

Securing Groups

About Groups

You define groups for administrative efficiency. You group users according to the privileges that they require. Then you grant the privileges to the group rather than to individual users.

If you create a group of 10 users, you can grant each user the same five privileges by issuing five GRANT statements to the group. You would issue 50 statements to accomplish the same task if you did not first create the group.

Until you secure the group resource, any user can maintain definitions of groups in the user catalog.

How to Secure Groups

To secure the groups internally, include an entry in the SRTT:

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=GROU,                                           X
      SECBY=INTERNAL

To secure the groups externally, include an entry in the SRTT:

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=GROU,                                           X
      SECBY=EXTERNAL,                                         X
      Additional parameters required

Note: For more information, see #SECRTT.

How to Define Groups

You define a group with the CREATE GROUP statement, specifying the users that make up the group.

Note: A group cannot be a member of another group.

For example, this statement creates mis_group:

create group mis_group
  description 'Management Information Services'
  add user mis1, mis2, mis3, mis4, mis5;

Note: For more information about defining and maintaining group definitions, see the following sections:

Granting Privileges to a Group

When you grant privileges to a group, each member of the group is implicitly granted the specified privileges.

For example, this statement grants mis_group the privilege of retrieving data from SYSTEM tables:

grant select
  on table system.*
  to mis_group;

A member of a group can hold additional privileges as an individual user or as a member of a different group. For example, mis1 might hold an administrative privilege that other members of mis_group do not hold.

Dropping Users and Groups

When a user is dropped from a group, all privileges inherited from the group are implicitly revoked from the user.

When a group is dropped, all privileges granted to that group are automatically revoked.
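
The following Python model is an added example for access reviews, not CA IDMS code or part of the original documentation. It computes a user's effective privileges from individual and group grants and shows what remains after the user is dropped from a group. The Catalog class, audit_group, and ADMIN_PRIV are constructed for illustration, and the model assumes that a privilege still supplied by another grant stays in effect.

```python
# Added model of the group rules described above; not CA IDMS code.
class Catalog:
    def __init__(self):
        self.members = {}   # group name -> set of member user ids
        self.grants = {}    # grantee (user or group) -> set of privileges

    def create_group(self, group, users):
        # A group cannot be a member of another group.
        nested = set(users) & set(self.members)
        if nested:
            raise ValueError(f"groups cannot be nested: {sorted(nested)}")
        self.members[group] = set(users)

    def grant(self, grantee, privilege):
        self.grants.setdefault(grantee, set()).add(privilege)

    def drop_user_from_group(self, group, user):
        # Only the privileges inherited from this group go away.
        self.members.get(group, set()).discard(user)

    def drop_group(self, group):
        # Everything granted to the group is revoked with it.
        self.members.pop(group, None)
        self.grants.pop(group, None)

    def effective(self, user):
        """Return {privilege: sorted list of grantees that supply it}."""
        sources = {}
        for priv in self.grants.get(user, ()):
            sources.setdefault(priv, set()).add(user)
        for group, users in self.members.items():
            if user in users:
                for priv in self.grants.get(group, ()):
                    sources.setdefault(priv, set()).add(group)
        return {p: sorted(s) for p, s in sources.items()}


def demo():
    cat = Catalog()
    cat.create_group("mis_group", ["mis1", "mis2", "mis3", "mis4", "mis5"])
    cat.create_group("audit_group", ["mis1"])    # constructed second group
    cat.grant("mis_group", "SELECT ON system.*")
    cat.grant("audit_group", "SELECT ON system.*")
    cat.grant("mis1", "ADMIN_PRIV")              # constructed individual grant
    before = cat.effective("mis1")
    cat.drop_user_from_group("mis_group", "mis1")
    return before, cat.effective("mis1"), cat.effective("mis2")
```

In the demo, mis1 keeps SELECT on system.* after leaving mis_group because audit_group still supplies it, so a review of a removal should list every remaining source of each privilege.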

Granting Definition Privileges on Groups

You can delegate the authority to define and maintain groups by granting definition privileges on groups. You can specify any combination of CREATE, ALTER, DROP, and DISPLAY privileges, or you can specify all definition privileges (DEFINE). You can specify WITH GRANT OPTION when you grant these privileges to allow the user to grant the same privileges to another user.

Note: For more information, see GRANT Definition Privileges.