ibm-information-center/dist/eclipse/plugins/i5OS.ic.sqlp_5.4.0.1/rbafysecurity.htm

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Security for SQL objects" />
<meta name="abstract" content="All objects on the server, including SQL objects, are managed by the system security function." />
<meta name="description" content="All objects on the server, including SQL objects, are managed by the system security function." />
<meta name="DC.subject" content="security, public authority, Revoke Object Authority (RVKOBJAUT) command, Grant Object Authority (GRTOBJAUT) command, command (CL), Revoke Object Authority (RVKOBJAUT), Grant Object Authority (GRTOBJAUT), RVKOBJAUT (Revoke Object Authority), GRTOBJAUT (Grant Object Authority)" />
<meta name="keywords" content="security, public authority, Revoke Object Authority (RVKOBJAUT) command, Grant Object Authority (GRTOBJAUT) command, command (CL), Revoke Object Authority (RVKOBJAUT), Grant Object Authority (GRTOBJAUT), RVKOBJAUT (Revoke Object Authority), GRTOBJAUT (Grant Object Authority)" />
<meta name="DC.Relation" scheme="URI" content="rbafyprotect.htm" />
<meta name="DC.Relation" scheme="URI" content="rbafyauthid.htm" />
<meta name="DC.Relation" scheme="URI" content="rbafyviewex2.htm" />
<meta name="DC.Relation" scheme="URI" content="rbafyaudit.htm" />
<meta name="DC.Relation" scheme="URI" content="../books/sc415302.pdf" />
<meta name="DC.Relation" scheme="URI" content="../db2/rbafzmstgnt.htm" />
<meta name="DC.Relation" scheme="URI" content="../db2/rbafzmstrevoket.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbafysecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security for SQL objects</title>
</head>
<body id="rbafysecurity"><a name="rbafysecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security for SQL objects</h1>
<div><p>All objects on the server, including SQL objects, are managed by
the system security function.</p>
<div class="section"><p>Users may authorize SQL objects through either the SQL GRANT and
REVOKE statements or the CL commands Edit Object Authority (EDTOBJAUT), Grant
Object Authority (GRTOBJAUT), and Revoke Object Authority (RVKOBJAUT). </p>
</div>
<div class="section"><p>The SQL GRANT and REVOKE statements operate on SQL functions,
SQL packages, SQL procedures, distinct types, sequences, tables,
views, and the individual columns of tables and views. Furthermore, SQL GRANT
and REVOKE statements only grant private and public authorities. In some cases,
it is necessary to use EDTOBJAUT, GRTOBJAUT, and RVKOBJAUT to authorize users
to other objects, such as commands and programs.</p>
</div>
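<div class="section"><p>As an added illustration (constructed here, not part of the IBM topic), the following statements apply the GRANT and REVOKE rules above to a single table on DB2 UDB for iSeries: public authority is withdrawn, the application profile receives a column-restricted UPDATE, and sensitive columns are reached only through a view and a procedure. The schema, table, column, view, procedure and profile names (PAYROLL, EMPLOYEE, EMP_DIRECTORY, ADJUST_SALARY, APPUSR, HRCLERK) are assumptions, as are the catalog column names used in the verification queries.</p>

```sql
-- Constructed example, not taken from the IBM page. All object and
-- profile names are assumptions.

-- 1. Withdraw whatever public authority the table carries. SQL GRANT and
--    REVOKE manage exactly these private and public authorities; anything
--    else (commands, programs) needs GRTOBJAUT/RVKOBJAUT/EDTOBJAUT.
REVOKE ALL ON TABLE PAYROLL.EMPLOYEE FROM PUBLIC;

-- 2. The application profile may read every row but update only the two
--    columns it maintains. Column lists are accepted for UPDATE and
--    REFERENCES; SELECT is always granted on the whole table.
GRANT SELECT, UPDATE (PHONE, DEPTNO)
    ON TABLE PAYROLL.EMPLOYEE TO APPUSR;

-- 3. Everyone else sees the table only through a view that omits the
--    salary columns, so SELECT on the view exposes nothing beyond it.
CREATE VIEW PAYROLL.EMP_DIRECTORY AS
    SELECT EMPNO, LASTNAME, DEPTNO, PHONE
        FROM PAYROLL.EMPLOYEE;
GRANT SELECT ON TABLE PAYROLL.EMP_DIRECTORY TO PUBLIC;

-- 4. Salary changes go through a stored procedure; the clerk profile gets
--    EXECUTE on the procedure rather than UPDATE on the base table.
GRANT EXECUTE ON PROCEDURE PAYROLL.ADJUST_SALARY TO HRCLERK;

-- 5. Verify the result from the catalog. The QSYS2.SYSTABAUTH and
--    QSYS2.SYSCOLAUTH views and the column names below are assumed to be
--    available on the release in use; check the catalog description if a
--    column is not found.
SELECT GRANTEE, SELECT_PRIVILEGE, UPDATE_PRIVILEGE
    FROM QSYS2.SYSTABAUTH
    WHERE TABLE_SCHEMA = 'PAYROLL' AND TABLE_NAME = 'EMPLOYEE';

SELECT GRANTEE, COLUMN_NAME, PRIVILEGE_TYPE
    FROM QSYS2.SYSCOLAUTH
    WHERE TABLE_SCHEMA = 'PAYROLL' AND TABLE_NAME = 'EMPLOYEE';
```

<p>After step 1 the catalog should list no PUBLIC row for the table; if one still appears, the authority was granted through the CL commands rather than SQL and must be removed with RVKOBJAUT or EDTOBJAUT.</p>
</div>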
<div class="section"><p>The authority checked for SQL statements depends on whether the
statement is static, dynamic, or being run interactively.</p>
</div>
<div class="section"><p>For static SQL statements:</p>
<ul><li>If the USRPRF value is *USER, the authority to run the SQL statement locally
is checked using the user profile of the user running the program. The authority
to run the SQL statement remotely is checked using the user profile at the
application server. *USER is the default for system (*SYS) naming.</li>
<li>If the USRPRF value is *OWNER, the authority to run the SQL statement
locally is checked using the user profiles of the user running the program
and of the owner of the program. The authority to run the SQL statement remotely
is checked using the user profiles of the application server job and the owner
of the SQL package. The higher authority is the authority that is used. *OWNER
is the default for SQL (*SQL) naming.</li>
</ul>
</div>
<div class="section"><p>For dynamic SQL statements:</p>
<ul><li>If the USRPRF value is *USER, the authority to run the SQL statement locally
is checked using the user profile of the person running the program. The authority
to run the SQL statement remotely is checked using the user profile of the
application server job.</li>
<li>If the USRPRF value is *OWNER and DYNUSRPRF is *USER, the authority to
run the SQL statement locally is checked using the user profile of the person
running the program. The authority to run the SQL statement remotely is checked
using the user profile of the application server job.</li>
<li>If the USRPRF value is *OWNER and DYNUSRPRF is *OWNER, the authority to
run the SQL statement locally is checked using the user profiles of the user
running the program and the owner of the program. The authority to run the
SQL statement remotely is checked using the user profiles of the application
server job and the owner of the SQL package. The highest authority is the
authority that is used. Because of security concerns, use the *OWNER value for
DYNUSRPRF carefully: it gives everyone who runs the program the access authority
of the program or package owner for the dynamic SQL statements the program runs.</li>
</ul>
</div>
<div class="section"><p>For interactive SQL statements, authority is checked against the
authority of the person processing the statement. Adopted authority is not
used for interactive SQL statements.</p>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rbafyauthid.htm">Authorization ID</a></strong><br />
The authorization ID identifies a unique user and is a user profile object on the server. Authorization IDs can be created using the Create User Profile (CRTUSRPRF) command.</li>
<li class="ulchildlink"><strong><a href="rbafyviewex2.htm">Views</a></strong><br />
A view can prevent unauthorized users from having access to sensitive data.</li>
<li class="ulchildlink"><strong><a href="rbafyaudit.htm">Auditing</a></strong><br />
<span class="keyword">DB2<sup>®</sup> UDB for iSeries™</span> is designed
to comply with the U.S. government C2 security level. A key feature of that
level is the ability to audit actions on the system. </li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbafyprotect.htm" title="This topic describes the security plan for protecting SQL data from unauthorized users and the methods for ensuring data integrity.">Data protection</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../books/sc415302.pdf" target="_blank">iSeries Security Reference PDF</a></div>
<div><a href="../db2/rbafzmstgnt.htm">GRANT (Table or View Privileges)</a></div>
<div><a href="../db2/rbafzmstrevoket.htm">REVOKE (Table or View Privileges)</a></div>
</div>
</div>
</body>
</html>