- IBM DB2 9.7 Advanced Application Developer Cookbook
- Sanjay Kumar Mohankumar Saraswatipura
- 647字
- 2021-08-20 15:42:21
Granting and revoking object privileges
Privileges are the next level of security mechanism that can be implemented at database object level. A privilege determines the permission of performing a task on an object. A user who creates an object in the database implicitly acquires all the privileges associated with that object. Privileges can be divided into three categories:
- Individual object privileges: Such privileges allow a user to perform different actions on the object. These privileges don't allow a user to grant or revoke similar privileges to or from other users. Example of such privileges can be:
SELECT, EXECUTE, UPDATE, and so on. Only a user withCONTROL, ACCESSCTRL, orSECADMcan grant these privileges to another user. - CONTROL privilege: This privilege allows users to grant and revoke privileges to or from other users. The
CONTROLprivilege is implicitly granted to the creator on the newly-created tables, indexes, and packages. It is implicitly granted on newly-created views if the object owner has theCONTROLprivilege on all the tables, views, and nicknames referenced by the view definition. A user withCONTROLprivilege can extend the ability to grant and revoke privileges to and from other users by usingWITH GRANT OPTIONin theGRANTcommand. - Privileges for objects inside a package or routine: Once a package is created, only the
EXECUTEprivilege on that package is needed for a user to execute this package. Users need not have any other privilege on objects referenced in the package or routine. If the package or routine contains static SQL, then the privileges of the package or routine owner are considered at the time of execution. If it contains dynamic SQL, then it depends on theDYNAMMICRULES BINDoption of the package.
Getting ready
To grant privileges on any object, we need to have SYSADM, DBADM, or CONTROL privilege on that object, or the user must hold that privilege with WITH GRANT OPTION.
Also, to grant CONTROL privilege, we need to have the SYSADM or DBADM privilege.
How to do it...
Let's see how to grant and revoke object privileges to and from users, roles, or groups.
GRANT <privilege> ON <object_type> <object_name> to USER/ROLE/GROUP <name>
GRANT SELECT ON TABLE TEST.EMPLOYEE SAMPLE TO USER USER_DEV
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE TEST.EMPLOYEE TO USER USER_DEV
REVOKE the <privilege> ON <object_type> <object_name> FROM <user/group/role name>
- For example, to revoke
SELECT privilegeon theTEST.EMPLOYEEtable from user user_dev, use the following command:
REVOKE SELECT ON TABLE TEST.EMPLOYEE SAMPLE FROM USER USER_DEV
- Similar to
GRANT, REVOKEcan also include multiple privileges at a time. For example, to revokeSELECT, INSERT, UPDATE, andDELETEprivileges on theTEST.EMPLOYEEtable from the user 'user_dev', use the following command:
REVOKE SELECT, INSERT, UPDATE, DELETE FROM USER USER_DEV
There's more…
We can use the SYSIBMADM.PRIVILEGES administrative view to retrieve the privileges on any database object. For example, to view the privileges on the EMPLOYEE table, we can use the following query:
SELECT CHAR(AUTHID, 10) AUTHID, AUTHIDTYPE, CHAR(PRIVILEGE, 10) PRIVILEGE, CHAR(OBJECTNAME, 10) OBJECTNAME, CHAR(OBJECTSCHEMA, 10) OBJECTSCHEMA, CHAR(OBJECTTYPE, 10) OBJECTTYPE FROM SYSIBMADM.PRIVILEGES WHERE OBJECTNAME='EMPLOYEE';
The following table summarizes all privileges available for different types of database objects:
- Implementing VMware Horizon 7(Second Edition)
- Microsoft Exchange Server PowerShell Cookbook(Third Edition)
- Serverless架構
- 算法訓練營:提高篇(全彩版)
- Mastering Apache Spark 2.x(Second Edition)
- 用戶體驗增長:數字化·智能化·綠色化
- Spring Boot進階:原理、實戰與面試題分析
- Cybersecurity Attacks:Red Team Strategies
- 一塊面包板玩轉Arduino編程
- Java零基礎實戰
- Android移動應用開發項目教程
- Apache Solr PHP Integration
- Software Development on the SAP HANA Platform
- Spring Data JPA從入門到精通
- MongoDB Cookbook