IBM Db2
Description
The IBM Db2 connector uses a JDBC connection to the Db2 database to enumerate database users, roles, and privilege grants. It queries the Db2 system catalogue views to discover granted authorities, role memberships, and schema-level privileges, enabling complete visibility into database-tier access.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 200 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| JDBC (IBM Db2 JDBC Driver) | 50000 TCP | Unencrypted by default; SSL available on port 50001 |
What OrbisID Discovers
| Data | Source |
|---|---|
| Database users | SYSCAT.DBAUTH system view |
| OS/directory groups with a database authority or role grant | SYSCAT.DBAUTH/SYSCAT.ROLEAUTH (AUTHIDTYPE/GRANTEETYPE = G — discovered as Entitlements, not users, see below) |
| Database roles | SYSCAT.ROLES |
| Role memberships | SYSCAT.ROLEAUTH |
| Database authorities | DBADMAUTH, SECADMAUTH columns in SYSCAT.DBAUTH |
| Schema privileges | SYSCAT.SCHEMAAUTH |
OS/Directory Group Grants ("Shadow Groups")
Db2 authorities and roles can be granted directly to an OS or directory group (SYSCAT.DBAUTH/SYSCAT.ROLEAUTH type G) rather than to an individual user — Db2 has no visibility into who is actually a member of that group. These are discovered as their own Entitlement (type DB2_OS_GROUP) instead of being dropped or misrepresented as a user.
Cross-system resolution: if the real group is also discoverable elsewhere in OrbisID, the group grant is automatically linked to it after each scan, so the real account holders show up with this Db2 grant as one of their entitlements:
- Domain-qualified groups (e.g.
DOMAIN\group, on Windows with a domain-based OS security plugin) resolve against an Active Directory Target System matching that domain. - Bare OS group names (e.g.
db2grp1, the common case on Linux or a local Windows group) resolve against a Windows or Linux Target System that shares the same hostname or IP address as this Db2 system — add the machine Db2 is running on as its own Target System to get this link.
If no matching system exists (or it hasn't been scanned yet), the reference simply stays unresolved rather than guessing.
Connection Requirements
Required Permissions
The scanning credential must be a Db2 user with SELECT access to the system catalogue.
Minimum permissions:
SELECTonSYSCAT.DBAUTHSELECTonSYSCAT.ROLESandSYSCAT.ROLEAUTHSELECTonSYSCAT.SCHEMAAUTH
Credential Mapping
| OrbisID Field | Value |
|---|---|
credential.username | Db2 username |
credential.password | Db2 password |
system.hostname | Db2 server hostname or IP |
system.port | Db2 port (default 50000) |
system.databaseName | Target database name |
Network Requirements
The OrbisID server must have TCP access to the Db2 server on port 50000 (or 50001 for SSL).
Configuration Steps
- Create a Db2 user (OS-level or LDAP) with catalogue read access:
GRANT SELECT ON SYSCAT.DBAUTH TO USER orbisid_scanner;
GRANT SELECT ON SYSCAT.ROLES TO USER orbisid_scanner;
GRANT SELECT ON SYSCAT.ROLEAUTH TO USER orbisid_scanner; - Create a Credential in OrbisID:
- Username:
orbisid_scanner - Password: Database password
- Username:
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., IBM Db2 – PRODDB) |
| OS Type | IbmDb2 |
| System Type | Infrastructure |
| Hostname | Db2 server hostname |
| Port | 50000 |
| Database Name | Target database name |
| Credential | The scanning credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
Authentication failed | Invalid credentials | Verify OS-level or LDAP credentials for the Db2 user |
SQL1092N | Insufficient catalogue privileges | Grant SELECT on required SYSCAT views |
| Cannot connect | Port blocked | Verify TCP 50000 is open from OrbisID to the Db2 server |
Driver not found | Missing Db2 JDBC driver | Ensure db2jcc4.jar is in the OrbisID classpath |