Data Control Language (DCL) Operations

CA Datacom SQL Security › Implementing the SQL Security Model › SQL Statements and SQL Security Access Rights › Data Control Language (DCL) Operations

Data Control Language (DCL) Operations

Statement	Authorization Required	Authorization Implications
GRANT	If granting a table-level access right, a user must have that same access right with the grant option. If granting a column-level access right, a user must have that access right with grant option, or the corresponding table-level access right with grant option. A Global Owner may execute any GRANT statement.	The requested authorizations are established.
REVOKE	To REVOKE access rights from another user, the user must have granted that other user the access rights. A Global Owner may REVOKE any user's access rights to any resource.	If the user, whose access right is revoked, has granted the access right to someone else, that access right is also revoked, which may cause further revokes, and so on. CA Datacom/DB revokes the entire tree of access rights depending on the original revoked access right. When an access right is revoked, CA Datacom/DB examines all views created by that user to determine whether not having the access right would prevent that view from being created now. If so, CA Datacom/DB drops the view. Since, when a view is created, the creator of the view is automatically granted access rights based on the access rights they have on the underlying tables and views, whenever an access right on a table or view is revoked, CA Datacom/DB examines all views created by the user on that table or view to determine if any of the access rights that were automatically granted would not now be granted because of the revoke. If so, CA Datacom/DB revokes them.

Statement

Authorization
Required

Authorization
Implications

GRANT

If granting a table-level access right, a user
must have that same access right with the grant option. If granting a column-level access right, a user must have that access right with grant option, or the corresponding table-level access right with grant option.

A Global Owner may execute any GRANT statement.

The requested authorizations are established.

REVOKE

To REVOKE access rights from another user, the user must have granted that other user the access rights.

A Global Owner may REVOKE any user's access rights to any resource.

If the user, whose access right is revoked, has granted the access right to someone else, that access right is also revoked, which may cause further revokes, and so on. CA Datacom/DB revokes the entire tree of access rights depending on the original revoked access right.

When an access right is revoked, CA Datacom/DB examines all views created by that user to determine whether not having the access right would prevent that view from being created now. If so, CA Datacom/DB drops the view.

Since, when a view is created, the creator of the view is automatically granted access rights based on the access rights they have on the underlying tables and views, whenever an access right on a table or view is revoked, CA Datacom/DB examines all views created by the user on that table or view to determine if any of the access rights that were automatically granted would not now be granted because of the revoke. If so, CA Datacom/DB revokes them.