

Securing Databases

About Databases

When you secure resource type DB, you control who can issue DDL SEGMENT statements and who can specify a segment in the DBNAME parameter of a CREATE SCHEMA statement. Until you secure resource type DB, any user can issue DDL SEGMENT statements and can specify a segment in the DBNAME parameter of a CREATE SCHEMA statement.

How to Secure Databases

To secure the DB resource internally, include an entry in the SRTT:

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=DB,                                             X
      SECBY=INTERNAL

To secure the DB resource externally, include an entry in the SRTT:

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=DB,                                             X
      SECBY=EXTERNAL,                                         X
      Additional parameters required

Note: For more information about #SECRTT, see #SECRTT.

Database Occurrence Overrides

You can specify a security option for a particular occurrence of a database that differs from the option specified for DB in the SRTT. This allows you, for example, to secure databases internally but to leave security 'OFF' for specific databases.

In this example, internal security is activated in the SRTT for all databases in the system (including the system dictionary and the user catalog), but security is turned off for any databases with names that begin with 'TEST' or 'DEMO'.

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=DB,                                             X
      SECBY=INTERNAL

#SECRTT    TYPE=OCCURRENCE,                                   X
      RESTYPE=DB,                                             X
      RESNAME='TEST',                                         X
      SECBY=OFF

#SECRTT    TYPE=OCCURRENCE,                                   X
      RESTYPE=DB,                                             X
      RESNAME='DEMO',                                         X
      SECBY=OFF

How to Grant Database Definition Privilege

To give physical database definition privileges, you issue a GRANT statement on the DB resource type, specifying the privilege or privileges and the name of the database. You can specify any combination of CREATE, ALTER, DROP, DISPLAY, and USE privileges, or you can specify all definition privileges (DEFINE). You must be connected to the system dictionary.

As a holder of SYSADMIN or DBADMIN privilege, you can specify WITH GRANT OPTION when you grant definition privileges to allow the recipient to grant the same privileges to another user.

Note: For more information, see the following sections:

Performance Advantage

You may gain a performance advantage by using an override to turn off security for an occurrence of a secured resource type. Runtime security processing checks for an occurrence override in the SRTT before checking resource authorizations in the security database.
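The lookup order described above, together with the TEST/DEMO overrides from Database Occurrence Overrides, modelled as an added Python example; it is not code from the product or its documentation. It assumes RESNAME matches as a name prefix, as the page's example describes, and that the longest matching RESNAME wins; the one-line #SECRTT text, the database names and the function names are constructed for illustration.

```python
import re

# Constructed SRTT source mirroring the page's example (continuation marks dropped).
SRTT_SOURCE = """
#SECRTT TYPE=ENTRY,RESTYPE=DB,SECBY=INTERNAL
#SECRTT TYPE=OCCURRENCE,RESTYPE=DB,RESNAME='TEST',SECBY=OFF
#SECRTT TYPE=OCCURRENCE,RESTYPE=DB,RESNAME='DEMO',SECBY=OFF
"""
# Constructed inventory of database names to audit.
DATABASES = ["TESTDB1", "DEMODB", "DEMOGRPH", "PAYROLL", "TESTAMNT", "SYSDICT"]

def parse_srtt(source):
    """Return one dict of keyword parameters per #SECRTT statement."""
    entries = []
    for line in source.splitlines():
        line = line.strip()
        if not line.startswith("#SECRTT"):
            continue
        params = dict(re.findall(r"(\w+)=('[^']*'|[^,\s]+)", line))
        entries.append({k: v.strip("'") for k, v in params.items()})
    return entries

def effective_secby(entries, restype, name):
    """Occurrence override first, then the type entry, as the page describes."""
    overrides = [e for e in entries
                 if e["TYPE"] == "OCCURRENCE" and e["RESTYPE"] == restype
                 and name.startswith(e["RESNAME"])]
    if overrides:
        # Assumption of this sketch: the longest matching RESNAME wins.
        return max(overrides, key=lambda e: len(e["RESNAME"]))["SECBY"]
    for e in entries:
        if e["TYPE"] == "ENTRY" and e["RESTYPE"] == restype:
            return e["SECBY"]
    return "OFF"  # no SRTT entry: the resource type is not secured

def unsecured_databases(entries, names):
    """Names whose effective option is OFF, i.e. no authorization check applies."""
    return sorted(n for n in names if effective_secby(entries, "DB", n) == "OFF")

if __name__ == "__main__":
    for name in unsecured_databases(parse_srtt(SRTT_SOURCE), DATABASES):
        print(f"{name}: SECBY=OFF")
```

On the constructed inventory the report includes DEMOGRPH and TESTAMNT alongside the intended test databases, which is the kind of name collision to check for before adding an occurrence with SECBY=OFF.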