SQL Reference

GRANT (Table or View Privileges)

This form of the GRANT statement grants privileges on a table or view.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared.

Authorization

The privileges held by the authorization ID of the statement must include at least one of the following:

CONTROL privilege on the referenced table or view
The WITH GRANT OPTION for each identified privilege. If ALL is specified, the authorization ID must have some grantable privilege on the identified table or view.
SYSADM or DBADM authority.

To grant the CONTROL privilege, SYSADM or DBADM authority is required.

To grant privileges on catalog tables and views, either SYSADM or DBADM authority is required.

Syntax

>>-GRANT--------------------------------------------------------> .-PRIVILEGES--. >-----+-ALL--+-------------+----------------------------------------+> | .-,------------------------------------------------------. | | V (1) | | '----+-ALTER---------------------------------------------+--+-' +-CONTROL-------------------------------------------+ +-DELETE--------------------------------------------+ | (1) | +-INDEX---------------------------------------------+ +-INSERT--------------------------------------------+ | (1) | +-REFERENCES---------+----------------------------+-+ | | .-,--------------. | | | | V | | | | '-(-----column-name---+---)--' | +-SELECT--------------------------------------------+ '-UPDATE--+----------------------------+------------' | .-,--------------. | | V | | '-(-----column-name---+---)--' .-TABLE--. >----ON--+--------+---+-table-name-+----------------------------> '-view-name--' .-,------------------------------------. V | >----TO----+-+-------+---authorization-name--+--+---------------> | +-USER--+ | | '-GROUP-' | '-PUBLIC--------------------------' >----+-------------------+------------------------------------->< '-WITH GRANT OPTION-'

Notes:

ALTER, INDEX, and REFERENCES privileges are not applicable to
views.

Description

ALL or ALL PRIVILEGES

Grants all the appropriate privileges, except CONTROL, on the base table or view named in the ON clause.

If the authorization ID of the statement has CONTROL privilege on the table or view, or DBADM or SYSADM authority, then all the privileges applicable to the object (except CONTROL) are granted. Otherwise, the privileges granted are all those grantable privileges that the authorization ID of the statement has on the identified table or view.

If ALL is not specified, one or more of the keywords in the list of privileges must be specified.

ALTER

Grants the privilege to:

Add columns to a base table definition.
Create or drop a primary key or unique constraint on a base table. For more information on the authorization required to create or drop a primary key or a unique constraint, see ALTER TABLE.
Create or drop a foreign key on a base table.
The REFERENCES privilege on each column of the parent table is also required.
Create or drop a check constraint on a base table.
Create a trigger on a base table.
Add or change a comment on a base table or view.

CONTROL

Grants:

All of the appropriate privileges in the list, that is:

ALTER, CONTROL, DELETE, INSERT, INDEX, REFERENCES, SELECT, and UPDATE to base tables
CONTROL, DELETE, INSERT, SELECT, and UPDATE to views
The ability to grant the above privileges (except for CONTROL) to others.
The ability to drop the base table or view.
This ability cannot be extended to others on the basis of holding CONTROL privilege. The only way that it can be extended is by granting the CONTROL privilege itself and that can only be done by someone with SYSADM or DBADM authority.
The ability to execute the RUNSTATS utility on the table and indexes. See the Command Reference for information on RUNSTATS.
The ability to issue set constraints on the base table or summary table.

The definer of a base table or summary table automatically receives the CONTROL privilege.

The definer of a view automatically receives the CONTROL privilege if the definer holds the CONTROL privilege on all tables and views identified in the fullselect.

DELETE

Grants the privilege to delete rows from the table or updatable view.

INDEX

Grants the privilege to create an index on the table. The creator of an index automatically has the CONTROL privilege on the index (authorizing the creator to drop the index), and retains this privilege even if the INDEX privilege is revoked.

INSERT

Grants the privilege to insert rows into the table or updatable view, and run the IMPORT utility.

REFERENCES

Grants the privilege to create and drop a foreign key referencing the table as the parent.

If the authorization ID of the statement has one of:

DBADM or SYSADM authority
CONTROL privilege on the table
REFERENCES WITH GRANT OPTION on the table

then the grantee(s) can create referential constraints using all columns of the table as parent key, even those added later using the ALTER TABLE statement. Otherwise, the privileges granted are all those grantable column REFERENCES privileges that the authorization ID of the statement has on the identified table. For more information on the authorization required to create or drop a foreign key, see ALTER TABLE.

REFERENCES (column-name,...)

Grants the privilege to create and drop a foreign key using only those columns specified in the column list as a parent key. Each column-name must be an unqualified name that identifies a column of the table identified in the ON clause. Column level REFERENCES privilege cannot be granted on typed tables or typed views (SQLSTATE 42997).

SELECT

Grants the privilege to retrieve rows from the table or view, create views on the table, and run the EXPORT utility. See the Command Reference for information on EXPORT.

UPDATE

Grants the privilege to use the UPDATE statement on the table or updatable view identified in the ON clause.

If the authorization ID of the statement has one of:

DBADM or SYSADM authority
CONTROL privilege on the table or view
UPDATE WITH GRANT OPTION on the table or view

then the grantee(s) can can update all updatable columns of the table or view on which the grantor has with grant privilege as well as those columns added later using the ALTER TABLE statement. Otherwise, the privileges granted are all those grantable column UPDATE privileges that the authorization ID of the statement has on the identified table or view.

UPDATE (column-name,...)

Grants the privilege to use the UPDATE statement to update only those columns specified in the column list. Each column-name must be an unqualified name that identifies a column of the table or view identified in the ON clause. Column level UPDATE privilege cannot be granted on typed tables or typed views (SQLSTATE 42997).

