Absolute Authority of SYSADMIN
Once you have defined the authorization ID of the security administrator with SYSADMIN privilege and secured the administration privileges, both the privilege to create additional users in the CA IDMS security domain and the privilege to grant privileges to those users must derive from the security administrator.
Applicability of Privileges
CA IDMS privileges are applicable to resources for which the security option is 'INTERNAL'. If the security option for a resource is 'OFF', a user can access the resource without holding a privilege. If the security option for a resource is 'EXTERNAL', the user's authority to access the resource is determined by the external security system.
Therefore, to use the system of CA IDMS privileges, you must ensure that the runtime security option for the resources to which privileges apply is 'INTERNAL'.
Granting Privileges
You grant privileges with a GRANT statement. Implicit in each administration privilege is the authority to grant certain privileges:
A GRANT statement includes an ON parameter which specifies the resource to which the privileges apply and a TO parameter which specifies the users or groups to whom you are giving the privileges.
Note: For more information about GRANT statement syntax, see the following sections:
Duration of Privileges
A user holds privileges explicitly granted to the user until one of these actions occurs:
A user implicitly holds privileges granted to a group to which the user belongs until one of these actions occurs:
Revoking Privileges
Privileges are taken away with the REVOKE statement. A user who has the authority to grant a privilege also has the authority to revoke it.
A REVOKE statement includes an ON parameter which specifies the resource to which the privileges apply and a FROM parameter which specifies the users or groups from whom you are revoking the privileges.
Note: For more information about REVOKE statement syntax, see the following sections:
GRANT and REVOKE Example
The first statement gives a table access privilege to user PSD, and the second statement revokes the privilege:
grant select on table demoempl.employee to psd;
revoke select on table demoempl.employee from psd;
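The rules from Applicability of Privileges and Duration of Privileges, combined in an added example: a simplified Python model of the access decision, not CA IDMS code or syntax. The class, its methods, the group hr_group and the resource demoempl.dept are illustrative assumptions; it shows that revoking a user's explicit privilege leaves a group-held privilege in force, and that grants and revokes have no effect on a resource whose security option is 'OFF'.

```python
# Simplified model of the access decision described on this page.
# All class, method, group and extra resource names are illustrative,
# not CA IDMS identifiers or APIs.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class SecurityDomain:
    options: dict = field(default_factory=dict)  # resource -> 'INTERNAL' | 'OFF' | 'EXTERNAL'
    grants: set = field(default_factory=set)     # (holder, privilege, resource)
    groups: dict = field(default_factory=dict)   # group -> set of member user IDs
    external_check: Optional[Callable] = None    # stand-in for the external security system

    def grant(self, privilege, resource, to):
        self.grants.add((to, privilege, resource))

    def revoke(self, privilege, resource, frm):
        self.grants.discard((frm, privilege, resource))

    def is_allowed(self, user, privilege, resource):
        option = self.options[resource]
        if option == "OFF":
            return True  # no privilege is needed, so grants and revokes are irrelevant
        if option == "EXTERNAL":
            return self.external_check(user, privilege, resource)
        # INTERNAL: an explicit grant, or one held implicitly through a group
        holders = {user} | {g for g, members in self.groups.items() if user in members}
        return any((h, privilege, resource) in self.grants for h in holders)

def demo():
    # Constructed sample data: one INTERNAL table, one OFF table, one group.
    d = SecurityDomain(
        options={"demoempl.employee": "INTERNAL", "demoempl.dept": "OFF"},
        groups={"hr_group": {"psd"}},
    )
    results = []
    d.grant("select", "demoempl.employee", to="psd")
    d.grant("select", "demoempl.employee", to="hr_group")
    results.append(d.is_allowed("psd", "select", "demoempl.employee"))  # explicit and group
    d.revoke("select", "demoempl.employee", frm="psd")
    results.append(d.is_allowed("psd", "select", "demoempl.employee"))  # still held via group
    d.revoke("select", "demoempl.employee", frm="hr_group")
    results.append(d.is_allowed("psd", "select", "demoempl.employee"))  # nothing left
    results.append(d.is_allowed("psd", "select", "demoempl.dept"))      # OFF: never granted
    return results

if __name__ == "__main__":
    print(demo())
```

When auditing effective access, check the security option of each resource and the user's group memberships before relying on the list of explicit grants.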
Copyright © 2014 CA.
All rights reserved.