DOMINO AND DB2


Mapping the DB2 ID to a Notes ID in the Domino server's Domino Directory
Note If you are upgrading to Domino 7 from a beta release and you used the Set DB2 ID tool to set up DB2 account names, upgrade the Domino Directory with the new template and then run the Set DB2 User Name tool for every user who needs access to DB2 databases.

Users need a DB2 identity to access DB2 databases on the DB2 server. This DB2 user name (an operating system user name) must be mapped to a Notes user name. Once the mapping exists, the user's Domino privileges are enforced: the ACL of the NSF applies. If the DB2 user name is not mapped in the Domino server's Domino Directory, and anonymous access has been enabled as described in "Allowing anonymous access to Notes data" below, the user is treated as "Anonymous" on the DB2 Access View (DAV) and can see only what the NSF's ACL grants to Anonymous. Although the user connects directly to DB2, access to Domino data is still managed by Domino, in addition to DB2's own GRANT privilege control. DB2 user names are used to access DB2 data.

Although a DAV makes Notes data available in DB2, Domino still enforces security on that data. To access Notes data using SQL (for example, through the CLP, ODBC, or Notes Query Views), a user must have both a DB2 user identity and a Lotus Notes identity, and the DB2 user name must be mapped to the Lotus Notes user name in the Domino Directory of the Domino server that "owns" the DB2-enabled Notes database.

The DB2-to-Notes user mapping must be unique. If you map more than one Notes user to a single DB2 user name, an error is generated when you try to access the DAV, whether through a Query View or through SQL.

Use the Set DB2 User Name tool from the Tools panel in the Domino Administrator to map a DB2 (OS) user name to a Notes user name. For instructions, see the topic "Mapping DB2 user names to Notes user names."

When a DB2 user attempts to access data in a DAV, the DB2 Access server verifies with the Domino server that the DB2 user is a known Notes user and that this Notes user has access to the NSF on which the DAV is based. For SQL access, the DB2 user is mapped to a Notes user so that the Notes ACL privileges can be checked; it is this mapping of DB2 user name to Notes user name that establishes the DB2 user as a known Notes user.

When a Notes application uses a Query View to access Notes and non-Notes data stored in DB2, it connects to DB2 as the DB2 user name that is mapped to the Notes ID of the Notes user executing the query. In this case the mapping is applied in the other direction: the Notes user is mapped to a DB2 user so that DB2 can verify that the user holds the GRANTs needed to see the data.

If a user is only cross-certified to access a DB2-enabled Domino server and does not have a Person document in that server's Domino Directory, you can still use the Set DB2 User Name tool in the Domino Administrator to set the DB2 account name for that user.

Allowing anonymous access to Notes data

In some cases you may not want user-level security checks performed when Notes data is accessed through SQL. You can instead control access to DAVs with DB2's GRANT mechanism rather than by mapping each DB2 user name to a Notes user name. To do so, add this setting to the NOTES.INI file on the DB2 Access server:


When this NOTES.INI setting is enabled, anonymous access to Notes is used whenever a DB2 user name is not mapped to a Notes user name.

Enabling anonymous access removes the name-mapping requirement, but Domino still controls access to the DAV. For anonymous access to work, the Domino server must allow anonymous access, and the default access level of the NSF on which the DAV is based must grant enough rights for the requested SQL operation: for example, Reader access for SELECT, Author access for INSERT, and so on.

Note Anonymous access lets you use SQL to access Notes data without mapping users; however, Query Views provide Notes access to DB2 data and always require a valid mapping. You cannot use anonymous access in a Query View.
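The rules in this section and in "Mapping the DB2 ID to a Notes ID" above combine into a small decision procedure, and it is worth seeing the three paths (mapped user, unmapped user with anonymous access on, unmapped user with it off) side by side. The Python below is an added example, not Domino or DB2 code: it models how a DB2 user's SQL statement against a DAV is authorized by Domino once DB2's own GRANT check has passed. The record layout, the function names, the field name ini_anonymous_sql standing in for the NOTES.INI setting (whose name is not reproduced on this page), and the Editor level assumed for UPDATE and DELETE are all this example's assumptions; the page itself states only Reader for SELECT and Author for INSERT.

```python
"""Added example: a model of how a DB2 user's SQL statement against a
DB2 Access View (DAV) is authorized by Domino.  Not Domino/DB2 code;
the record layout and names below are assumptions of this example."""
from dataclasses import dataclass

# Domino ACL levels in ascending order of privilege.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]

# Minimum ACL level per SQL statement.  The page states Reader for SELECT
# and Author for INSERT; Editor for UPDATE/DELETE is this example's assumption.
MIN_LEVEL_FOR_SQL = {"SELECT": "Reader", "INSERT": "Author",
                     "UPDATE": "Editor", "DELETE": "Editor"}


@dataclass
class DominoServer:
    # DB2 (OS) user name -> Notes names mapped to it in the Domino Directory.
    # A valid configuration has exactly one Notes name per DB2 name.
    db2_to_notes: dict
    allow_anonymous: bool      # server allows anonymous access at all
    ini_anonymous_sql: bool    # stands in for the NOTES.INI setting (assumed name)


@dataclass
class Nsf:
    acl: dict            # Notes user name -> ACL level for the NSF behind the DAV
    default_access: str  # the -Default- ACL entry


def level_at_least(have, need):
    return ACL_LEVELS.index(have) >= ACL_LEVELS.index(need)


def authorize_dav_sql(server, nsf, db2_user, statement):
    """Decide whether db2_user may run `statement` against the DAV.
    Returns (allowed, reason).  Assumes DB2's own GRANT check already passed."""
    need = MIN_LEVEL_FOR_SQL[statement]
    mapped = server.db2_to_notes.get(db2_user, [])

    if len(mapped) > 1:
        # The mapping must be unique; Domino raises an error rather than picking one.
        return False, f"error: {db2_user} is mapped to more than one Notes user: {mapped}"

    if len(mapped) == 1:
        # Mapped: the Notes user's ACL entry (or -Default-) decides.
        notes_user = mapped[0]
        have = nsf.acl.get(notes_user, nsf.default_access)
        return (level_at_least(have, need),
                f"{notes_user} has {have}; {statement} needs {need}")

    # Unmapped: only the anonymous path remains, and only if it is switched on.
    if not server.ini_anonymous_sql:
        return False, f"{db2_user} is not mapped to a Notes user and anonymous SQL access is off"
    if not server.allow_anonymous:
        return False, "server does not allow anonymous access"
    return (level_at_least(nsf.default_access, need),
            f"anonymous: -Default- is {nsf.default_access}; {statement} needs {need}")


def db2_user_for_query_view(server, notes_user):
    """Query Views run the other way: the Notes user executing the query is
    mapped to a DB2 name for the DB2 connection.  There is no anonymous fallback."""
    for db2_name, notes_names in server.db2_to_notes.items():
        if notes_user in notes_names:
            return db2_name
    return None


# Constructed sample configuration (not real directory data).
SAMPLE_SERVER = DominoServer(
    db2_to_notes={"JSMITH": ["John Smith/Acme"],
                  "SHARED": ["Ann Lee/Acme", "Al Lee/Acme"]},   # misconfigured: not unique
    allow_anonymous=True,
    ini_anonymous_sql=True,
)
SAMPLE_NSF = Nsf(acl={"John Smith/Acme": "Author"}, default_access="Reader")

if __name__ == "__main__":
    for user, stmt in [("JSMITH", "INSERT"), ("JSMITH", "DELETE"),
                       ("GUEST", "SELECT"), ("GUEST", "INSERT"),
                       ("SHARED", "SELECT")]:
        print(user, stmt, authorize_dav_sql(SAMPLE_SERVER, SAMPLE_NSF, user, stmt))
    print("Query View as John Smith connects as",
          db2_user_for_query_view(SAMPLE_SERVER, "John Smith/Acme"))
```

With the sample data, the mapped user JSMITH can INSERT (Author) but not DELETE; the unmapped GUEST can SELECT through -Default- Reader access but not INSERT; and SHARED is refused outright because two Notes users map to it.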

Mapping DB2 user names to Notes user names

1. From the Domino Administrator, click People and Groups.

2. Click People. Select the person for whom you are mapping a DB2 account user name to a Notes user name.

3. Click Tools - People - Set DB2 User Name.

4. Complete these fields, and then click OK.

Field: Use name from network account name field, if available
Action: Select this check box if the Person document already contains a network account name and you want to use that name. The user name should be all uppercase characters.

Field: Default format
Action: Choose a default name format, for example LastName FirstName. If "Enter Discrete Name" is chosen here, the Discrete name field is displayed.

Field: Separator
Action: Choose a character to separate the name components; for example, an underscore character separates the first name from the last name. If "Enter Custom pattern" is selected in the "Default format" field, the Separator field is not displayed.

Field: Format pattern
Action: This field appears only if "Enter Custom pattern" is selected in the "Default format" field. Enter the custom pattern you want to use, for example FirstInitialLastName. To view a list of the valid characters you can use to create a custom pattern, see the topic "Using formulas to create custom patterns in user names."

Field: Discrete name
Action: This field is displayed if "Enter Discrete Name" is selected in the "Default format" field. Enter the user's discrete name, that is, a name you enter individually -- not a name generated by specifying a pattern.

Field: Make resulting name uppercase
Action: Choose this option if you want the generated DB2 user name to be in uppercase characters.
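Once the dialog options are understood, generating candidate DB2 names for many Person documents and checking them before applying the tool can be scripted. The Python below is an added example, not Domino code: it reproduces the dialog's choices (network account name if present, a name format with a separator, a custom pattern, uppercasing) and then checks the uniqueness rule from the first section, reporting any DB2 name that would end up mapped to more than one Notes user. The {first}, {last}, {org}, {first_initial} and {sep} tokens are this script's own notation, not the pattern characters of the Set DB2 User Name dialog (whose table the next topic refers to); the Person record layout and function names are likewise assumptions.

```python
"""Added example: generate DB2 (OS) user names for Person documents using
the options of the Set DB2 User Name dialog, then audit the results for
the one-Notes-user-per-DB2-name rule.  Not Domino code; the pattern tokens
and record layout are this script's assumptions."""
import re
from collections import defaultdict

# Pattern tokens of this script (assumption; not the dialog's own characters).
TOKEN_RE = re.compile(r"\{(first_initial|first|last|org)\}")


def db2_name(person, pattern="{last}{sep}{first}", sep="_",
             uppercase=True, use_network_account=True):
    """person: dict with 'first', 'last', optional 'org' and 'network_account'.
    Mirrors the dialog: existing network account name if allowed and present,
    otherwise the format/pattern with the chosen separator, then optional uppercasing."""
    if use_network_account and person.get("network_account"):
        name = person["network_account"]
    else:
        values = {
            "first": person["first"],
            "last": person["last"],
            "org": person.get("org", ""),
            "first_initial": person["first"][:1],
        }
        name = pattern.replace("{sep}", sep)
        name = TOKEN_RE.sub(lambda m: values[m.group(1)], name)
    return name.upper() if uppercase else name


def build_mappings(people, notes_name_key="notes_name", **options):
    """Notes user name -> generated DB2 user name for every Person record."""
    return {p[notes_name_key]: db2_name(p, **options) for p in people}


def audit_mappings(mappings):
    """Return {db2_name: [notes names]} for every DB2 name that more than one
    Notes user maps to.  Such a mapping produces an error when the DAV is accessed."""
    reverse = defaultdict(list)
    for notes_name, db2 in mappings.items():
        reverse[db2].append(notes_name)
    return {db2: sorted(names) for db2, names in reverse.items() if len(names) > 1}


# Constructed sample Person documents (not real directory data).
SAMPLE_PEOPLE = [
    {"notes_name": "John Smith/Acme", "first": "John", "last": "Smith", "org": "Acme"},
    {"notes_name": "Jim Smith/Acme", "first": "Jim", "last": "Smith", "org": "Acme"},
    {"notes_name": "Jane Doe/Acme", "first": "Jane", "last": "Doe", "org": "Acme",
     "network_account": "jdoe"},
]

if __name__ == "__main__":
    # LastName_FirstName keeps the two Smiths apart ...
    print(audit_mappings(build_mappings(SAMPLE_PEOPLE)))
    # ... but FirstInitialLastName collides on JSMITH, which the audit reports.
    print(audit_mappings(build_mappings(SAMPLE_PEOPLE, pattern="{first_initial}{last}")))
```

Run the audit against the whole directory before choosing a format: a FirstInitialLastName pattern that looks fine for a handful of users is exactly the kind that collides once two people share a surname and an initial.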

Using formulas to create custom patterns in user names

When defining a custom pattern for creating user names, you can use the characters and symbols shown in the table below. Enter the custom pattern in the Format pattern field of the Set DB2 User Name dialog box.

Example

For example, you can create a formula for the custom pattern of LastName followed by the underscore character followed by the OrganizationName:
