Permission reduction scheme for the application binding account of the core trading system database
1. Existing problems in the core trading system database
For historical reasons, the application accounts of the core system have been allocated excessive permissions. At present, application personnel hold all permissions on the core database. This complicates database management and auditing and creates security risks, so the permissions need to be adjusted and optimized.
2. Goals after rectification and optimization
Ensure the controllability, security, and stability of the core system, and give the DBA fine-grained management capabilities over it.
3. Implementation steps
1. Log in to the core database server
2. Use the root account to add the following account:
mkuser db2bpkg
# The account must also be added on the backup machine, and its password must follow the corresponding specifications
3. Log in to the core system database server and use the db2inst1 account for authorization:
db2 connect to cbusdb
db2 grant connect on database to user db2bpkg
# Grant the account permission to connect
db2 grant bindadd on database to user db2bpkg
# Grant the account permission to create packages
db2 grant dataaccess on database to user db2bpkg
# Grant the account data access permissions, because the packages contain SQL and need permission to operate on data
# Minimize authorization so that the new account has only DML permissions and no longer has DDL permissions
db2 grant createin, alterin on schema db2inst1 to user db2bpkg
# Grant the account permission to create and modify packages in the db2inst1 schema
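An added check, not part of the original procedure: the script below compares the database authorities db2bpkg holds, directly or through groups and PUBLIC, against the three granted above. It assumes the Db2 table function SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID is available; the names fetch_auths and audit_auths and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag database authorities
# that db2bpkg holds beyond the three granted in the implementation steps.

# Authorities granted at database level by the implementation steps.
EXPECTED="CONNECT BINDADD DATAACCESS"

# Live source (assumes a current connection to cbusdb as db2inst1).
# The table function reports direct grants (D_USER) and authorities
# inherited through groups or PUBLIC (D_GROUP, D_PUBLIC).
SQL="select authority, d_user, d_group, d_public from table("
SQL="${SQL}sysproc.auth_list_authorities_for_authid('DB2BPKG','U')) as t"
fetch_auths() {
    db2 -x "$SQL"
}

# Read "AUTHORITY D_USER D_GROUP D_PUBLIC" rows on stdin and print one
# finding per line: EXTRA for an authority outside EXPECTED that is held
# through any path, MISSING for an expected one not granted directly.
audit_auths() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        NF >= 4 {
            via = ""
            if ($2 == "Y") via = via "user,"
            if ($3 == "Y") via = via "group,"
            if ($4 == "Y") via = via "public,"
            sub(/,$/, "", via)
            if (($1 in want) && $2 != "Y") print "MISSING " $1
            if (!($1 in want) && via != "") print "EXTRA " $1 " via " via
        }'
}

# Constructed sample rows (not captured from a real system).
SAMPLE='CONNECT Y N Y
BINDADD Y N Y
DATAACCESS Y N N
DBADM N N N
CREATETAB N N Y
IMPLICIT_SCHEMA N N Y
LOAD N N N'

# Offline demo; on the database server use: fetch_auths | audit_auths
printf '%s\n' "$SAMPLE" | audit_auths
```

An empty result means the account holds exactly the expected database authorities; schema-level privileges such as createin and alterin are not covered by this check.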
4. Business verification
1. For business verification during release verification, log in to the CICS application server;
2. Use the cbus account and switch to the bnd program path
cd /cbus/cboddb/bnd
3. Use the new account db2bpkg to perform the binding task of the application
db2 connect to cbusdb user db2bpkg using db2bpkg
db2 bind a.bnd action replace qualifier db2inst1
5. Emergency measures
1. If CICS cannot access the application package bound with the new account, use the db2inst1 account to rebind the application.
6. Rollback steps
1. Access the core database server and use the db2inst1 account to perform the following operations
db2 connect to cbusdb
db2 revoke connect on database from user db2bpkg
db2 revoke bindadd on database from user db2bpkg
db2 revoke dataaccess on database from user db2bpkg
db2 revoke createin, alterin on schema db2inst1 from user db2bpkg
2. Use root account to delete new account db2bpkg
userdel -r db2bpkg
#Repeat the above operations on the backup machine