GRANT (schema privileges and authorities) statement

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

No user can grant privileges on schema names starting with SYSIBM, SYSCAT, SYSFUN, or SYSSTAT (SQLSTATE 42501).

Syntax

Notes:

• ¹ Db2® Big SQL 7.2 and later service This feature requires the Db2 Big SQL 7.2 and later service on IBM Cloud Pak® for Data 4.0 and later.

Description

ALTERIN

Grants the privilege to alter or comment on all objects in the schema. The owner of an explicitly created schema automatically receives ALTERIN privilege.

CREATEIN

Grants the privilege to create objects in the schema. Other authorities or privileges required to create the object (such as CREATETAB) are still required. The owner of an explicitly created schema automatically receives CREATEIN privilege. An implicitly created schema has CREATEIN privilege automatically granted to PUBLIC.

DROPIN

Grants the privilege to drop all objects in the schema. The owner of an explicitly created schema automatically receives DROPIN privilege.

EXECUTEIN

Db2 Big SQL 7.2 and later service This feature requires the Db2 Big SQL 7.2 and later service on IBM Cloud Pak for Data 4.0 and later.

Grants the privilege to execute all existing and future user-defined functions, methods, procedures, packages, or modules defined in the schema. The owner of the schema (explicitly or implicitly created) does not automatically receive EXECUTEIN privilege.

INSERTIN

Db2 Big SQL 7.2 and later service This feature requires the Db2 Big SQL 7.2 and later service on IBM Cloud Pak for Data 4.0 and later.

Grants the privilege to insert rows and to run the IMPORT utility on all existing and future tables or views defined in the schema. The owner of the schema (explicitly or implicitly created) does not automatically receive INSERTIN privilege.

SELECTIN

Db2 Big SQL 7.2 and later service This feature requires the Db2 Big SQL 7.2 and later service on IBM Cloud Pak for Data 4.0 and later.

Grants the privilege to select from all existing and future tables or views defined in the schema. The owner of the schema (explicitly or implicitly created) does not automatically receive SELECTIN privilege.

ON

SCHEMA schema-name

Specifies the name of the schema on which the authorities are to be granted. Authorities cannot be granted on any schema beginning with the SYS prefix (SQLSTATE 42501).

CURRENT SCHEMA

Specifies that the authorities will be granted on the schema described by the DB2® special register CURRENT SCHEMA. Authorities cannot be granted on any schema beginning with the SYS prefix (SQLSTATE 42501).

TO

Specifies to whom the privileges are granted.

USER

Specifies that the authorization-name identifies a user.

GROUP

Specifies that the authorization-name identifies a group name.

ROLE

Specifies that the authorization-name identifies a role name. The role name must exist at the current server (SQLSTATE 42704).

authorization-name,...

Lists the authorization IDs of one or more users, groups, or roles.

The list of authorization IDs cannot include the authorization ID of the user issuing the statement (SQLSTATE 42502).

PUBLIC

Grants the privileges to a set of users (authorization IDs). For more information, see Authorization, privileges and object ownership.

WITH GRANT OPTION

Allows the specified authorization-names to GRANT the privileges to others.

Rules

• For each authorization-name specified, if neither USER, GROUP, nor ROLE is specified, then:
  • If the security plug-in in effect for the instance cannot determine the status of the authorization-name, an error is returned (SQLSTATE 56092).
  • If the authorization-name is defined as ROLE in the database, and as either GROUP or USER according to the security plug-in in effect, an error is returned (SQLSTATE 56092).
  • If the authorization-name is defined according to the security plug-in in effect as both USER and GROUP, an error is returned (SQLSTATE 56092).
  • If the authorization-name is defined according to the security plug-in in effect as USER only, or if it is undefined, USER is assumed.
  • If the authorization-name is defined according to the security plug-in in effect as GROUP only, GROUP is assumed.
  • If the authorization-name is defined in the database as ROLE only, ROLE is assumed.
• In general, the GRANT statement will process the granting of privileges that the authorization ID of the statement is allowed to grant, returning a warning (SQLSTATE 01007) if one or more privileges was not granted. If no privileges were granted, an error is returned (SQLSTATE 42501). (If the package used for processing the statement was precompiled with LANGLEVEL set to SQL92E for MIA, a warning is returned (SQLSTATE 01007), unless the grantor has no privileges on the object of the grant operation.)

Notes

• Grant on SYSPUBLIC: Privileges can be granted on the reserved schema SYSPUBLIC. Granting CREATEIN privilege allows the user to create a public alias and granting DROPIN privilege allows the user to drop any public alias.
• Privileges granted to a group: An authority that is granted to a group is not used for authorization checking on:
  • Static DML statements in a package
  • A base table while processing a CREATE VIEW statement
  • A base table while processing a CREATE TABLE statement for a materialized query table
  • Create SQL routine
  • Create trigger

Examples

• Example 1:  Grant user JSINGLETON to the ability to create objects in schema CORPDATA.

     GRANT CREATEIN ON SCHEMA CORPDATA TO JSINGLETON

• Example 2:  Grant user IHAKES the ability to create and drop objects in schema CORPDATA.

     GRANT CREATEIN, DROPIN ON SCHEMA CORPDATA TO IHAKES