Mapped users (UNIX, Linux)

The DBSA can configure the server to allow database access by external users. External users attempting to connect through Kerberos single sign-on (SSO), a Pluggable Authentication Module (PAM), or internal authentication can be mapped to an OS-level profile for processing connection requests.

Sometimes running an SQL statement requires the database server to interact with the OS, typically to read or write a file or to run a program through the SPL SYSTEM statement. When such interaction is required, the database server must have OS credentials under which to manage the file or run the program.

Users can be mapped to one of the following surrogate user identities:

  • A UID and GID pair defined in the database server
  • An existing OS user account on the database server host computer

After a user authenticates, whenever the database server interacts with the OS on behalf of that user, it uses the surrogate user properties specified by the user mapping. The simplest mapping is identity mapping, in which the user name maps directly to the OS properties of the user with the same name. If you are the OS administrator, you can use the /etc/onedb/allowed.surrogates file to restrict which surrogate users and groups can be used, so that mapped users are not granted owner access to sensitive systems such as databases, print spoolers, email, or the operating system itself.

Note: The allowed.surrogates file is not used or read by non-root installations of the database server, because the database server does not perform operations or run commands as the user who started the session.
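
As an added example that is not part of this page or of the database server's own tooling, the following POSIX shell script audits an allowed.surrogates file for the mistake the paragraph above warns about: a surrogate that resolves to UID or GID 0, to the database server's own owner account (assumed here to be named informix), or to an account that does not exist on the host, plus a check that USERMAPPING is actually set in the onconfig file. The file layout it parses (USERS: and GROUPS: lines with comma-separated names, numeric IDs or numeric ranges, with # comments) and the onconfig layout (whitespace-separated PARAMETER value lines) are assumptions to verify against your server's documentation; the passwd, group, onconfig and surrogates files it runs against are constructed inline.

```shell
#!/bin/sh
# Added audit for an allowed.surrogates file (example, not the server's own code).
# Flags surrogate entries that would give a mapped user root identity or the
# database server owner's identity, or that do not exist on the host at all.
# Assumed file format (check against your server's documentation):
#   USERS:<name|uid|low-high>[,...]
#   GROUPS:<name|gid|low-high>[,...]
#   '#' starts a comment; surrounding whitespace is ignored.

# resolve_id ENTRY DBFILE: map a name or numeric id to a numeric id using a
# passwd- or group-format file (name in field 1, id in field 3).
# Prints nothing for a name that is not in the file.
resolve_id() {
  case "$1" in
    *[!0-9]*) awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2" ;;
    *)        printf '%s\n' "$1" ;;
  esac
}

# list_findings ALLOWED PASSWD GROUP [DBOWNER]: one finding per line, nothing if clean.
list_findings() {
  allowed=$1 passwd=$2 group=$3 dbowner=${4:-informix}
  owner_uid=$(resolve_id "$dbowner" "$passwd")
  # Strip comments and blank lines, then emit one "KIND ITEM" pair per line.
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$allowed" |
  awk -F: '{ gsub(/[[:space:]]/, ""); n = split($2, a, ",")
             for (i = 1; i <= n; i++) print toupper($1), a[i] }' |
  while read -r kind item; do
    case "$kind" in
      USERS)  dbfile=$passwd ;;
      GROUPS) dbfile=$group ;;
      *)      echo "unrecognised entry kind '$kind'"; continue ;;
    esac
    case "$item" in
      [0-9]*-[0-9]*)   # numeric range: dangerous when it starts at id 0
        [ "${item%-*}" -eq 0 ] 2>/dev/null && echo "$kind range $item includes id 0"
        continue ;;
    esac
    id=$(resolve_id "$item" "$dbfile")
    if [ -z "$id" ]; then
      echo "$kind entry '$item' does not exist in $dbfile"
    elif [ "$id" -eq 0 ]; then
      echo "$kind entry '$item' resolves to id 0 (root)"
    elif [ "$kind" = USERS ] && [ -n "$owner_uid" ] && [ "$id" -eq "$owner_uid" ]; then
      echo "USERS entry '$item' is the database server owner account ($dbowner)"
    fi
  done
}

# audit_surrogates ALLOWED PASSWD GROUP [DBOWNER]: print findings; return 1 if any.
audit_surrogates() {
  findings=$(list_findings "$@")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# usermapping_mode ONCONFIG: print the USERMAPPING value from an onconfig file
# (assumed "PARAMETER value" lines), or "unset" if absent. Mapped users only
# work when this is BASIC or ADMIN.
usermapping_mode() {
  awk '$1 == "USERMAPPING" { v = toupper($2) } END { print (v == "" ? "unset" : v) }' "$1"
}

# make_sample: write constructed passwd, group, onconfig and allowed.surrogates
# files (not taken from any real host) into a temp dir and print its path.
make_sample() {
  d=$(mktemp -d)
  printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'informix:x:200:200:server owner:/opt/onedb:/bin/sh' \
    'ifxsurr:x:1001:1001:surrogate:/home/ifxsurr:/bin/sh' > "$d/passwd"
  printf '%s\n' 'root:x:0:' 'informix:x:200:' 'ifxusers:x:1001:' > "$d/group"
  printf '%s\n' '# surrogates permitted for mapped users' \
    'USERS: ifxsurr, root, informix, nosuchuser, 0-100' \
    'GROUPS:ifxusers,0,wheel' > "$d/allowed.surrogates"
  printf '%s\n' 'USERMAPPING BASIC' 'DBSERVERNAME demo' > "$d/onconfig"
  printf '%s\n' "$d"
}

# Stand-alone run against the constructed sample; on a real host pass
# /etc/onedb/allowed.surrogates, /etc/passwd, /etc/group and the server owner.
sample=$(make_sample)
echo "USERMAPPING is $(usermapping_mode "$sample/onconfig")"
audit_surrogates "$sample/allowed.surrogates" "$sample/passwd" "$sample/group" informix ||
  echo "audit found problems; fix the entries above before enabling mapped users"
```

Only the ifxsurr user and ifxusers group pass in the sample: root and the numeric 0 resolve to id 0, the range 0-100 contains id 0, informix is the server owner account, and nosuchuser and wheel do not exist on the host, so the mapping would either fail or hand the mapped user an identity it should never have.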

The CREATE USER and GRANT ACCESS TO PROPERTIES statements can create complex mappings of surrogate properties, including:
  • user ID
  • user name
  • surrogate groups
  • home directory
  • authorization privilege (DBSA, DBSSO, AAO, or BARGROUP)

The CREATE USER and ALTER USER statements associate OS-level privileges with a user by mapping the user to OS properties and storing this information in a series of system catalog tables.

Mapped users can connect through DB-Access. After a DBSA sets the USERMAPPING configuration parameter in the onconfig file and maps externally authenticated users to surrogate properties in tables of the SYSUSER database, mapped users can connect to the database server without a local OS account.

To enable mapped users, set the USERMAPPING configuration parameter to either BASIC or ADMIN.

After you set the USERMAPPING configuration parameter to BASIC or ADMIN, you can use the following DDL operations on mapped users:
  • ALTER USER
  • CREATE USER
  • DROP USER
  • GRANT ACCESS TO PROPERTIES
  • SET USER PASSWORD
  • RENAME USER
  • REVOKE ACCESS