Table privileges
Resources: Tables
Resource type: T
Note about SYSCTRL
The SYSCTRL administrative authority does not apply to user tables. Db2 turns on bit 7 of the XAPLFLG1 field for a user table. If this bit is on, the RACF access control module bypasses checking for the SYSCTRL authority. This allows RACF processing to model Db2 processing.
Db2 privileges
ALTER
XAPLPRIV value: ALTERAUTT
Privcode 61 (x'3D')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.ALTER | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
ALTER INDEX, DROP INDEX
XAPLPRIV values: ALTIXAUTT, DRPIXAUTT
Privcode 103 (x'67'), 105 (x'69')
Does the user or the role associated with the user own the index?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
CHANGE NAME QUALIFIER
XAPLPRIV value: QUALAUTT
Privcode 76 (x'4C')
The user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.DBCTRL | DSNADM |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
COMMENT ON, COMMENT ON INDEX, DROP
XAPLPRIV values: COMNTAUTT, CMTIXAUTT, DROPAUTT
Privcode 97 (x'61'), 274 (x'112'), 73 (x'49')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
CREATE SYNONYM
XAPLPRIV value: CRTSYAUTT
Privcode 102 (x'66')
There are no authorization checks (return code 4).
CREATE VIEW
XAPLPRIV value: CRTVUAUTT
Privcode 108 (x'6C')
The user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.SYSCTRL
This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
| Db2-subsystem.Db2-database-name-n.DBADM | DSNADM
|
| Db2-subsystem.SYSDBADM This check is bypassed for user tables. |
DSNADM |
DELETE
XAPLPRIV value: DELETAUTT
Privcode 52 (x'34')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If XAPLACAC is enabled (XAPLFLG2 bit 5 is '1'B ) and XAPLUCHK is an authid, suppress the ownership check for XAPLUCHK.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.DELETE | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SQLADM This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
MDSNSM or GDSNSM |
| Db2-subsystem.SYSDBADM This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.DATAACCESS This check is bypassed for SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.ACCESSCTRL This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.SYSADM This check is bypassed for SYSIBM.SYSAUDITPOLICIES only when Separate Security =YES |
DSNADM |
| Db2-subsystem.SECADM This check is bypassed for user tables. |
DSNADM |
DROP ALIAS
XAPLPRIV value: DRPALAUTT
Privcode 20 (x'14')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
DROP SYNONYM
XAPLPRIV value: DRPSYAUTT
Privcode 104 (x'68')
There are no authorization checks (return code 4).
INDEX
XAPLPRIV value: INDEXAUTT
Privcode 56 (x'38')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.INDEX | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
INSERT
XAPLPRIV value: INSRTAUTT
Privcode 51 (x'33')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If XAPLACAC is enabled (XAPLFLG2 bit 5 is '1'B ) and XAPLUCHK is an authid, suppress the ownership check for XAPLUCHK.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.INSERT | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SQLADM This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
MDSNSM or GDSNSM |
| Db2-subsystem.SYSDBADM This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.DATAACCESS This check is bypassed for SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.ACCESSCTRL This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.SYSADM This check is bypassed for SYSIBM.SYSAUDITPOLICIES only when Separate Security =YES. |
DSNADM |
| Db2-subsystem.SECADM This check is bypassed for user tables. |
DSNADM |
LOAD
XAPLPRIV value: LOADAUTT
Privcode 75 (x'4B')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.LOAD | MDSNDB or GDSNDB |
| Db2-subsystem.database-name.DBCTRL | DSNADM |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.DATAACCESS | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
LOCK TABLE
XAPLPRIV value: LOCKAUTT
Privcode 98 (x'62')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.SELECT | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.DATAACCESS | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
REFERENCES
XAPLPRIV value: REFERAUTT
Privcode 54 (x'36')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.REFERENCES | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.ALTER | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.column.REFERENCES | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
REFRESH
XAPLPRIV value: RFRSHAUTT
Privcode 275 (x'113')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.DBCTRL | DSNADM |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.DATAACCESS | DSNADM |
