Web console user access and authentication

The web console provides two tiers of user access control and one authentication method. Depending on your environment, you might need to do some tasks before you install the product.

To each user of the web console, you will first grant access to the web console, and then grant access to the specific tasks the user will perform using the web console.

User access to the web console

The first tier of user access is to the web console. The web console products provide the repository database authentication method for access to the web console. All users that are allowed to connect to the repository database can be granted access privileges to the web console.

To set up web console access, you must ensure that the repository database is set up with an authentication method such as local operating system, Lightweight Directory Access Protocol (LDAP), or NIS+.

For example, if you want to use LDAP to authenticate users through the repository database, you must ensure that the DB2 instance on which you install the product is configured to use LDAP authentication (see Using LDAP with repository database authentication).

Use the Console Security page of the web console to grant web console privileges such as Viewer or Administrator to each user that is defined for the repository database. Both Viewer and Administrator privileges allow a user to log on to the web console, but only users with Administrator privileges can change global settings.

Tip: With the Data Studio web console, you can use the default administrative user to initially log in to the web console and test the product. For a production environment with more than one user accessing the web console, you should use repository database authentication to control web console access.

User access to the web console functionality

The second tier of user access is to the different types of data and tasks permitted for a specific database. You grant these privileges to users of an individual database on the Grant and Revoke tab of the Manage Privileges page. These privileges, which might include the Can Monitor privilege, the Can Manage Alerts privilege, and the Can Manage Jobs privilege, apply only after the user logs in to the web console.

An administrator can use the Enable and Disable tab of the Manage Privileges page to configure the requirement for the various privileges for each database. If a privilege requirement is disabled for a database, all web console users can perform actions that are normally restricted by that privilege. For example, if the Can Manage Jobs privilege requirement is disabled, all web console users can create and manage jobs.

Remember: Even though a user has the required web console privileges to access a web console page, if that page has a database selector the user will be prompted to log in to the database to view database data or perform actions on that database. The user ID that the user logs in as must have the required authority on the database to perform any actions available on the web console page.

For example, to force an application from the Current Application Connections page, the user ID used to connect to the database must have at least SYSADM, SYSCTRL, or SYSMAINT authority on that database.
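
The following added example (not product code) models the checks described in this section, so that the effect of a disabled privilege requirement can be reviewed per database. The data structures, function names, user names, and the SALES database are assumptions made for illustration; the web console does not expose this interface.

```python
from dataclasses import dataclass, field

CONSOLE_ROLES = {"Viewer", "Administrator"}  # tier 1 privileges named on the page

@dataclass
class Database:
    name: str
    requirement_enabled: dict  # privilege -> bool (Enable and Disable tab)
    grants: dict = field(default_factory=dict)  # privilege -> users (Grant and Revoke tab)

def console_allows(roles, user, db, privilege):
    """Tier 1, then tier 2: can this console user reach the restricted action?"""
    if roles.get(user) not in CONSOLE_ROLES:
        return False  # cannot log on to the web console at all
    if not db.requirement_enabled[privilege]:
        return True   # requirement disabled: every console user passes
    return user in db.grants.get(privilege, set())

def action_permitted(roles, user, db, privilege, login_authorities, required):
    """Console checks plus the authority of the ID used to log in to the database."""
    return console_allows(roles, user, db, privilege) and bool(
        set(login_authorities) & set(required))

def disabled_requirements(databases):
    """Audit helper: list (database, privilege) pairs where tier 2 is switched off."""
    return sorted((db.name, p) for db in databases
                  for p, enabled in db.requirement_enabled.items() if not enabled)

# Constructed sample data (hypothetical users and database name).
ROLES = {"alice": "Administrator", "bob": "Viewer"}  # carol has no console access
SALES = Database(
    name="SALES",
    requirement_enabled={"Can Monitor": True, "Can Manage Jobs": False},
    grants={"Can Monitor": {"alice"}},
)
FORCE_APP = {"SYSADM", "SYSCTRL", "SYSMAINT"}  # authorities from the page's example

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for priv in SALES.requirement_enabled:
            print(user, priv, console_allows(ROLES, user, SALES, priv))
    print("disabled:", disabled_requirements([SALES]))
```

In this model, bob holds no tier 2 grant yet passes the Can Manage Jobs check because the requirement is disabled for SALES, while carol is stopped at tier 1.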

