Implicit privileges of ownership
When a user owns a Db2 object, that user implicitly holds some, but not all, of the privileges associated with the object. The privileges that ownership implies for each object type are listed below.
Db2 object | Implicit privileges |
---|---|
Database | DISPLAYDB, MERGECOPY, IMAGCOPY, MODIFY RECOVERY, QUIESCE, RECOVERDB, REPORT, REORG, REPAIR, RUN REPAIR UTILITY, RUN CHECK INDEX/LOB UTILITY, STATS, STARTDB, STOPDB, TERM UTILITY ON DATABASE |
Java™ archive (JAR) | USAGE |
Package | BINDAUT, COMMENT ON, COPYAUT |
Plan | BINDAUT, COMMENT ON |
Role | COMMENT ON, DROP |
Sequence | ALTER, COMMENT ON, USAGE |
Stored procedure | DISPLAY, EXECUTE, START, STOP |
Table | All privileges except CRTSYAUT, DRPSYAUT, CRTVUAUT |
Trusted context | COMMENT ON, DROP |
User-defined distinct type | USAGE |
User-defined function | DISPLAY, EXECUTE, START, STOP |
View | ALTER, COMMENT ON, DROP |
To check authorization for the privileges that ownership implies, the RACF access control module uses the ownership information that Db2 passes in the XAPLOWNR field of the DSNDXAPL parameter list.
If the object is owned by an authorization ID (the one being checked), the RACF access control module authorizes access and returns a return code 0 in EXPLRC1 and reason code 13 in EXPLRC2. If the object is owned by the role in effect for the user, the RACF access control module authorizes access and returns a return code 0 in EXPLRC1 and reason code 16 in EXPLRC2.
If neither ownership check succeeds, then for some privileges the RACF access control module additionally checks whether the current authorization ID (passed in the field XAPLUCHK) matches the schema name of the object.
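The following Python model is an added illustration of the decision sequence described above; it is not code from the RACF access control module or from IBM. It transcribes the implicit-privilege table from this page and walks the three checks in order: owner is the authorization ID being checked (RC 0, reason 13), owner is the role in effect (RC 0, reason 16), then the schema-name match against XAPLUCHK. Only XAPLOWNR and XAPLUCHK are field names taken from the page; the other attributes of the request, the deny return code of 8, the absence of a reason code on the schema-match path, and the set of privileges that are subject to the schema check are this model's assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Implicit privileges of ownership, transcribed from the table on this page.
IMPLICIT_PRIVILEGES = {
    "DATABASE": {"DISPLAYDB", "MERGECOPY", "IMAGCOPY", "MODIFY RECOVERY", "QUIESCE",
                 "RECOVERDB", "REPORT", "REORG", "REPAIR", "RUN REPAIR UTILITY",
                 "RUN CHECK INDEX/LOB UTILITY", "STATS", "STARTDB", "STOPDB",
                 "TERM UTILITY ON DATABASE"},
    "JAR": {"USAGE"},
    "PACKAGE": {"BINDAUT", "COMMENT ON", "COPYAUT"},
    "PLAN": {"BINDAUT", "COMMENT ON"},
    "ROLE": {"COMMENT ON", "DROP"},
    "SEQUENCE": {"ALTER", "COMMENT ON", "USAGE"},
    "STORED PROCEDURE": {"DISPLAY", "EXECUTE", "START", "STOP"},
    "TRUSTED CONTEXT": {"COMMENT ON", "DROP"},
    "DISTINCT TYPE": {"USAGE"},
    "FUNCTION": {"DISPLAY", "EXECUTE", "START", "STOP"},
    "VIEW": {"ALTER", "COMMENT ON", "DROP"},
}
# A table owner holds every table privilege except these three.
TABLE_EXCLUDED = {"CRTSYAUT", "DRPSYAUT", "CRTVUAUT"}

RC_AUTHORIZED = 0
RC_NOT_AUTHORIZED = 8          # assumption: the page only documents the RC 0 cases
REASON_OWNER_AUTHID = 13       # from the page
REASON_OWNER_ROLE = 16         # from the page

# Assumption: which privileges fall back to the schema-name check. The page
# says only "some privileges"; this constructed set is for illustration.
SCHEMA_CHECKED_PRIVILEGES: Set[str] = {"EXECUTE", "USAGE", "DISPLAY", "START", "STOP"}


@dataclass(frozen=True)
class XaplRequest:
    """Subset of the authorization request modelled here.

    xaplownr and xapluchk mirror the DSNDXAPL fields named on this page; the
    remaining attributes are this model's own (assumption), not DSNDXAPL names.
    """
    object_type: str               # e.g. "TABLE", "PACKAGE", "FUNCTION"
    privilege: str                 # requested privilege, e.g. "BINDAUT"
    xaplownr: str                  # owner of the object, as passed by Db2
    owner_is_role: bool            # True when XAPLOWNR names a role, not an auth ID
    xapluchk: str                  # current authorization ID being checked
    role_in_effect: Optional[str]  # role in effect for the user, or None
    schema: Optional[str] = None   # schema name of the object, if it has one


@dataclass(frozen=True)
class XaplResult:
    explrc1: int             # return code
    explrc2: Optional[int]   # reason code, None where the page gives none
    basis: str               # which check decided the result


def is_implicit_owner_privilege(object_type: str, privilege: str) -> bool:
    """True if ownership of this object type implies the privilege."""
    if object_type == "TABLE":
        return privilege not in TABLE_EXCLUDED
    return privilege in IMPLICIT_PRIVILEGES.get(object_type, set())


def check_ownership(req: XaplRequest,
                    schema_checked: Set[str] = SCHEMA_CHECKED_PRIVILEGES) -> XaplResult:
    """Walk the ownership checks in the order the page describes."""
    if is_implicit_owner_privilege(req.object_type, req.privilege):
        # Check 1: object owned by the authorization ID being checked.
        if not req.owner_is_role and req.xaplownr == req.xapluchk:
            return XaplResult(RC_AUTHORIZED, REASON_OWNER_AUTHID,
                              "owner is the authorization ID")
        # Check 2: object owned by the role in effect for the user.
        if (req.owner_is_role and req.role_in_effect is not None
                and req.xaplownr == req.role_in_effect):
            return XaplResult(RC_AUTHORIZED, REASON_OWNER_ROLE,
                              "owner is the role in effect")
    # Check 3: for some privileges, XAPLUCHK must match the schema name.
    if (req.privilege in schema_checked and req.schema is not None
            and req.schema == req.xapluchk):
        return XaplResult(RC_AUTHORIZED, None,
                          "authorization ID matches schema name")
    return XaplResult(RC_NOT_AUTHORIZED, None, "no ownership or schema match")


if __name__ == "__main__":
    # Constructed sample: a table owner asking for a privilege ownership
    # does imply (SELECT) and one it does not (CRTSYAUT).
    for priv in ("SELECT", "CRTSYAUT"):
        r = check_ownership(XaplRequest("TABLE", priv, "ADMF001", False,
                                        "ADMF001", None))
        print(priv, r.explrc1, r.explrc2, r.basis)
```

The model makes two behaviours explicit that the prose only implies: a match on XAPLOWNR only helps when the requested privilege is one ownership implies (a table owner asking for CRTSYAUT falls through), and a role-owned object is never matched against the authorization ID string, only against the role in effect.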