| Db2-subsystem.SYSCTRL
This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
RENAME INDEX
XAPLPRIV value: RNIDXAUTT
Privcode 283 (x'11B')
Does the user or the role associated with the user own the index?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.DBMAINT | DSNADM |
| Db2-subsystem.database-name.DBCTRL | DSNADM |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.database-name.SYSCTRL | DSNADM |
| Db2-subsystem.database-name.SYSADM | DSNADM |
RENAME TABLE
XAPLPRIV value: RNTABAUTT
Privcode 251 (x'FB')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.database-name.DBMAINT | DSNADM |
| Db2-subsystem.database-name.DBCTRL | DSNADM |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL | DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
SELECT
XAPLPRIV value: SELCTAUTT
Privcode 50 (x'32')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If XAPLACAC is enabled (XAPLFLG2 bit 5 is '1'B ) and XAPLUCHK is an authid, suppress the ownership check for XAPLUCHK.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.SELECT | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SQLADM This check is bypassed for user tables. |
MDSNSM or GDSNSM |
| Db2-subsystem.SYSDBADM This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.DATAACCESS | DSNADM |
| Db2-subsystem.ACCESSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
| Db2-subsystem.SECADM This check is bypassed for user tables. |
DSNADM |
TRIGGER
XAPLPRIV value: TRIGAUTT
Privcode 55 (x'37')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.TRIGGER | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.ALTER | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.SYSCTRL
This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
UNLOAD
XAPLPRIV value: ULOADAUTT
Privcode 297 (x'129')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.UNLOAD | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SQLADM This check is bypassed for user tables. |
MDSNSM or GDSNSM |
| Db2-subsystem.SYSDBADM This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.DATAACCESS | DSNADM |
| Db2-subsystem.ACCESSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
| Db2-subsystem.SECADM This check is bypassed for user tables. |
DSNADM |
UPDATE
XAPLPRIV value: UPDTEAUTT
Privcode 53 (x'35')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If XAPLACAC is enabled (XAPLFLG2 bit 5 is '1'B ) and XAPLUCHK is an authid, suppress the ownership check for XAPLUCHK.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.UPDATE | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.column.UPDATE | MDSNTB or GDSNTB |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SQLADM This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
MDSNSM or GDSNSM |
| Db2-subsystem.SYSDBADM This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.DATAACCESS This check is bypassed for SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.ACCESSCTRL This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables and SYSIBM.SYSAUDITPOLICIES. |
DSNADM |
| Db2-subsystem.SYSADM This check is bypassed for SYSIBM.SYSAUDITPOLICIES when Separate Security =YES |
DSNADM |
| Db2-subsystem.SECADM This check is bypassed for user tables. |
DSNADM |
Any of the table privileges
XAPLPRIV value: ANYTBAUTT
Privcode 233 (x'E9')
Does the user or the role associated with the user own the table?
If so, XAPLUPRM must match the owner name passed from Db2 by the XAPLOWNR parameter when XAPLONRT indicates an authorization ID, or XAPLUCHK must match XAPLOWNR and XAPLUCKT must match XAPLONRT.
If not, the user must have sufficient authority to:
| One of these resources: | In class: |
|---|---|
| Db2-subsystem.table-qualifier.table-name.REFERENCES | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.ALTER | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.INDEX | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.SELECT | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.INSERT | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.DELETE | MDSNTB or GDSNTB |
| Db2-subsystem.table-qualifier.table-name.UPDATE | MDSNTB or GDSNTB |
| Db2-subsystem.EXPLAIN | MDSNSM or GDSNSM |
| Db2-subsystem.database-name.DBADM | DSNADM |
| Db2-subsystem.SQLADM | MDSNSM or GDSNSM |
| Db2-subsystem.SYSDBADM | DSNADM |
| Db2-subsystem.DATAACCESS | DSNADM |
| Db2-subsystem.ACCESSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSCTRL This check is bypassed for user tables. |
DSNADM |
| Db2-subsystem.SYSADM | DSNADM |
| Db2-subsystem.SECADM This check is bypassed for user tables. |
DSNADM |