User Mapping
A user mapping is an association between a database user or a database role and a local user on the Key Manager. CDP for DB2 uses this user mapping to authenticate with the Key Manager before submitting cryptographic requests.
CDP for DB2 authenticates to the Key Manager as the NAE user mapped to the database user who is performing the operation. (If the database user is valid but is not specifically listed, the Default Mapping value is used, when enabled.) If the user mapping contains a valid NAE user and password, and that NAE user has permission to access the key required for the operation, the request is honored. If either of these conditions is not met, the operation is not performed.
A valid user mapping is needed to create triggers and views regardless of database environment.
Some features may need to be enabled for all database users not otherwise listed in the User Mappings section. To do this, associate the Default Mapping value with a specific NAE user. For example, you can create an NAE user with access to global keys, or an NAE user with no specific key permissions so that the replacement value feature takes effect for unmapped users.
You can create and manage user mapping using any of these options:
CipherTrust Manager UI. Refer to Managing User Mappings for details.
pdbctl utility. Refer to the pdbctl utility documentation for details.
Default Mapping
The default mapping is a catch-all CipherTrust Manager user that CDP uses to connect to the CipherTrust Manager when no user mapping exists for a database user. When there is no default mapping and an unmapped database user attempts to access sensitive data, CDP returns an error message and does not send the request to the CipherTrust Manager. Creating a default mapping prevents CDP from automatically returning this error.
When this feature is enabled, instead of returning an error message, CDP connects to the CipherTrust Manager as the default CipherTrust Manager user. How the CipherTrust Manager then responds to requests depends on the CipherTrust Manager configuration. It might return one of the following:
Insufficient permissions
NULL
Pre-configured replacement value
Encrypted value
(This behavior is configured on the Database Column Properties screen for the encrypted column.)
When the default mapping is assigned, the system creates an entry in the ING_AUTHORIZED_USER table with the user name ING_DEFAULT_USER. For this reason, avoid using ING_DEFAULT_USER to represent a specific database user.
Limitations
When using CDP 8.12.1 or higher with CipherTrust Manager 2.15 or lower, if a user mapping is added or updated, you must run the pdbctl utility command migrateusermap. This makes the added or updated user mapping compatible with the CipherTrust Manager. Refer to Migrate user mappings for details.
Group or Role Mapping
CDP for DB2 enables an authorized database user’s access to encryption keys. A database user or a database role can be directly mapped to a CipherTrust Manager user.
Note
If a database user who is a member of a database role mapped to an NAE user is also mapped individually to an NAE user, the individual user mapping takes precedence.
If a database user belongs to multiple database roles that are mapped to NAE users, the user inherits the access privileges of the NAE user mapped to the role that sorts first alphabetically.
Mapping precedence, from highest to lowest, is: individual > database role > Default Mapping.
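The following is an added example, not CDP for DB2 or CipherTrust Manager code, that models the rules described in the User Mapping and Default Mapping sections and the precedence note above: individual mapping first, then the alphabetically first mapped role, then the Default Mapping, and an error with no request sent when none applies; once an NAE user is selected, the request succeeds only if that user holds the key, and otherwise the column's configured fallback (error, NULL, replacement value, or ciphertext) is applied. All names, sample users, roles, keys and passwords (MappingTable, resolve_nae_user, handle_request, NAE_ACCOUNTS, nae_hr, HR_ROLE, hr_ssn_key, and so on) are assumptions constructed for illustration; the product keeps its mappings in its own tables and performs the permission check on the CipherTrust Manager.

```python
"""Toy model of CDP for DB2 user-mapping resolution and denied-access handling.

Added example, not product code. Every name below is an assumption made for
illustration; the sample accounts and mappings are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The user name CDP records for the default mapping; never reuse it for a
# real database user.
ING_DEFAULT_USER = "ING_DEFAULT_USER"


@dataclass(frozen=True)
class Mapping:
    nae_user: str
    nae_password: str


@dataclass
class MappingTable:
    users: Dict[str, Mapping] = field(default_factory=dict)   # db user -> NAE user
    roles: Dict[str, Mapping] = field(default_factory=dict)   # db role -> NAE user
    default: Optional[Mapping] = None                         # Default Mapping


class UnmappedUserError(Exception):
    """No individual, role or default mapping applies; nothing is sent."""


class NaeAuthError(Exception):
    """The mapped NAE credentials were rejected by the manager."""


def resolve_nae_user(table: MappingTable, db_user: str,
                     db_roles: List[str]) -> Tuple[Mapping, str]:
    """Apply the documented precedence: individual > role > Default Mapping.

    Among several mapped roles, the one that sorts first alphabetically wins.
    Returns the mapping and a tag naming the rule that selected it.
    """
    if db_user in table.users:
        return table.users[db_user], "individual"
    mapped_roles = sorted(r for r in db_roles if r in table.roles)
    if mapped_roles:
        return table.roles[mapped_roles[0]], "role:" + mapped_roles[0]
    if table.default is not None:
        return table.default, "default:" + ING_DEFAULT_USER
    # No default mapping: CDP reports an error and never contacts the manager.
    raise UnmappedUserError("no user mapping for database user %r" % db_user)


# Constructed stand-in for the CipherTrust Manager's view of its NAE users:
# the password each accepts and the keys each may use.
NAE_ACCOUNTS = {
    "nae_hr":      {"password": "hr-secret",  "keys": {"hr_ssn_key"}},
    "nae_finance": {"password": "fin-secret", "keys": {"card_key"}},
    "nae_noperms": {"password": "np-secret",  "keys": set()},  # no keys: fallback only
}


def handle_request(table: MappingTable, db_user: str, db_roles: List[str],
                   key_name: str, ciphertext: str, on_denied: str,
                   replacement: str = "XXX-XX-XXXX",
                   accounts: Dict = NAE_ACCOUNTS) -> Tuple[str, Optional[str]]:
    """Model one decrypt request against an encrypted column.

    on_denied stands in for the Database Column Properties choice of what the
    caller sees when the NAE user lacks the key: 'error', 'null',
    'replacement' or 'ciphertext'.
    """
    mapping, _how = resolve_nae_user(table, db_user, db_roles)
    account = accounts.get(mapping.nae_user)
    if account is None or account["password"] != mapping.nae_password:
        raise NaeAuthError("manager rejected NAE user %r" % mapping.nae_user)
    if key_name in account["keys"]:
        # Stand-in for the real decrypt: strip the constructed "enc:" prefix.
        return "decrypted", ciphertext[len("enc:"):]
    behaviours = {
        "error": ("error", "insufficient permissions"),
        "null": ("null", None),
        "replacement": ("replacement", replacement),
        "ciphertext": ("ciphertext", ciphertext),
    }
    return behaviours[on_denied]


def sample_table() -> MappingTable:
    """Constructed mapping table used by the usage below."""
    return MappingTable(
        users={"alice": Mapping("nae_hr", "hr-secret")},
        roles={"HR_ROLE": Mapping("nae_hr", "hr-secret"),
               "FINANCE_ROLE": Mapping("nae_finance", "fin-secret")},
        default=Mapping("nae_noperms", "np-secret"),
    )


if __name__ == "__main__":
    t = sample_table()
    print(resolve_nae_user(t, "alice", ["FINANCE_ROLE"]))           # individual wins
    print(resolve_nae_user(t, "bob", ["HR_ROLE", "FINANCE_ROLE"]))  # FINANCE_ROLE sorts first
    print(handle_request(t, "carol", [], "hr_ssn_key", "enc:123456789", "replacement"))
```

Note that "bob" ends up as nae_finance even though HR_ROLE was listed first, because the rule is alphabetical order of the mapped roles, not the order in which roles were granted; and "carol", who has no mapping at all, is served through the default mapping's key-less NAE user, which is exactly the setup the documentation suggests for turning on replacement values for unmapped users.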