >>
> > See the end...
> >
> >> There is some "underground" parameter to enable active roles"migrate" to
> >> remote databases access ?
> >>
> >> Not that I know of...
> >> We have Oracle here and works fine with similar configuration.... (the
> >> role active "migrate" to remote database , what is a remote instance)
> >> At our point of view , the way what Informix works, isn't secure.
> >>
> > Disagree. The way Informix works is secure, but anoying.
> > What you're doing in Oracle isn't secure... A DBA in database A can gain
> > escalated privileges in database B, just by knowing the remote roles, and
> > creating users/roles that match and as such gaining excessive privileges
> on
> > the remote database (unless of course there is more to it, than you
> > mentioned). I don't think this is safer than what Informix does... In
> fact,
> > if you take some time to read about "owner mode" vs "restricted mode"
> > procedures (I have an article about this), you'll see how "paranoid" we
> are
> > regarding remote operations.
> > This is also the root cause for another annoying thing... this time
> > regarding trusted context... try to use it in a system with several
> > databases and you'll see the limitations... once you change your identity
> > you can't do "remote" (even if remote means same instance) operations.
> And
> > I fought for this without success...
> >
> > Now that I defended the honor of Informix (feel free to tell me I'm
> wrong)
> > the main question still holds: How the hell are you able to do what you
> > want... I don't have a good answer...
> > You may consider doing those remote updates through a stored procedure
> > owned by a privilege user (one with the needed privileges in the remote
> > database). But if you have too many queries or ad-hoc requirements this
> may
> > not fit your needs.
> >
> >> Regards
> >> Cesar
> >>
> >> Cumprimentos César. É bom ver posts seus!
>
>
>
> *******************************************************************************
> Forum Note: Use "Reply" to post a response in the discussion forum.
>
>

--
Fernando Nunes
Portugal

http://informix-technology.blogspot.com
My email works... but I don't check it frequently...

--047d7b678864d77fc004cfab9185

Messages In This Thread

[ View Thread ] [ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum is maintained by Administrator with WebBBS 5.12.