

Creating Views

The following table compares creating views in native DB2 to creating views in CA Top Secret Option for DB2.

Native DB2: Creating Views

Views are unique entities in DB2 because they are created from other tables or views. Thus, they have unique requirements. To create a view, a DB2 user needs the SELECT authority on the base table or view. When the view is created, DB2 automatically grants the creator of the view only the privileges that he holds on the base tables or views. Additional privileges on the view must be granted later by an authorized user.

DB2 allows users to create views only if the qualifier of the new view is one of their process IDs. These process IDs can differ depending on whether the view is created through static or dynamic SQL.

DB2 allows users who are owners of a view to drop it.

CA Top Secret Option for DB2: Creating Views

Authorizing the creation of a view in CA Top Secret Option for DB2 is a special process. Like DB2, CA Top Secret Option for DB2 requires that the creator of the view have SELECT authority on the base tables or views. Unlike DB2, CA Top Secret Option for DB2 does not ensure that the qualifier of the view is one of the creator's process IDs. Instead, CA Top Secret Option for DB2 checks a CA Top Secret Option for DB2 special privilege called CREATE. CREATE is a DB2TABLE access control for the view and is checked when a user creates or drops a view. If the CREATE access control for the view was not permitted to the user or any of his profiles, CA Top Secret Option for DB2 denies the request.

If the CREATE access control for the view was permitted, CA Top Secret Option for DB2 performs additional security checks. These security checks prevent a user from creating a view that exceeds his authority on the base tables or views.

In the first check, CA Top Secret Option for DB2 determines whether the user’s primary ID can administer the INSERT, UPDATE, or DELETE access controls for the view. If the user can change any of these access controls for the view, CA Top Secret Option for DB2 then checks whether the user can administer the same access control associated with the base tables and views.

If the user can administer the view access control but not the base table or view, CA Top Secret Option for DB2 reports an administration violation (DRC 124) against the base table or view and prevents the creation of the new view.

CA Top Secret Option for DB2 performs additional security checks for each of the privileges that a user can hold on the view being created. If, for any reason, one of the user's primary or secondary IDs has an access privilege on the view being created that he does not have on the base tables or views, CA Top Secret Option for DB2 fails the request to create the view and reports the violation. The SQL violation returned to the user states that the user has no authority to create the view.

The CA Top Secret Audit/Tracking File, however, shows the violation against the base table or view for the exact privilege that failed.
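
The order of checks described above can be modelled as follows. This is an added example, not CA Top Secret Option for DB2 code: the data model, the function name, and the sample IDs and object names are assumptions made for illustration, and profiles are folded into the list of IDs.

```python
from typing import NamedTuple, Optional

ADMIN_CHECKED = ("INSERT", "UPDATE", "DELETE")  # controls named in the first check

class Decision(NamedTuple):
    allowed: bool
    audit_object: Optional[str]   # object the violation is logged against
    audit_detail: Optional[str]   # exact access control or privilege that failed

def check_create_view(primary, secondary, view, bases, permits, admin):
    """Model the order of checks for CREATE VIEW (simplified, assumed data model).

    permits: {(auth_id, object): set of access privileges}
    admin:   {(auth_id, object): set of access controls the ID can administer}
    Assumptions: profiles are folded into the ID list, and the user's authority
    on a base object is the union over his primary and secondary IDs.
    """
    ids = [primary, *secondary]

    def held(obj):
        return set().union(*(permits.get((i, obj), set()) for i in ids))

    # CREATE is a DB2TABLE access control on the view itself.
    if "CREATE" not in held(view):
        return Decision(False, view, "CREATE")
    # SELECT authority is required on every base table or view.
    for base in bases:
        if "SELECT" not in held(base):
            return Decision(False, base, "SELECT")
    # First check: what the primary ID can administer on the view, it must
    # also be able to administer on each base; otherwise DRC 124 on the base.
    for ac in ADMIN_CHECKED:
        if ac in admin.get((primary, view), set()):
            for base in bases:
                if ac not in admin.get((primary, base), set()):
                    return Decision(False, base, "DRC 124 (" + ac + ")")
    # Per-privilege checks: no ID may hold on the view what the user lacks on
    # a base. The SQL error is generic; the audit record names the privilege.
    for auth_id in ids:
        for priv in sorted(permits.get((auth_id, view), set()) - {"CREATE"}):
            for base in bases:
                if priv not in held(base):
                    return Decision(False, base, priv)
    return Decision(True, None, None)

# Constructed sample: hypothetical IDs and object names.
PERMITS = {
    ("USER01", "PAY.V_SAL"): {"CREATE", "SELECT"},
    ("USER01", "PAY.SALARY"): {"SELECT"},
    ("GRP1", "PAY.V_SAL"): {"UPDATE"},   # secondary ID exceeds base authority
}
```

With the sample permits, a request from USER01 with secondary ID GRP1 is denied and the audit detail names UPDATE on PAY.SALARY, while the same request without GRP1 is allowed.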

The following is an illustration of the CREATE View process.