Privileges required for handling plans and packages

An ID, or a role that runs in a trusted context, needs specific privileges to perform actions on plans and packages.

Begin general-use programming interface information.The following table lists the IDs and describes the privileges that they need for performing each type of plan or package operation. A user-defined function, stored procedure, or trigger package does not need to be included in a package list. A trigger package cannot be deleted by FREE PACKAGE or DROP PACKAGE. The DROP TRIGGER statement must be used to delete the trigger package.

Table 1. Required privileges for basic operations on plans and packages
Operation ID or role Required privileges
Execute a plan Primary ID, any secondary ID, or role Any of the following privileges:
  • Ownership of the plan
  • EXECUTE privilege for the plan
  • DATAACCESS authority
  • SYSADM authority
Bind embedded SQL statements, for any bind operation Package owner Any of the following privileges:
  • Applicable privileges required by the statements
  • Authorities that include the privileges
  • Ownership that implicitly includes the privileges
Object names include the value of QUALIFIER, where it applies.
BIND EXPLAIN without generating a package Plan or package owner Any of the following privileges:
  • Ownership of the plan or package
  • BIND
  • BINDAGENT
  • EXPLAIN privilege
  • PACKADM
  • SQLADM
  • System DBADM authority
  • SYSCTRL
  • SYSADM
Include package in PKLIST1 Plan owner Any of the following privileges:
  • Ownership of the package
  • EXECUTE privilege for the package
  • PACKADM authority over the package collection
  • SYSADM authority
BIND a new plan using the default owner or primary authorization ID Primary ID or role Any of the following privileges:
  • BINDADD privilege
  • System DBADM authority
  • SYSCTRL authority
  • SYSADM authority
BIND a new package using the default owner or primary authorization ID Primary ID or role If the value of the field BIND NEW PACKAGE on installation panel DSNTIPP is BIND, any of the following privileges:
  • BIND privilege and CREATE IN privilege for the collection
  • PACKADM authority for the collection
  • System DBADM authority
  • SYSADM or SYSCTRL authority
If BIND NEW PACKAGE is BINDADD, any of the following privileges:
  • BINDADD privilege and either the CREATE IN or PACKADM privilege for the collection
  • System DBADM authority
  • SYSADM or SYSCTRL authority
BIND REPLACE or REBIND for a plan or package using the default owner or primary authorization ID Primary ID, any secondary ID, or role Any of the following privileges:
  • Ownership of the plan or package
  • BIND privilege for the plan or package
  • BINDAGENT from the plan or package owner
  • PACKADM authority for the collection (for a package only)
  • System DBADM authority
  • SYSADM or SYSCTRL authority.
BIND a new version of a package, with default owner Primary ID or role If BIND NEW PACKAGE is BIND, any of the following privileges:
  • BIND privilege on the package or collection
  • BINDADD privilege and CREATE IN privilege for the collection
  • PACKADM authority for the collection
  • System DBADM authority
  • SYSADM or SYSCTRL authority
If BIND NEW PACKAGE is BINDADD, any of the following:
  • BINDADD privilege and either the CREATE IN or PACKADM privilege for the collection
  • System DBADM authority
  • SYSADM or SYSCTRL authority
FREE or DROP a package2 Primary ID, any secondary ID, or role Any of the following privileges:
  • Ownership of the package
  • BINDAGENT from the package owner
  • PACKADM authority for the collection
  • System DBADM authority
  • SYSADM or SYSCTRL authority
COPY a package Primary ID, any secondary ID, or role Any of the following:
  • Ownership of the package
  • COPY privilege for the package
  • BINDAGENT from the package owner
  • PACKADM authority for the collection
  • System DBADM authority
  • SYSADM or SYSCTRL authority
FREE a plan Primary ID, any secondary ID, or role Any of the following privileges:
  • Ownership of the plan
  • BIND privilege for the plan
  • BINDAGENT from the plan owner
  • System DBADM authority
  • SYSADM or SYSCTRL authority
Name a new OWNER other than the primary authorization ID for any bind operation Primary ID, any secondary ID, or role Any of the following privileges:
  • New owner is the primary or any secondary ID
  • BINDAGENT from the new owner
  • System DBADM authority (if SEPARATE_SECURITY is set to NO)
  • SYSADM or SYSCTRL authority (if SEPARATE_SECURITY is set to NO)
Notes:
  1. The package for a user-defined function, stored procedure, or trigger package does not need to be included in a package list.
  2. A trigger package cannot be deleted by FREE PACKAGE or DROP PACKAGE. The DROP TRIGGER statement must be used to delete the trigger package.
End general-use programming interface information.