DB2 uses explicit SQL GRANT and REVOKE statements to give privileges to or remove privileges from users. If you are granted a privilege, you can perform a particular function, usually on a specific object. For example, if USER01 wants to retrieve data from the PERSONEL.EMPLPAY table, the GRANT statement might look like this:
GRANT SELECT ON TABLE PERSONEL.EMPLPAY TO USER01
Only privileges that are explicitly granted can be revoked. Any ID that grants a privilege to a specific ID can revoke that privilege. For DB2 release 9. and below, the SYSADM or SYSCTRL authority can revoke any privilege. For DB2 Version 10 and above, the SECADM authority can revoke any privilege; if SEPARATE_SECURITY is set to NO, the SYSADM and SYSCTRL authorities can also revoke any privilege.
You can grant and revoke privileges to and from a single ID, or you can name several IDs on one statement. You can also grant privileges to an ID called PUBLIC. This ID permits you to make most privileges available to all IDs. All DB2 users can use privileges granted to PUBLIC. When a privilege is revoked from PUBLIC, IDs previously granted that privilege will continue to have it.
To let users grant privileges to others, you can grant the privileges with the WITH GRANT OPTION clause. This option enables users to specifically grant any privilege belonging to that authority to another user. For example, if you are granted the DBADM authority with the WITH GRANT OPTION, you can grant any privilege belonging to the DBADM authority (ALTER, DELETE, INDEX, INSERT, SELECT, or UPDATE) to any user.
|
Copyright © 2011 CA Technologies.
All rights reserved.
|
|