What Is the Build Security Utility?

The bldibmsec utility will duplicate Lawson table level security in the IBM DB2 database.

Security constraints and privileges placed on database tables are enforced when users attempt to use Lawson applications to access those tables. When non-Lawson applications or tools access Lawson data stored in the IBM DB2 database, they do not encounter any Lawson security restrictions or privileges.

When you make changes to any of your table-level security constraints, run bldibmsec to implement the changes in the IBM DB2 database. When you drop and recreate any tables either by using the utility or by reorganizing the Lawson database, you also drop all security constraints on those tables in the IBM DB2 database. Run bldibmsec again to reinsert your table-level constraints.

For more general information on security planning and implementation, see

  • Administration guides provided by your database vendor

  • Lawson Security and Resource Management Administration Guide

Using the Utility with Lawson Security and Resource Management

In Lawson Security, data level security and user information may be stored in LDAP. The bldibmsec utility uses Lawson Security APIs to retrieve security data from LDAP, based on security rules and the specified database service. Grant and revoke SQL statements are generated from this information.

Database drivers use database services to connect to the RDBMS. If your system uses Lawson Security, you must specify a database service for this utility using the DatabaseService parameter. RMIds and their permissions on tables in a product line are determined, and access to the database service is validated. If the RMId has access to the service, bldibmsec resolves the database login and generates the grant or revoke SQL statement.

Note: The checkLS flag must be set to ON for a user (RMid) in order for grant or revoke SQL statements to be generated for that user.
Note: 

The bldibmsec utility only resolves designated database logins for RMIds. It does not retrieve privileged database logins. This means that the service specified by the DatabaseServices argument must have a USE_USER_ID or USE_USER_AND_PRIVILEGED_ID LoginProcedure assigned to it.

Database Time Stamp Considerations

The bldibmsec utility checks the table version stamp, with the following results:

  • If the table version stamp is missing, the utility returns an error.

  • If the utility finds the table version stamp, it checks the Lawson repository to see which security classes have access to which tables in the given data area.

  • If a security class has full access to a table, the utility grants the matching IBM DB2 role permission to select, insert, update, and delete rows in the table.

  • If a security class has read-only access to a table, the utility grants the matching IBM DB2 role permission only to select rows in the table.

  • If a security class has no access to a table, it revokes all permissions on the table from the matching IBM DB2 role.