3.2.3 Disable Grants During Restore (DB2_RESTORE_GRANT_ADMIN_AUTHORITIES)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The DB2_RESTORE_GRANT_ADMIN_AUTHORITIES registry variable determines whether the authorization ID of the user performing a restore is granted administrative authorities (SECADM, DBADM, DATAACCESS, and ACCESSCTRL authorities) on the restored database. It is typically used when restoring a database on a server where the original database creator account does not exist. It is recommended that this variable not be set except when you are specifically performing a restore in which you want these authorities to be granted, so that they are not granted accidentally.

Rationale:

Use of this registry variable may grant administrative authorities accidentally if the value is left on during normal operations and a restore is run.

Solution

Run the following command to set the DB2_RESTORE_GRANT_ADMIN_AUTHORITIES registry variable to OFF:

db2set DB2_RESTORE_GRANT_ADMIN_AUTHORITIES=OFF

Default Value:

The default value of DB2_RESTORE_GRANT_ADMIN_AUTHORITIES is OFF.
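One way to audit this setting, as an added example that is not part of the benchmark or the original page: the function below reads `db2set -all` output and flags every scope where the variable is anything other than OFF. It assumes the `[scope] NAME=VALUE` line format of `db2set -all`; the function name and sample output are constructed, and treating every non-OFF value as a finding is a conservative assumption.

```shell
#!/bin/sh
# Added example: audit DB2_RESTORE_GRANT_ADMIN_AUTHORITIES from `db2set -all` output.
# Input (stdin): lines such as "[i] NAME=VALUE"; the bracketed tag is the registry
# scope (for example [e] environment, [i] instance, [g] global).
# Output: one FAIL line per scope whose value is not OFF, otherwise one PASS line.
# Exit status: 0 on PASS, 1 on FAIL.
check_restore_grant() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            scope = "[?]"                       # used when no scope tag is present
            if (match(line, /^\[[a-z]\][ \t]*/)) {
                scope = substr(line, 1, 3)
                line = substr(line, RLENGTH + 1)
            }
            eq = index(line, "=")
            if (eq == 0) next                   # not a NAME=VALUE line
            name = toupper(substr(line, 1, eq - 1))
            value = toupper(substr(line, eq + 1))
            gsub(/[ \t]+$/, "", name)
            gsub(/[ \t\r]+$/, "", value)
            if (name != "DB2_RESTORE_GRANT_ADMIN_AUTHORITIES") next
            seen = 1
            # Assumption: anything other than OFF is reported as a finding.
            if (value != "OFF") { bad = 1; printf "FAIL %s value=%s\n", scope, value }
        }
        END {
            if (!bad) print (seen ? "PASS explicitly OFF" : "PASS not set (default OFF)")
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample of `db2set -all` output (not taken from a real system).
SAMPLE_DB2SET_ALL='[i] DB2COMM=TCPIP
[i] DB2_RESTORE_GRANT_ADMIN_AUTHORITIES=ON
[g] DB2SYSTEM=dbhost01'

printf '%s\n' "$SAMPLE_DB2SET_ALL" | check_restore_grant || true

# Live use on a Db2 host, as the instance owner:
#   db2set -all | check_restore_grant
```

Running the check after every restore that temporarily enabled the variable catches the case the rationale describes, where the value is left on during normal operations.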

See Also

https://workbench.cisecurity.org/files/4033