

Internal Security for Database Resources

Privileges on Common Database Resources

The following table presents the privileges in CA IDMS internal security that apply to use of database resources common to both SQL-defined and non-SQL-defined databases:

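| Privilege | DB  | AREA | DMCL | DBTABLE |
|-----------|-----|------|------|---------|
| CREATE    | X   |      | X    | X       |
| ALTER     | X   |      | X    | X       |
| DROP      | X   |      | X    | X       |
| DISPLAY   | X   |      | X    | X       |
| USE       | (1) | (1)  | X    | X       |
| DBAREAD   |     | X    |      |         |
| DBAWRITE  |     | X    |      |         |
| DBADMIN   | X   |      |      |         |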

(1) Privilege applicable only to non-SQL-defined databases.

DBADMIN can be granted to any other user by a holder of SYSADMIN or DBADMIN. All other privileges are grantable if a holder of SYSADMIN or DBADMIN grants them using the WITH GRANT OPTION parameter. A grantable privilege means that the recipient of the privilege can grant it to another user.
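An added example, not CA IDMS code: a simplified Python model that replays a grant history against the privilege table and the grantability rules above and reports the grants those rules do not allow. The record layout and all user and resource names are constructed; the model treats DBADMIN as unscoped and does not honor a grant option passed on by a non-administrator, both of which are assumptions.

```python
from collections import namedtuple

# Constructed record layout; the fields are assumptions, not an IDMS catalog format.
Grant = namedtuple("Grant", "grantor grantee privilege rtype rname grant_option",
                   defaults=[False])

# Privilege -> resource types it applies to, transcribed from the table above.
MATRIX = {p: {"DB", "DMCL", "DBTABLE"} for p in ("CREATE", "ALTER", "DROP", "DISPLAY")}
MATRIX.update({"USE": {"DB", "AREA", "DMCL", "DBTABLE"},
               "DBAREAD": {"AREA"}, "DBAWRITE": {"AREA"}, "DBADMIN": {"DB"}})

def audit(grants, sysadmins):
    """Replay grants in order; return (grant, reason) for each one the rules reject."""
    admins = set(sysadmins)  # SYSADMIN holders plus DBADMIN holders (scope ignored: assumption)
    grantable = set()        # (user, privilege, rtype, rname) received WITH GRANT OPTION
    findings = []
    for g in grants:
        target = (g.privilege, g.rtype, g.rname)
        if g.rtype not in MATRIX.get(g.privilege, ()):
            reason = "privilege does not apply to this resource type"
        elif g.grantor in admins or (g.grantor, *target) in grantable:
            reason = None
        elif g.privilege == "DBADMIN":
            reason = "DBADMIN granted by a user holding neither SYSADMIN nor DBADMIN"
        else:
            reason = "grantor does not hold this privilege WITH GRANT OPTION"
        if reason:
            findings.append((g, reason))
        elif g.privilege == "DBADMIN":
            admins.add(g.grantee)
        elif g.grant_option and g.grantor in admins:
            # Conservative reading: only an admin's WITH GRANT OPTION makes it grantable.
            grantable.add((g.grantee, *target))
    return findings

# Constructed sample grant history (all user and resource names are made up).
SAMPLE = [
    Grant("SYSADM1", "DBA1", "DBADMIN", "DB", "EMPDB"),
    Grant("DBA1", "OPS1", "DBAREAD", "AREA", "EMPSEG.EMPAREA", True),
    Grant("OPS1", "OPS2", "DBAREAD", "AREA", "EMPSEG.EMPAREA"),
    Grant("OPS2", "OPS3", "DBAREAD", "AREA", "EMPSEG.EMPAREA"),
    Grant("DBA1", "OPS1", "DBAWRITE", "DMCL", "PRODDMCL"),
    Grant("OPS1", "OPS2", "DBADMIN", "DB", "EMPDB"),
]

if __name__ == "__main__":
    for g, reason in audit(SAMPLE, {"SYSADM1"}):
        print(f"{g.grantor} -> {g.grantee} {g.privilege} ON {g.rtype} {g.rname}: {reason}")
```

Rejected grants are not applied to the model's state, so a later grant that depends on a rejected one is reported as well.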

Definition Privileges

CREATE, ALTER, DROP, and DISPLAY control the user's ability to manipulate the definition of an object. To issue any definition statement other than DISPLAY on the common database resources, the user must also hold DBADMIN authority on the dictionary to which the session is connected when the statement is issued, if DB security is enabled for the dictionary.

USE Privilege

The following table explains the type of access that the USE privilege authorizes:

| Resource | What USE privilege permits the user to do |
|----------|-------------------------------------------|
| DB       | Associate a secured segment with an SQL schema |
| NSCH (1) | Associate a secured non-SQL-defined schema with an SQL schema |
| AREA     | Create an SQL table or index in a secured area |
| DMCL     | Punch the load module of a secured DMCL and execute utilities on the journal files defined by that DMCL |
| DBTABLE  | Punch the load module of a secured database name table and associate a database name table with a DMCL. |

(1) NSCH is a common database resource in the sense that it represents a non-SQL-defined entity and is meaningful in SQL processing.

DBAREAD and DBAWRITE Privileges

The DBAREAD and DBAWRITE privileges are granted to permit users to execute utility functions on areas of the database. DBAREAD privilege allows the user to execute utilities that require read-only access to an area. DBAWRITE privilege allows the user to execute utilities that require read-write access to an area.