<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-19" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="keywords" content="description, authorization ID,
run-time authorization ID, authorization-name" />
<title>Authorization IDs and authorization names</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="ch2auth"></a>
<h2 id="ch2auth"><a href="rbafzmst02.htm#ToC_95">Authorization IDs and authorization names</a></h2><a id="idx301" name="idx301"></a>
<p>An <span class="italic">authorization ID</span> is a character string that
is obtained by the database manager when a connection is established between
the database manager and either an application process or a program preparation
process. It designates a set of privileges. It may also designate a user or
a group of users, but this property is not controlled by the database manager.</p>
<p>After a connection has been established, the authorization ID
may be changed using the SET SESSION AUTHORIZATION statement.</p>
<p>Authorization IDs are used by the database manager to provide authorization
checking of SQL statements.</p>
<p>An authorization ID applies to every SQL statement. The authorization ID
that is used for authorization checking for a static SQL statement depends
on the USRPRF value specified on the precompiler command:</p>
<ul>
<li>If USRPRF(*OWNER) is specified, or if USRPRF(*NAMING) is specified and
SQL naming mode is used, the authorization ID of the statement is the owner
of the non-distributed SQL program. For distributed SQL programs, it is the
owner of the SQL package.</li>
<li>If USRPRF(*USER) is specified, or if USRPRF(*NAMING) is specified and
system naming mode is used, the authorization ID of the statement is the authorization
ID of the user running the non-distributed SQL program. For distributed SQL
programs, it is the authorization ID of the user at the current server.</li></ul>
<p>The authorization ID that is used for authorization checking for a dynamic
SQL statement also depends on where and how the statement is executed: </p>
<ul>
<li>If the statement is prepared and executed from a non-distributed program:
<ul>
<li>If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program. This is called the <span class="italic">run-time authorization
ID</span>.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
program, the authorization ID that applies is the ID of the owner of the non-distributed
program.</li></ul></li>
<li>If the statement is prepared and executed from a distributed program:
<ul>
<li>If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
SQL package, the authorization ID that applies is the ID of the user running
the SQL package at the current server. This is also called the run-time authorization
ID.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
SQL package, the authorization ID that applies is the ID of the user running
the SQL package at the current server.</li>
<li>If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
SQL package, the authorization ID that applies is the ID of the owner of the
SQL package at the current server.</li></ul></li>
<li>If the statement is issued interactively, the authorization ID that applies
is the ID of the user that issued the Start SQL (STRSQL) command.</li>
<li>If the statement is executed from the RUNSQLSTM command, the authorization
ID that applies is the ID of the user that issued the RUNSQLSTM command.</li>
<li>If the statement is executed from REXX, the authorization ID that applies
is the ID of the user that issued the STRREXPRC command.</li></ul><a id="idx302" name="idx302"></a><a id="idx303" name="idx303"></a>
<p>On i5/OS, the run-time authorization ID is the user profile of the job.</p>
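<p>The rules above, written as a resolver that can be run over a program inventory to list the objects whose dynamic SQL is checked against an ID other than the user running them. This is an added example, not IBM code: the function names, field names and inventory rows are constructed, and it assumes USRPRF(*NAMING) is resolved for dynamic statements the same way as stated for static ones.</p>

```python
# Added example: encodes the rules stated in this topic. Function and field
# names are hypothetical; the inventory rows are constructed sample data.

def effective_usrprf(usrprf, naming):
    """Resolve USRPRF(*NAMING): SQL naming -> *OWNER, system naming -> *USER."""
    if usrprf == "*NAMING":
        return "*OWNER" if naming == "SQL" else "*USER"
    return usrprf

def static_auth_id(obj):
    """Authorization ID checked for a static SQL statement."""
    if effective_usrprf(obj["usrprf"], obj["naming"]) == "*OWNER":
        return obj["owner"]      # owner of the program or of the SQL package
    return obj["job_user"]       # user running it (at the current server)

def dynamic_auth_id(obj):
    """Authorization ID checked for a dynamic SQL statement.

    Assumption: *NAMING is resolved first, as for static statements.
    Combinations this topic does not list raise ValueError.
    """
    pair = (effective_usrprf(obj["usrprf"], obj["naming"]), obj["dynusrprf"])
    if pair in (("*USER", "*USER"), ("*OWNER", "*USER")):
        return obj["job_user"]   # the run-time authorization ID
    if pair == ("*OWNER", "*OWNER"):
        return obj["owner"]
    raise ValueError("combination not covered by this topic: %s/%s" % pair)

def dynamic_not_checked_against_caller(inventory):
    """Names of objects whose dynamic SQL is checked against another ID."""
    return [o["name"] for o in inventory
            if dynamic_auth_id(o) != o["job_user"]]

# Constructed inventory: "owner" is the program or SQL package owner,
# "job_user" is the user profile of the job, "naming" is "SQL" or "SYS".
INVENTORY = [
    {"name": "PAYRPT", "owner": "APPOWN", "job_user": "SMITH",
     "usrprf": "*OWNER", "dynusrprf": "*OWNER", "naming": "SYS"},
    {"name": "ORDENT", "owner": "APPOWN", "job_user": "SMITH",
     "usrprf": "*OWNER", "dynusrprf": "*USER", "naming": "SYS"},
    {"name": "INVQRY", "owner": "APPOWN", "job_user": "SMITH",
     "usrprf": "*NAMING", "dynusrprf": "*USER", "naming": "SYS"},
]

if __name__ == "__main__":
    print(dynamic_not_checked_against_caller(INVENTORY))
```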
<p>An <span class="italic">authorization-name</span> specified in an SQL statement
should not be confused with the authorization ID of the statement. An authorization-name
is an identifier that is used in GRANT and REVOKE statements to designate
a target of the grant or revoke. The premise of a grant of privileges to <span class="italic">X</span> is that <span class="italic">X</span> will subsequently
be the authorization ID of statements which require those privileges. A group
user profile can also be used when checking authority for an SQL statement.
For information on group user profiles, see the book <a href="../books/sc415302.pdf" target="_blank">iSeries Security Reference</a>
<img src="wbpdf.gif" alt="Link to PDF" />.</p>
<a name="wq74"></a>
<h3 id="wq74"><a href="rbafzmst02.htm#ToC_96">Example</a></h3>
<p>Assume SMITH is your user ID; then SMITH is the authorization ID when you
execute the following statement interactively: </p>
<pre class="xmp"> <span class="bold">GRANT SELECT ON</span> TDEPT <span class="bold">TO</span> KEENE</pre><p class="indatacontent">SMITH is the authorization
ID of the statement. Thus, the authority to execute the statement is checked
against SMITH.</p>
<p>KEENE is an authorization-name specified in the statement. KEENE is given
the SELECT privilege on SMITH.TDEPT.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>