- IBM DB2 9.7 Advanced Application Developer Cookbook
- Sanjay Kumar Mohankumar Saraswatipura
- 647字
- 2021-08-20 15:42:21
Granting and revoking object privileges
Privileges are the next level of security mechanism that can be implemented at database object level. A privilege determines the permission of performing a task on an object. A user who creates an object in the database implicitly acquires all the privileges associated with that object. Privileges can be divided into three categories:
- Individual object privileges: Such privileges allow a user to perform different actions on the object. These privileges don't allow a user to grant or revoke similar privileges to or from other users. Example of such privileges can be:
SELECT, EXECUTE, UPDATE, and so on. Only a user withCONTROL, ACCESSCTRL, orSECADMcan grant these privileges to another user. - CONTROL privilege: This privilege allows users to grant and revoke privileges to or from other users. The
CONTROLprivilege is implicitly granted to the creator on the newly-created tables, indexes, and packages. It is implicitly granted on newly-created views if the object owner has theCONTROLprivilege on all the tables, views, and nicknames referenced by the view definition. A user withCONTROLprivilege can extend the ability to grant and revoke privileges to and from other users by usingWITH GRANT OPTIONin theGRANTcommand. - Privileges for objects inside a package or routine: Once a package is created, only the
EXECUTEprivilege on that package is needed for a user to execute this package. Users need not have any other privilege on objects referenced in the package or routine. If the package or routine contains static SQL, then the privileges of the package or routine owner are considered at the time of execution. If it contains dynamic SQL, then it depends on theDYNAMMICRULES BINDoption of the package.
Getting ready
To grant privileges on any object, we need to have SYSADM, DBADM, or CONTROL privilege on that object, or the user must hold that privilege with WITH GRANT OPTION.
Also, to grant CONTROL privilege, we need to have the SYSADM or DBADM privilege.
How to do it...
Let's see how to grant and revoke object privileges to and from users, roles, or groups.
GRANT <privilege> ON <object_type> <object_name> to USER/ROLE/GROUP <name>
GRANT SELECT ON TABLE TEST.EMPLOYEE SAMPLE TO USER USER_DEV
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE TEST.EMPLOYEE TO USER USER_DEV
REVOKE the <privilege> ON <object_type> <object_name> FROM <user/group/role name>
- For example, to revoke
SELECT privilegeon theTEST.EMPLOYEEtable from user user_dev, use the following command:
REVOKE SELECT ON TABLE TEST.EMPLOYEE SAMPLE FROM USER USER_DEV
- Similar to
GRANT, REVOKEcan also include multiple privileges at a time. For example, to revokeSELECT, INSERT, UPDATE, andDELETEprivileges on theTEST.EMPLOYEEtable from the user 'user_dev', use the following command:
REVOKE SELECT, INSERT, UPDATE, DELETE FROM USER USER_DEV
There's more…
We can use the SYSIBMADM.PRIVILEGES administrative view to retrieve the privileges on any database object. For example, to view the privileges on the EMPLOYEE table, we can use the following query:
SELECT CHAR(AUTHID, 10) AUTHID, AUTHIDTYPE, CHAR(PRIVILEGE, 10) PRIVILEGE, CHAR(OBJECTNAME, 10) OBJECTNAME, CHAR(OBJECTSCHEMA, 10) OBJECTSCHEMA, CHAR(OBJECTTYPE, 10) OBJECTTYPE FROM SYSIBMADM.PRIVILEGES WHERE OBJECTNAME='EMPLOYEE';
The following table summarizes all privileges available for different types of database objects:
- Oracle Exadata性能優(yōu)化
- 基于免疫進化的算法及應(yīng)用研究
- INSTANT CakePHP Starter
- Visual C#通用范例開發(fā)金典
- Hands-On Full Stack Development with Go
- Visual Basic程序設(shè)計上機實驗教程
- 一本書講透Java線程:原理與實踐
- Java Web開發(fā)實例大全(基礎(chǔ)卷) (軟件工程師開發(fā)大系)
- 一步一步跟我學(xué)Scratch3.0案例
- QlikView Unlocked
- Learning Bootstrap 4(Second Edition)
- Microsoft HoloLens By Example
- Elasticsearch Blueprints
- VMware vSphere 5.5 Cookbook
- Learning D3.js 5 Mapping(Second Edition)