DB2 Version 10.1 for Linux, UNIX, and Windows

GRANT (server privileges) statement

This form of the GRANT statement grants the privilege to access and use a specified data source in pass-through mode.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include ACCESSCTRL or SECADM authority.

Syntax


>>-GRANT PASSTHRU ON SERVER--server-name--TO-------------------->

   .-,---------------------------------.   
   V                                   |   
>----+-+-------+--authorization-name-+-+-----------------------><
     | +-USER--+                     |     
     | +-GROUP-+                     |     
     | '-ROLE--'                     |     
     '-PUBLIC------------------------'

Description

server-name

Names the data source for which the privilege to use in pass-through mode is being granted. server-name must identify a data source that is described in the catalog.

TO

Specifies to whom the privilege is granted.

USER: Specifies that the authorization-name identifies a user.
GROUP: Specifies that the authorization-name identifies a group name.
ROLE: Specifies that the authorization-name identifies a role name. The role name must exist at the current server (SQLSTATE 42704).
authorization-name,...: Lists the authorization IDs of one or more users, groups, or roles.
The list of authorization IDs cannot include the authorization ID of the user issuing the statement (SQLSTATE 42502).
PUBLIC: Grants to a set of users (authorization IDs) the privilege to pass through to server-name. For more information, see "Authorization, privileges and object ownership".

Rules

For each authorization-name specified, if neither USER, GROUP, nor ROLE is specified, then:
- If the security plug-in in effect for the instance cannot determine the status of the authorization-name, an error is returned (SQLSTATE 56092).
- If the authorization-name is defined as ROLE in the database, and as either GROUP or USER according to the security plug-in in effect, an error is returned (SQLSTATE 56092).
- If the authorization-name is defined according to the security plug-in in effect as both USER and GROUP, an error is returned (SQLSTATE 56092).
- If the authorization-name is defined according to the security plug-in in effect as USER only, or if it is undefined, USER is assumed.
- If the authorization-name is defined according to the security plug-in in effect as GROUP only, GROUP is assumed.
- If the authorization-name is defined in the database as ROLE only, ROLE is assumed.

Examples

Example 1: Give R. Smith and J. Jones the privilege to pass through to data source SERVALL. Their authorization IDs are RSMITH and JJONES.
```
   GRANT PASSTHRU ON SERVER SERVALL
     TO USER RSMITH,
     USER JJONES
```
Example 2: Grant the privilege to pass through to data source EASTWING to a group whose authorization ID is D024. There is a user whose authorization ID is also D024.
```
   GRANT PASSTHRU ON SERVER EASTWING TO GROUP D024
```
The GROUP keyword must be specified; otherwise, an error will occur because D024 is a user's ID as well as the specified group's ID (SQLSTATE 56092). Any member of group D024 will be allowed to pass through to EASTWING. Therefore, if user D024 belongs to the group, this user will be able to pass through to EASTWING.