Skip to main content

IBM Db2

Description

The IBM Db2 connector uses a JDBC connection to the Db2 database to enumerate database users, roles, and privilege grants. It queries the Db2 system catalogue views to discover granted authorities, role memberships, and schema-level privileges, enabling complete visibility into database-tier access.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority200

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

Supported Protocol

ProtocolPortNotes
JDBC (IBM Db2 JDBC Driver)50000 TCPUnencrypted by default; SSL available on port 50001

What OrbisID Discovers

DataSource
Database usersSYSCAT.DBAUTH system view
OS/directory groups with a database authority or role grantSYSCAT.DBAUTH/SYSCAT.ROLEAUTH (AUTHIDTYPE/GRANTEETYPE = G — discovered as Entitlements, not users, see below)
Database rolesSYSCAT.ROLES
Role membershipsSYSCAT.ROLEAUTH
Database authoritiesDBADMAUTH, SECADMAUTH columns in SYSCAT.DBAUTH
Schema privilegesSYSCAT.SCHEMAAUTH

OS/Directory Group Grants ("Shadow Groups")

Db2 authorities and roles can be granted directly to an OS or directory group (SYSCAT.DBAUTH/SYSCAT.ROLEAUTH type G) rather than to an individual user — Db2 has no visibility into who is actually a member of that group. These are discovered as their own Entitlement (type DB2_OS_GROUP) instead of being dropped or misrepresented as a user.

Cross-system resolution: if the real group is also discoverable elsewhere in OrbisID, the group grant is automatically linked to it after each scan, so the real account holders show up with this Db2 grant as one of their entitlements:

  • Domain-qualified groups (e.g. DOMAIN\group, on Windows with a domain-based OS security plugin) resolve against an Active Directory Target System matching that domain.
  • Bare OS group names (e.g. db2grp1, the common case on Linux or a local Windows group) resolve against a Windows or Linux Target System that shares the same hostname or IP address as this Db2 system — add the machine Db2 is running on as its own Target System to get this link.

If no matching system exists (or it hasn't been scanned yet), the reference simply stays unresolved rather than guessing.

Connection Requirements

Required Permissions

The scanning credential must be a Db2 user with SELECT access to the system catalogue.

Minimum permissions:

  • SELECT on SYSCAT.DBAUTH
  • SELECT on SYSCAT.ROLES and SYSCAT.ROLEAUTH
  • SELECT on SYSCAT.SCHEMAAUTH

Credential Mapping

OrbisID FieldValue
credential.usernameDb2 username
credential.passwordDb2 password
system.hostnameDb2 server hostname or IP
system.portDb2 port (default 50000)
system.databaseNameTarget database name

Network Requirements

The OrbisID server must have TCP access to the Db2 server on port 50000 (or 50001 for SSL).

Configuration Steps

  1. Create a Db2 user (OS-level or LDAP) with catalogue read access:
    GRANT SELECT ON SYSCAT.DBAUTH TO USER orbisid_scanner;
    GRANT SELECT ON SYSCAT.ROLES TO USER orbisid_scanner;
    GRANT SELECT ON SYSCAT.ROLEAUTH TO USER orbisid_scanner;
  2. Create a Credential in OrbisID:
    • Username: orbisid_scanner
    • Password: Database password
  3. Navigate to Systems → Add System
  4. Fill in the fields:
FieldValue
NameDescriptive name (e.g., IBM Db2 – PRODDB)
OS TypeIbmDb2
System TypeInfrastructure
HostnameDb2 server hostname
Port50000
Database NameTarget database name
CredentialThe scanning credential
  1. Click Test Connection
  2. Click Save

Troubleshooting

SymptomLikely CauseResolution
Authentication failedInvalid credentialsVerify OS-level or LDAP credentials for the Db2 user
SQL1092NInsufficient catalogue privilegesGrant SELECT on required SYSCAT views
Cannot connectPort blockedVerify TCP 50000 is open from OrbisID to the Db2 server
Driver not foundMissing Db2 JDBC driverEnsure db2jcc4.jar is in the OrbisID classpath