Retrieving authorization names with granted privileges
You can use the PRIVILEGES and other administrative views to retrieve information about the authorization names that have been granted privileges in a database.
About this task
SELECT AUTHID, PRIVILEGE, OBJECTNAME, OBJECTSCHEMA, OBJECTTYPE
FROM SYSIBMADM.PRIVILEGES
The
following query uses the AUTHORIZATIONIDS administrative view to find
all the authorization IDs that have been granted privileges or authorities,
and to show their types:
SELECT AUTHID, AUTHIDTYPE FROM SYSIBMADM.AUTHORIZATIONIDS
You
can also use the SYSIBMADM.OBJECTOWNERS administrative view and the
SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID table function to find security-related
information. Prior to Version 9.1, no single system catalog
view contained information about all privileges. For releases earlier
than version 9.1, the following statement retrieves all authorization
names with privileges:
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'DATABASE' FROM SYSCAT.DBAUTH
UNION
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'TABLE ' FROM SYSCAT.TABAUTH
UNION
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'PACKAGE ' FROM SYSCAT.PACKAGEAUTH
UNION
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'INDEX ' FROM SYSCAT.INDEXAUTH
UNION
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'COLUMN ' FROM SYSCAT.COLAUTH
UNION
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'SCHEMA ' FROM SYSCAT.SCHEMAAUTH
UNION
SELECT DISTINCT GRANTEE, GRANTEETYPE, 'SERVER ' FROM SYSCAT.PASSTHRUAUTH
ORDER BY GRANTEE, GRANTEETYPE, 3
Periodically, the list retrieved by this statement should be compared with lists of user and group names defined in the system security facility. You can then identify those authorization names that are no longer valid.
Note: If you are supporting remote database clients, it
is possible that the authorization name is defined at the remote client
only and not on your database server machine.