securitylablelcomponentelements and securitylabels mapping in db2

问题

DB2 allows user defined LBAC security policies. For creating the required labels and authorizations, I followed the steps provided here. So far so good. However, retrieving these policies is a big headache. Suppose, someone defined these policies and did not keep a backup of their activities. By looking at the defined components and labels, it seems to be quite hard to figure out what was done.

The main problem I am facing is this: table syscat.securitylabelcomponentelements keeps a record of the elements of the security components which one defined. syscat.securitylabels records the labels created from these component elements. I am unable to find the mapping though. It is possible that one named a component element as X, and named the corresponding label as Y. Where is the mapping stored? That is, hoe do I know that label Y is coming from element X?

I could not find this. Can someone please help me out here?

Regards,

Salil

回答1:

The db2look utility will extract the DDL for all of the LBAC components, which should make it pretty easy to determine the structure you are looking for.

$ db2look -d sample -e

-- This CLP file was created using DB2LOOK Version "9.7" 
-- Timestamp: Sat 30 Mar 2013 11:21:34 AM MST
-- Database Name: SAMPLE         
-- Database Manager Version: DB2/LINUXX8664 Version 9.7.5  
-- Database Codepage: 1208
-- Database Collating Sequence is: IDENTITY


CONNECT TO SAMPLE;

-----------------------------------------------------------
-- DDL Statements for Security Label Component "ORG_DIVISIONS"
-----------------------------------------------------------

CREATE SECURITY LABEL COMPONENT "ORG_DIVISIONS"
   TREE ('ORGANIZATION_ADMIN' ROOT,
     'SALES' UNDER 'ORGANIZATION_ADMIN',
     'RESEARCH' UNDER 'ORGANIZATION_ADMIN',
     'MANUFACTURING' UNDER 'ORGANIZATION_ADMIN',
     'MFM1' UNDER 'MANUFACTURING',
     'MF_ENGG1' UNDER 'MFM1',
     'RSM1' UNDER 'RESEARCH',
     'RS_ENGG1' UNDER 'RSM1');

----------------------------------------------------------
-- DDL Statements for Security Policy "ORGANIZATION_POLICY"
----------------------------------------------------------

CREATE SECURITY POLICY "ORGANIZATION_POLICY" 
   COMPONENTS "ORG_DIVISIONS"
   WITH DB2LBACRULES RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;


...

来源：https://stackoverflow.com/questions/15714329/securitylablelcomponentelements-and-securitylabels-mapping-in-db2