Security Guide
1. Introduction to Vector Security
Security Features
Level of Security
Understanding Vector Security Mechanisms
Directory and File Permissions
User Authentication
Remote Users
Installation Passwords
The ingvalidpw Utility (UNIX)
DBMS Authentication
Authorization Identifiers
Subject Privileges
Object Permissions
Security Alarms
Security Auditing
Database Procedures
Data at Rest Encryption
2. Authorizing User Access
Types of Vector Users
How to Establish User Access
Users and Profiles
Working with User Objects
Create a New User with Accessdb
User Expiration Date
User Password
Authorize Multiple Users with SQLscript
Working with Profile Objects
Example of Using a Profile
Default Profile
Groups and Roles
Groups
Working with Group Objects
Example: Creating, Altering, and Dropping a Group using SQL Statements
Groups and Permissions
Roles
Working with Role Objects
Example: Creating, Altering, and Dropping a Role using SQL Statements
Roles and Permissions
3. Assigning Privileges and Granting Permissions
Subject Privileges
Auditor Privilege
Related Information
Change_Password Privilege
Createdb Privilege
Maintain_Audit Privilege
Related Information
Maintain_Locations Privilege
Maintain_Users Privilege
Related Information
Operator Privilege
Security Privilege
Trace Privilege
Sets of Privileges Associated with a Session
Object Permissions
Working with Grants
Object Ownership and Granting Object Permissions
The GRANT Statement
Database Grants
How Database Permissions for a Session are Determined
Database Grant Examples
Table and View Grants
Table Grant Examples
Procedure Grants
Database Event Grants
Role Grants
How Grants Restrict Data Access
Grant Overhead
Multiple Permission Checks
How Privileges for a Session Are Determined
Access to Tables, Views, or Procedures and the Authorization Hierarchy
Access to Databases and the Authorization Hierarchy
How Database Privileges for a Session Are Determined
Dbmsinfo--View Permissions for Current Session
Example: Return the Value of Query Row Limit for Current Session
4. Implementing Security Auditing
Security Alarms
Working with Security Alarm Objects
How to Implement a Security Alarm
Security Alarm Example
Security Auditing
Related Information
Related Information
Audit Focus
How to Enable Security Auditing
How to Verify Security Auditing Levels
Security Auditing Configuration Parameters
Security Audit Statements
Security Audit Levels for Users and Roles
Changes to Security Audit Status During a Session
Access to the Security Audit Log
Registering the Security Audit Log File
Querying the Registered Virtual Table
Obtain the Current Audit File Name
5. Using Data at Rest Encryption
What Is Data at Rest Encryption?
How Encryption Works
The Power of Encryption
Transparent Column Encryption
Access Enabled for New Tables
Create an Encrypted Table
Enable Access to Encrypted Data
Disable Access to Encrypted Data
Change the Passphrase
Encryption Information Displayed with HELP TABLE
Data at Rest Encryption Restrictions
Implications of Data Encryption for Database Design and Operations
Understanding SALT
Encryption and Copydb/Unloaddb Considerations
Optimizedb Considerations for Data at Rest Encryption
Encryption and Partitioned Tables
6. Using Secure Communications Encryption with AES
AES Security Mechanism
Configure AES Encryption
INGRES Mechanism Configuration for Encryption
AES Security Mechanism Configuration
JDBC Encryption
7. Configuring Vector to Use Kerberos
In This Chapter
Kerberos
Kerberos Configuration in the Enterprise
Kerberos Configuration Files--Configure Kerberos for Vector
The Vector Service Principal--Authorize Client Connections
hostname
realm
Prerequisite Kerberos Software on Windows
How to Configure Vector to Use Kerberos
• Run the iisukerberos utility (see iisukerberos Command--Perform Basic Kerberos Configuration).
iisukerberos Command--Perform Basic Kerberos Configuration
Vector Configuration Options for Kerberos
Basic Configuration for Kerberos
mechanisms Parameter--Specify Dynamic Mechanism
domain Parameter--Specify Domain Name
remote_mechanism Parameter--Configure Client in a Homogeneous Kerberos Environment
vnode Connection Attributes--Configure Client in a Heterogeneous Kerberos Environment
Encryption Parameters--Enable Kerberos Encryption
How Name Server Delegation Works
Set Delegation
Service Principal Host Name Resolution
How to Configure Kerberos to Authenticate against Active Directory on Windows
8. Using VectorH with Hadoop Security Systems
Requirements
Configuring VectorH for Use with Apache Knox
Understanding the Connections
Configure LDAP Authentication Using PAM
Define a JDBC Connection
CountryList.java
Configuring VectorH for Use with Apache Ranger
Access to HDFS
Access to YARN
Kerberos and YARN
Glossary