<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-19" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="keywords" content="description, authorization ID, run-time authorization ID, authorization-name" />
<title>Authorization IDs and authorization names</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>

<a name="ch2auth"></a>
<h2 id="ch2auth"><a href="rbafzmst02.htm#ToC_95">Authorization IDs and authorization names</a></h2><a id="idx301" name="idx301"></a>
<p>An <span class="italic">authorization ID</span> is a character string that
is obtained by the database manager when a connection is established between
the database manager and either an application process or a program preparation
process. It designates a set of privileges. It may also designate a user or
a group of users, but this property is not controlled by the database manager.</p>
<p>After a connection has been established, the authorization ID
may be changed using the SET SESSION AUTHORIZATION statement.</p>
<p>Authorization IDs are used by the database manager to provide authorization
checking of SQL statements.</p>
<p>An authorization ID applies to every SQL statement. The authorization ID
that is used for authorization checking for a static SQL statement depends
on the USRPRF value specified on the precompiler command:</p>
<ul>
<li>If USRPRF(*OWNER) is specified, or if USRPRF(*NAMING) is specified and
SQL naming mode is used, the authorization ID of the statement is the owner
of the non-distributed SQL program. For distributed SQL programs, it is the
owner of the SQL package.</li>
<li>If USRPRF(*USER) is specified, or if USRPRF(*NAMING) is specified and
system naming mode is used, the authorization ID of the statement is the authorization
ID of the user running the non-distributed SQL program. For distributed SQL
programs, it is the authorization ID of the user at the current server.</li></ul>
<p>The authorization ID that is used for authorization checking for a dynamic
SQL statement also depends on where and how the statement is executed: </p>
<ul>
<li>If the statement is prepared and executed from a non-distributed program:
<ul>
<li>If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program. This is called the <span class="italic">run-time authorization
ID</span>.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
program, the authorization ID that applies is the ID of the owner of the non-distributed
program.</li></ul></li>
<li>If the statement is prepared and executed from a distributed program:
<ul>
<li>If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
SQL package, the authorization ID that applies is the ID of the user running
the SQL package at the current server. This is also called the run-time authorization
ID.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
SQL package, the authorization ID that applies is the ID of the user running
the SQL package at the current server.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
SQL package, the authorization ID that applies is the ID of the owner of the
SQL package at the current server.</li></ul></li>
<li>If the statement is issued interactively, the authorization ID that applies
is the ID of the user that issued the Start SQL (STRSQL) command.</li>
<li>If the statement is executed from the RUNSQLSTM command, the authorization
ID that applies is the ID of the user that issued the RUNSQLSTM command.</li>
<li>If the statement is executed from REXX, the authorization ID that applies
is the ID of the user that issued the STRREXPRC command.</li></ul><a id="idx302" name="idx302"></a><a id="idx303" name="idx303"></a>
<p>On i5/OS, the run-time authorization ID is the user profile of the job.</p>
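<p>The rules above, written as a small Python function so a reviewer can check which identity a program's SQL statements are authorization-checked against, and flag programs whose statements run with the owner's privileges rather than the caller's. This is an added example, not IBM's code: the function and parameter names and the sample profiles SMITH and PAYOWNER are assumptions, and resolving USRPRF(*NAMING) for dynamic statements the same way as for static ones is an assumption the page does not state.</p>

```python
# Added example, not IBM's code: the authorization-ID rules from this page as a
# function, so an auditor can check which identity a program's SQL statements
# are checked against. Names (Context, authorization_id, SMITH, PAYOWNER) are
# assumptions made here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    origin: str                # "static", "dynamic", "interactive", "runsqlstm", "rexx"
    usrprf: str = "*USER"      # USRPRF on the precompiler command: *USER, *OWNER, *NAMING
    dynusrprf: str = "*USER"   # DYNUSRPRF: *USER or *OWNER (dynamic statements only)
    naming: str = "*SQL"       # naming mode that resolves USRPRF(*NAMING): *SQL or *SYS
    distributed: bool = False  # True when the statement comes from an SQL package


def authorization_id(ctx: Context, runtime_user: str, owner: str) -> str:
    """Authorization ID the statement is checked against.

    runtime_user: the run-time authorization ID (the job's user profile, or for
    a distributed program the user running the package at the current server).
    owner: owner of the non-distributed program, or of the SQL package when
    ctx.distributed is True. The rules are the same in both cases.
    """
    if ctx.origin in ("interactive", "runsqlstm", "rexx"):
        # STRSQL, RUNSQLSTM and STRREXPRC: the user who issued the command.
        return runtime_user
    usrprf = ctx.usrprf
    if usrprf == "*NAMING":
        # SQL naming makes *NAMING behave as *OWNER, system naming as *USER.
        # Assumption: the same resolution applies to dynamic statements.
        usrprf = "*OWNER" if ctx.naming == "*SQL" else "*USER"
    if ctx.origin == "static":
        return owner if usrprf == "*OWNER" else runtime_user
    if ctx.origin == "dynamic":
        if usrprf == "*USER" and ctx.dynusrprf == "*OWNER":
            raise ValueError("USRPRF(*USER) with DYNUSRPRF(*OWNER) is not covered")
        # Only USRPRF(*OWNER) together with DYNUSRPRF(*OWNER) uses the owner.
        return owner if ctx.dynusrprf == "*OWNER" else runtime_user
    raise ValueError(f"unknown origin {ctx.origin!r}")


def runs_with_owner_privileges(ctx: Context) -> bool:
    """True when the statement is checked against the owner, not the caller:
    every user of such a program exercises the owner's privileges for it."""
    return authorization_id(ctx, "CALLER", "OWNER") == "OWNER"
```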
<p>An <span class="italic">authorization-name</span> specified in an SQL statement
should not be confused with the authorization ID of the statement. An authorization-name
is an identifier that is used in GRANT and REVOKE statements to designate
a target of the grant or revoke. The premise of a grant of privileges to <span class="italic">X</span> is that <span class="italic">X</span> will subsequently
be the authorization ID of statements that require those privileges. A group
user profile can also be used when checking authority for an SQL statement.
For information on group user profiles, see the book <a href="../books/sc415302.pdf" target="_blank">iSeries Security Reference</a>
<img src="wbpdf.gif" alt="Link to PDF" />.</p>
<a name="wq74"></a>
<h3 id="wq74"><a href="rbafzmst02.htm#ToC_96">Example</a></h3>
<p>Assume SMITH is your user ID; then SMITH is the authorization ID when you
execute the following statement interactively: </p>
<pre class="xmp"> <span class="bold">GRANT SELECT ON</span> TDEPT <span class="bold">TO</span> KEENE</pre>
<p class="indatacontent">SMITH is the authorization
ID of the statement. Thus, the authority to execute the statement is checked
against SMITH.</p>
<p>KEENE is an authorization-name specified in the statement. KEENE is given
the SELECT privilege on SMITH.TDEPT.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>