Managing users
Access to IBM® Db2® as a Service service instances for users in your account is controlled by Identity and access management (IAM) on IBM Cloud and database access is provided by standard access controls provided by the database.
For more information about IAM, see What is IBM Cloud Identity and Access Management?.
User types
Database users
These are the users that are used to access the database. Traditionally, these are the OS users in a typical Db2 deployment, although, in the cloud, a user registry is used. Db2 understands these users as native to the database. The database privileges for the users can be granted or revoked as can roles that are created by the user.
Database users are not granted any service-level functions. For example, a database administrator who has access to the data does not have the ability to change the configuration of the system outside of the database privileges that they were given.
IAM users
IAM is only integrated with high-level service access, which governs privileges and operations available in the IBM Db2 SaaS console and database. Access to the database by these IAM users is provided by allowing an IAM user or service ID access to a specific Db2 user, as mentioned earlier.
Roles and access
Users can use JDBC or any Db2 client to connect to their database. There are two ways that users can access the database:
- Use their database user name and password associated with their account
- Use the IAM token (or APIKey, which gets the token) that is mapped to the associated database user
IAM authentication is performed as the authentication mechanism. Permissions are not controlled by IAM. Permissions are controlled by database level privileges of the associated user.
Console access
Console access is controlled by IAM. An IAM user can be assigned access by the IAM interface to all Db2 service instances, all Db2 service instances in a resource group, or a specific service instance. Within these parameters, IAM users can be assigned platform and service-level access.
| Role | User mgmt | SQL editor/tables | Monitoring info | Settings (includes scale, backup, DR, etc.) | Info panels |
|---|---|---|---|---|---|
| IAM - Platform - Viewer | No | No (unless mapped to Db2 user) | Yes | No | Yes |
| IAM - Platform - Operator | No | No (unless mapped to Db2 user) | Yes | Yes | Yes |
| IAM - Platform - Editor | No | No (unless mapped to Db2 user) | Yes | Yes | Yes |
| IAM - Platform - Administrator | Yes | No (unless mapped to Db2 user) | Yes | Yes | Yes |
| Non-IAM, but authenticate with JDBC | Only "Change password" | Yes | No | No | Yes |
Service action mapping
Service action access is also controlled by IAM Roles. An IAM user can be assigned access by the IAM interface to all Db2 service instances, all Db2 service instances in a resource group, or a specific service instance. Within these parameters, IAM users can be assigned or revoked access from specific service actions.
| Role | Manage-users | Scale | Clone | Restore | DR | Settings | Backup | Monitor | View settings |
|---|---|---|---|---|---|---|---|---|---|
| IAM - Platform - Viewer | No | No | No | No | No | No | No | Yes | Yes |
| IAM - Platform - Operator | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| IAM - Platform - Editor | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IAM - Platform - Administrator | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
For more information about user management, see Database user management