Role separation is a database server option that allows users to perform different administrative tasks. Role separation is based on the principle of separation of duties, which reduces security risks with a checks-and-balances mechanism in the system. For example, the person who determines what to audit (DBSSO) should be different from the person who monitors the audit trail (AAO), and both should be different from the person who is responsible for the operations of the database server (the DBSA).
This section provides general guidelines on how to assign people to accounts and give them access to perform roles. These guidelines should be amended to fit the resources and security policies of your site.
For example, if you have multiple users who perform the DBSA role, have each person work from a separate account. Establish a one-to-one mapping between accounts and users to make it easier to trace audit events to a single user.
The DBSA and DBSSO accounts can compromise the security of the database server. Limit the number of accounts that can disrupt the database server to lower the chance that an unscrupulous user can abuse a privileged account.
You might not have the resources or see the need to have different users perform the DBSA and DBSSO roles, nor does Dynamic Server strictly require this role separation. When you keep the DBSA and DBSSO roles separate, however, you constrain them to perform only those tasks that their duties specify and limit the risk of compromising security.
The AAO determines whether to audit all DBSA or DBSSO actions in the system. It is essential that someone with a role different from that of the DBSA or DBSSO be in charge of auditing configuration, so that all users, including the DBSA and DBSSO, are held accountable for their actions in the system. This constrains users to perform only those tasks that their duties specify and limits the risk of compromising security.
The DBSA, or the person who installs the database server, enforces role separation and decides which users will be the DBSSO and AAO. To find the group for the DBSA, DBSSO, or AAO, look at the appropriate subdirectory of $INFORMIXDIR on UNIX or %INFORMIXDIR% on Windows.
On Windows, role separation is configured only during installation. On UNIX, you normally configure role separation during installation, but you can also configure it after the installation is complete or after the database server is configured. The OSA who installs the software enforces role separation, and decides which users (Windows) or groups (UNIX) will be the DBSSO and AAO. On UNIX, the group that owns $INFORMIXDIR/aaodir is the AAO group; the group that owns $INFORMIXDIR/dbssodir is the DBSSO group. By default, group informix is the DBSSO, AAO, and DBSA group.
If you use the InstallShield MultiPlatform (ISMP) installer in GUI or terminal mode to install the database software, you will be asked if you want to configure role separation. If instead you use the scripted bundle installer, then the environment variable INF_ROLE_SEP controls whether you will be asked to set up separate roles. If the INF_ROLE_SEP environment variable exists (with or without a value) role separation is enabled and you will be asked to specify the DBSSO and AAO groups. (You will not be asked about the DBSA group.) If the INF_ROLE_SEP environment variable is not set, then the default group informix is used for all these roles.
You do not need to set INF_ROLE_SEP to a value to enable role separation. For example, in a C shell, issuing setenv INF_ROLE_SEP is sufficient.
After the installation is complete, INF_ROLE_SEP has no effect. You can establish role separation manually by changing the group that owns the aaodir, dbssodir, or etc directories. You can disable role separation by resetting the group that owns these directories to informix. You can have role separation enabled for the AAO without having role separation enabled for the DBSSO.
Role separation control is through the following group memberships:
The ls -lg UNIX command produces the output that Figure 5 shows.
total 14 drwxrwx--- 2 informix ix_aao 512 Nov 21 09:56 aaodir/ drwxr-xr-x 2 informix informix 1536 Nov 30 18:35 bin/ drwxrwx--- 2 informix ix_dbsso 512 Nov 30 10:54 dbssodir/ drwxr-xr-x 10 informix informix 512 Nov 21 09:55 demo/ drwxrwxr-x 2 informix informix 1024 Nov 30 11:37 etc/ . . .
In Figure 5, the AAO belongs to the group ix_aao, the DBSSO belongs to the group ix_dbsso, and the DBSA belongs to the group informix.
Users must belong to the correct group to access the database server. To find the group for database users, you must look at the contents of the $INFORMIXDIR/dbssodir/seccfg file. For example, the contents of a typical seccfg file might be IXUSERS=*. This group setting means that all users are allowed to connect to the database server. If the file contains a specific name such as IXUSERS=engineer, then only members of the group engineer can gain access to the database server.
For Windows, role separation control is through the Role Separation dialog box, which appears during installation, and through registry settings. If the Enable Role Separation check box is checked in the Role Separation dialog box, the DBSA can specify different roles.
For more information on environment variables, see the IBM Informix: Guide to SQL Reference. For more information on configuring role separation, see your IBM Informix: Administrator's Guide.
Home | [ Top of Page | Previous Page | Next Page | Contents | Index ]