Privileges and Resources
The following table summarizes the resources and the CA IDMS privileges that apply to those resources in SQL processing if the resources are secured internally:
| Privilege | TABLE | SCHEMA | ACCESS MODULE |
|---|---|---|---|
| SELECT | X | | |
| INSERT | X | | |
| UPDATE | X | | |
| DELETE | X | | |
| EXECUTE | | | X |
| CREATE | X | X | X |
| ALTER | X | X | X |
| DROP | X | X | X |
| DISPLAY | (1) | (1) | (2) |
| REFERENCES | X | | |
(1) Privilege to display the resource and privileges on it.
(2) Privilege to issue the EXPLAIN statement on the module and to display the resource and privileges on it.
All privileges are grantable when a holder of SYSADMIN or DBADMIN privilege grants them using the WITH GRANT OPTION parameter. This allows the recipient of the privilege to grant it to another user.
CA IDMS internal security specifically checks for grantability of privileges when it processes a security check on view and access module resource types.
Note: For more information about runtime security checks on views and access modules, see the following sections:
Access Privileges
SELECT, INSERT, UPDATE, and DELETE privileges control a user's ability to access data. These privileges are defined according to the ANSI SQL standard.
Definition Privileges
CREATE, ALTER, DROP, DISPLAY, and REFERENCES control the user's ability to manipulate the definition of an object or, in the case of REFERENCES, control a user's ability to reference a table in a referential constraint definition.
Access Module Execution Privilege
The EXECUTE privilege allows the user to execute an access module. The privilege to execute an access module can also be held through the Category mechanism.
Note: For more information, see Securing Resources That can Be categorized.
If an access module has been assigned to a Category, a user must hold privilege on the Category to execute the access module. In this situation, an individual grant of execution privilege on the access module is ignored by the security system as long as the Category exists and the access module remains in it.
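The following is an added example, not CA IDMS code or output: a small audit that applies the privilege table and the Category rule above to a list of grants, flagging grants that do not apply to their resource type and EXECUTE grants that are ignored because the access module is in a Category. The record layout, the function names, and all sample users, resources, and Category names are constructed for illustration.

```python
from collections import namedtuple

# Assumed record layout for one grant; not an IDMS dictionary format.
Grant = namedtuple("Grant", "user privilege rtype resource")

# Privileges that apply to each resource type, taken from the table on this page.
APPLICABLE = {
    "TABLE": {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "ALTER",
              "DROP", "DISPLAY", "REFERENCES"},
    "SCHEMA": {"CREATE", "ALTER", "DROP", "DISPLAY"},
    "ACCESS MODULE": {"EXECUTE", "CREATE", "ALTER", "DROP", "DISPLAY"},
}

def audit_grants(grants, module_category):
    """Return (grant, finding) pairs for grants that are invalid or have no effect."""
    findings = []
    for g in grants:
        if g.privilege not in APPLICABLE.get(g.rtype, set()):
            findings.append((g, "privilege does not apply to resource type"))
        elif (g.rtype == "ACCESS MODULE" and g.privilege == "EXECUTE"
              and g.resource in module_category):
            findings.append(
                (g, "ignored: module is in category " + module_category[g.resource]))
    return findings

def can_execute(user, module, grants, module_category, category_holders):
    """Effective EXECUTE decision: a Category, when present, replaces individual grants."""
    category = module_category.get(module)
    if category is not None:
        return user in category_holders.get(category, set())
    return any(g.user == user and g.privilege == "EXECUTE"
               and g.rtype == "ACCESS MODULE" and g.resource == module
               for g in grants)

# Constructed sample data.
SAMPLE_GRANTS = [
    Grant("ALICE", "SELECT", "TABLE", "HR.EMP"),
    Grant("BOB", "EXECUTE", "ACCESS MODULE", "PAYMOD"),
    Grant("BOB", "EXECUTE", "ACCESS MODULE", "RPTMOD"),
    Grant("CAROL", "SELECT", "SCHEMA", "HR"),
]
SAMPLE_MODULE_CATEGORY = {"PAYMOD": "PAYROLL"}    # access module -> Category
SAMPLE_CATEGORY_HOLDERS = {"PAYROLL": {"DAVE"}}   # Category -> users holding privilege

if __name__ == "__main__":
    for grant, finding in audit_grants(SAMPLE_GRANTS, SAMPLE_MODULE_CATEGORY):
        print(grant.user, grant.privilege, grant.rtype, grant.resource, "->", finding)
```

In the sample, BOB's individual EXECUTE grant on PAYMOD is reported as ignored, which is the kind of stale entry a periodic review of access module grants should surface after a module is moved into a Category.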
Copyright © 2014 CA. All rights reserved.