Use the CREATE USER statement to define internally authenticated users, or to map externally authenticated users to surrogate user properties required for access to Informix® resources.

1 Configure the database

First, set the USERMAPPING parameter in the onconfig file to BASIC.

USERMAPPING    BASIC

USERMAPPING configuration parameter (UNIX, Linux).
    
Use the USERMAPPING configuration parameter to set whether or not the database server accepts connections from mapped users.
    
default value
  OFF
values
  OFF = Only users that are registered in the IBM® Informix® host computer OS with a login service can connect to the database server. Externally authenticated users without OS accounts on the Informix host computer cannot connect to database server resources.
  BASIC = Users can connect to Informix without an OS account. A user without an OS account cannot perform privileged user operations on the database server, even if the user maps to a server administrator user or group ID.
  ADMIN = Users can connect to Informix without an OS account. If a user has authenticated with the identity of a privileged user and is mapped to the proper server administrator group ID, the user can perform DBSA, DBSSO, or AAO work on the database server.

takes effect
  After you edit your onconfig file and restart the database server.
  When you reset the value dynamically in your onconfig file by running the onmode -wf command.
  When you reset the value in memory by running the onmode -wm command.
Usage
  Externally authenticated users without operating system (OS) accounts on the Informix host computer can access database server resources when USERMAPPING is turned on by setting the parameter with the BASIC or ADMIN value. The setting of BASIC or ADMIN also determines whether or not mapped users can be granted administrative privileges.

Important: Changing the USERMAPPING configuration parameter from OFF to ADMIN or BASIC is not the only step in setting up Informix for mapped users. To map users with the appropriate user properties, you must also use DDL statements such as CREATE USER and ALTER USER to register values in appropriate system tables of the SYSUSER database. Depending on the DDL statement used and the defined table mapping, the following tables will be updated or populated:
  SYSINTAUTHUSERS
  SYSUSERMAP
  SYSSURROGATES
  SYSSURROGATEGROUPS

Note

If HDR replication is in use, USERMAPPING must be configured on both the primary and the secondary servers.

To make this change take effect immediately, you can run:

onmode -wf USERMAPPING=BASIC

2 Create the surrogate user

Create a user in the OS, for example ifxsurr, with its home directory at /home/ifxsurr. Run the following commands as root.

useradd -d /home/ifxsurr -s /bin/false ifxsurr

Note

If HDR replication is in use, this user must be created on both the primary and the secondary servers.

Edit the file /etc/informix/allowed.surrogates to add the user.

mkdir /etc/informix
vi /etc/informix/allowed.surrogates

Add the user in this file.

USERS:ifxsurr

Assign the owner and permissions to the file.

chown root:root /etc/informix/allowed.surrogates
chmod 644 /etc/informix/allowed.surrogates

Reload the cache entry for this file.

onmode -cache surrogates
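
The result of this step can be verified with a short audit script. This is an added example, not part of the original page: it checks the owner and mode set above and that each listed surrogate has an account with a non-login shell. The function names, finding labels, use of GNU `stat`, comma-separated names on a `USERS:` line and the uid 0 check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the page): audit the surrogate allow-list of step 2.
# Assumes GNU stat and that a USERS: line may hold comma-separated names.

# Print one surrogate user name per line.
surrogate_names() {
    sed -n 's/^USERS:[[:space:]]*//p' "$1" | tr ',' '\n' |
        sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# audit_surrogates FILE [PASSWD_FILE] [UID:GID]
# Prints one finding per line and returns 0 only when there are none.
audit_surrogates() {
    file=$1 passwd=${2:-/etc/passwd} owner=${3:-0:0}
    findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }

    # Step 2 sets root:root (0:0) and mode 644 on the file.
    mode=$(stat -c '%a' "$file")
    own=$(stat -c '%u:%g' "$file")
    [ "$mode" = 644 ] || { echo "MODE $mode (expected 644)"; findings=1; }
    [ "$own" = "$owner" ] || { echo "OWNER $own (expected $owner)"; findings=1; }

    for name in $(surrogate_names "$file"); do
        entry=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$passwd")
        if [ -z "$entry" ]; then
            echo "NOACCOUNT $name"; findings=1; continue
        fi
        uid=$(echo "$entry" | cut -d: -f3)
        shell=$(echo "$entry" | cut -d: -f7)
        # Extra check beyond the page: a surrogate should not be uid 0.
        [ "$uid" != 0 ] || { echo "ROOT $name"; findings=1; }
        # The page creates the account with /bin/false; nologin is equivalent.
        case $shell in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            *) echo "LOGINSHELL $name $shell"; findings=1 ;;
        esac
    done
    return $findings
}
```

Run `audit_surrogates /etc/informix/allowed.surrogates` as root on the primary and on each HDR secondary, since the surrogate user has to exist on both.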

3 Create the mapped users

You can create the user with the following statement while connected to any database. The samples below use 'user_sample' as the user name. Run the following command as user informix.

echo "CREATE USER 'user_sample' WITH PASSWORD 'thepasswd' PROPERTIES USER 'ifxsurr'" | dbaccess any_database

The user is created for the whole instance.

The user now appears as a mapped user in the sysuser database.

echo "SELECT * FROM sysusermap" | dbaccess sysuser

4 Grant permissions to user on the databases

For each database, you must grant a permission (connect, resource, or dba) to the users who will have access to it.

Assign the connect permission to this user for the database.

echo "GRANT CONNECT TO user_sample" | dbaccess the_database

In that database, you can check the user and its permission type.

echo "SELECT * FROM sysusers WHERE username = 'user_sample'" |  dbaccess the_database

5 Modify the password of a mapped user

To modify the password, use the following statements:

ALTER USER 'user_sample' DROP PASSWORD;
ALTER USER 'user_sample' ADD PASSWORD 'thepasswd';