Configuring Role Separation (Optional)

Home | Previous Page | Next Page Preparing to Install Dynamic Server > Preliminary Tasks >

Configuring Role Separation (Optional)

Role separation provides checks and balances to improve the security of your event-auditing procedures. Event auditing tracks selected activities that users perform. With role separation enabled, members of different groups manage and examine these records to ensure additional security.

You must set up two roles to enable role separation:

Database System Security Officer (DBSSO): Controls what the auditing subsystem monitors and which actions performed by which users are logged
Auditing Analysis Officer (AAO): Controls whether auditing occurs, maintains the audit log files, and analyzes the audit records of those database activities that the DBSSO mandates to be audited

For audit purposes, you should establish one account for each individual who acts as a DBSSO or AAO. For example, DBSSO1 and DBSSO2 might be the account names for the DBSSO role and bertAAO and harryAAO might be the account names for the AAO role. In addition, all standard users should have separate account names.

By default, all user groups can access the database server. To access the database server, standard users must belong to one of the user groups. To restrict standard-user access to the database, create a special group. If you specify that group during the role-separation portion of database server installation, only members of that special group can access the database server.

To set up roles

Create the special administrative (DBSSO and AAO) groups with unique names; for example, ixdbsso and ixaao.
Create two users, the Database System Security Officer (DBSSO) and the Auditing Analysis Officer (AAO).
Do not use informix or root for the DBSSO and AAO account names.
Optionally, create a standard user group for allowing database access.
Set up standard user accounts and optionally add users to the standard user group created in the previous step.