ibm-information-center/dist/eclipse/plugins/i5OS.ic.db2_5.4.0.1/rbafzmstauthown.htm

111 lines
6.9 KiB
HTML

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-19" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="keywords" content="description, authorization, privileges,
administrative authority, to create in a schema, ownership" />
<title>Authorization, privileges and object ownership</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="authown"></a>
<h2 id="authown"><a href="rbafzmst02.htm#ToC_43">Authorization, privileges and object ownership</a></h2><a id="idx112" name="idx112"></a><a id="idx113" name="idx113"></a>
<p>Users (identified by an authorization ID) can successfully execute SQL
statements only if they have the authority to perform the specified function.
To create a table, a user must be authorized to create tables; to alter a
table, a user must be authorized to alter the table; and so forth.</p>
<p>There are two forms of authorization:</p>
<dl><a id="idx114" name="idx114"></a>
<dt class="bold">administrative authority</dt>
<dd>The person or persons holding <span class="italic">administrative authority</span> are charged with the task of controlling the database manager and are responsible
for the safety and integrity of the data. Those with <span class="italic">administrative
authority</span> implicitly have all privileges on all objects and control who
will have access to the database manager and the extent of this access.
<p>The security
officer and all users with *ALLOBJ authority have administrative authority.</p>
</dd><a id="idx115" name="idx115"></a>
<dt class="bold">privileges</dt>
<dd><span class="italic">Privileges</span> are those activities that a user
is allowed to perform. Authorized users can create objects, have access to
objects they own, and can pass on <span class="italic">privileges</span> on their
own objects to other users by using the GRANT statement.
<p>Privileges may
be granted to specific users or to PUBLIC. PUBLIC specifies that a privilege
is granted to a set of users (authorization IDs). The set consists of those
users (including future users) that do not have privately granted privileges
on the table or view. This affects private grants. For example, if SELECT
has been granted to PUBLIC, and UPDATE is then granted to HERNANDZ, this private
grant prevents HERNANDZ from having the SELECT privilege.</p>
<p>The REVOKE
statement can be used to REVOKE previously granted <span class="italic">privileges</span>. A revoke of a privilege from an authorization ID revokes the privilege
granted by all authorization IDs. Revoking a privilege from an authorization
ID will not revoke that same privilege from any other authorization IDs that
were granted the privilege by that authorization ID.</p>
</dd>
</dl><a id="idx116" name="idx116"></a>
<a name="createin"></a>
<p id="createin">When
an object is created, the authorization ID of the statement must have the
privilege to create objects in the implicitly or explicitly specified schema.
The authorization ID of a statement has the privilege to create objects in
the schema if:</p>
<ul>
<li>it is the owner of the schema, or</li>
<li>it has *EXECUTE and *ADD to the schema.</li></ul><a id="idx117" name="idx117"></a><a id="idx118" name="idx118"></a>
<p>When an object is created, one authorization ID is assigned <span class="italic">ownership</span> of the object. Ownership gives the user complete control over
the object, including the privilege to drop the object. The privileges on
the object can be granted by the owner, and can be revoked from the owner.
In this case, the owner may temporarily be unable to perform an operation
that requires that privilege. Because he is the owner, however, he is always
allowed to grant the privilege back to himself.</p>
<p>When an object is created:</p>
<ul>
<li>If SQL names were specified, the <span class="italic">owner</span> of
the object is the user profile with the same name as the schema into which
the object is created, if a user profile with that name exists. Otherwise,
the <span class="italic">owner</span> of the object is the user profile or group
user profile of the job executing the statement.</li>
<li>If system names were specified, the <span class="italic">owner</span> of the
object is the user profile or group user profile of the job executing the
statement.</li></ul>
<p>Authority granted to *PUBLIC on SQL objects depends on the naming convention
that is used at the time of object creation. If *SYS naming convention is
used, *PUBLIC acquires the create authority (CRTAUT) of the library into which
the object was created. If *SQL naming convention is used, *PUBLIC acquires
*EXCLUDE authority.</p>
<p>In the Authorization sections of this book, it is assumed that the owner
of an object has not had any privileges revoked from that object since it
was initially created. If the object is a view, it is also assumed that the
owner of the view has not had the system authority *READ revoked from any
of the tables or views that this view is directly or indirectly dependent
on. The owner has system authority *READ for all tables and views referenced
in the view definition, and if a view is referenced, all tables and views
referenced in its definition, and so forth. For more information about authority
and privileges, see the book <a href="../books/sc415302.pdf" target="_blank">iSeries Security
Reference</a>
<img src="wbpdf.gif" alt="Link to PDF" />.</p>
<hr /><br />
[ <a href="#Top_Of_Page">Top of Page</a> | <a href="rbafzmstsequences.htm">Previous Page</a> | <a href="rbafzmstcatalogdef.htm">Next Page</a> | <a href="rbafzmst02.htm#wq1">Contents</a> |
<a href="rbafzmstindex.htm#index">Index</a> ]
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>