ON TABLE table-name or view-name

Specifies the table or view on which privileges are to be granted.

No privileges may be granted on an inoperative view or an inoperative summary table (SQLSTATE 51024).

TO

Specifies to whom the privileges are granted.

USER

Specifies that the authorization-name identifies a user.

GROUP

Specifies that the authorization-name identifies a group name.

authorization-name,...

Lists the authorization IDs of one or more users or groups. (81)

A privilege granted to a group is not used for authorization checking on static DML statements in a package. Nor is it used when checking authorization on a base table while processing a CREATE VIEW statement.

In DB2 Universal Database, table privileges granted to groups only apply to statements that are dynamically prepared. For example, if the INSERT privilege on the PROJECT table has been granted to group D204 but not UBIQUITY (a member of D204) UBIQUITY could issue the statement:

   EXEC SQL EXECUTE IMMEDIATE :INSERT_STRING;

where the content of the string is:

   INSERT INTO PROJECT (PROJNO, PROJNAME, DEPTNO, RESPEMP)
   VALUES ('AD3114', 'TOOL PROGRAMMING', 'D21', '000260');

but could not precompile or bind a program with the statement:

   EXEC SQL INSERT INTO PROJECT (PROJNO, PROJNAME, DEPTNO, RESPEMP)
   VALUES ('AD3114', 'TOOL PROGRAMMING', 'D21', '000260');

PUBLIC

Grants the privileges to all users. (82)

WITH GRANT OPTION

Allows the specified authorization-names to GRANT the privileges to others.

If the specified privileges include CONTROL, the WITH GRANT OPTION applies to all the applicable privileges except for CONTROL (SQLSTATE 01516).

Rules

If neither USER nor GROUP is specified, then

If the authorization-name is defined in the operating system only as GROUP, then GROUP is assumed.
If the authorization-name is defined in the operating system only as USER or if it is undefined, USER is assumed.
If the authorization-name is defined in the operating system as both, or DCE authentication is used, an error (SQLSTATE 56092) is raised.
In general, the GRANT statement will process the granting of privileges that the authorization ID of the statement is allowed to grant, returning a warning (SQLSTATE 01007) if one or more privileges was not granted. If no privileges were granted, an error is returned (SQLSTATE 42501). (83) If CONTROL privilege is specified, privileges will only be granted if the authorization ID of the statement has SYSADM or DBADM authority (SQLSTATE 42501).

Notes

Privileges may be granted independently at every level of a table hierarchy. A user with a privilege on a supertable may affect the subtables. For example, an update specifying the supertable T may show up as a change to a row in the subtable S of T done by a user with UPDATE privilege on T but without UPDATE privilege on S. A user can only operate directly on the subtable if the necessary privilege is held on the subtable.

Examples

Example 1: Grant all privileges on the table WESTERN_CR to PUBLIC.

  GRANT ALL ON WESTERN_CR
   TO PUBLIC

Example 2: Grant the appropriate privileges on the CALENDAR table so that users PHIL and CLAIRE can read it and insert new entries into it. Do not allow them to change or remove any existing entries.

  GRANT SELECT, INSERT ON CALENDAR
   TO USER  PHIL, USER CLAIRE

Example 3: Grant all privileges on the COUNCIL table to user FRANK and the ability to extend all privileges to others.

  GRANT ALL ON COUNCIL
   TO USER FRANK WITH GRANT OPTION

Example 4: GRANT SELECT privilege on table CORPDATA.EMPLOYEE to a user named JOHN. There is a user called JOHN and no group called JOHN.

  GRANT SELECT ON CORPDATA.EMPLOYEE TO JOHN

  GRANT SELECT
    ON CORPDATA.EMPLOYEE TO USER JOHN

Example 5: GRANT SELECT privilege on table CORPDATA.EMPLOYEE to a group named JOHN. There is a group called JOHN and no user called JOHN.

  GRANT SELECT ON CORPDATA.EMPLOYEE TO JOHN

  GRANT SELECT ON CORPDATA.EMPLOYEE TO GROUP JOHN

Example 6: GRANT INSERT and SELECT on table T1 to both a group named D024 and a user named D024.

  GRANT INSERT, SELECT ON TABLE T1
     TO GROUP D024, USER D024

In this case, both the members of the D024 group and the user D024 would be allowed to INSERT into and SELECT from the table T1. Also, there would be two rows added to the SYSCAT.TABAUTH catalog view.

Example 7: GRANT INSERT, SELECT, and CONTROL on the CALENDAR table to user FRANK. FRANK must be able to pass the privileges on to others.

  GRANT CONTROL ON TABLE CALENDAR
     TO FRANK WITH GRANT OPTION

The result of this statement is a warning (SQLSTATE 01516) that CONTROL was not given the WITH GRANT OPTION. Frank now has the ability to grant any privilege on CALENDAR including INSERT and SELECT as required. FRANK cannot grant CONTROL on CALENDAR to other users unless he has SYSADM or DBADM authority.

Footnotes:

(81) Restrictions in previous versions on grants to authorization ID of the user issuing the statement have been removed.

(82) Restrictions in previous versions on the use of privileges granted to PUBLIC for static SQL statements and CREATE VIEW statements have been removed.

(83) If the package used for processing the statement was precompiled with LANGLEVEL set to SQL92E or MIA, a warning is returned (SQLSTATE 01007) unless the grantor has NO privileges on the object of the grant.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]

[ DB2 List of Books | Search the DB2 Books ]