GRANT (index privileges) statement

This form of the GRANT statement grants the CONTROL privilege on indexes.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The authorization ID privileges of the statement on the schema containing the index must include one of the following:
  • ACCESSCTRL authority
  • SECADM authority
  • Schema ACCESSCTRL authority

Syntax

Read syntax diagramSkip visual syntax diagramGRANTCONTROLON INDEXindex-name TO ,USERGROUPROLEauthorization-namePUBLIC

Description

CONTROL
Grants the privilege to drop the index. This is the CONTROL authority for indexes, which is automatically granted to creators of indexes.
ON INDEX index-name
Identifies the index for which the CONTROL privilege is to be granted.
TO
Specifies to whom the privileges are granted.
USER
Specifies that the authorization-name identifies a user.
GROUP
Specifies that the authorization-name identifies a group name.
ROLE
Specifies that the authorization-name identifies a role name. The role name must exist at the current server (SQLSTATE 42704).
authorization-name,...
Lists the authorization IDs of one or more users, groups, or roles.

The list of authorization IDs cannot include the authorization ID of the user issuing the statement (SQLSTATE 42502).

PUBLIC
Grants the privileges to a set of users (authorization IDs). For more information, see Authorization, privileges and object ownership.

Rules

  • For each authorization-name specified, if neither USER, GROUP, nor ROLE is specified, then:
    • If the security plug-in in effect for the instance cannot determine the status of the authorization-name, an error is returned (SQLSTATE 56092).
    • If the authorization-name is defined as ROLE in the database, and as either GROUP or USER according to the security plug-in in effect, an error is returned (SQLSTATE 56092).
    • If the authorization-name is defined according to the security plug-in in effect as both USER and GROUP, an error is returned (SQLSTATE 56092).
    • If the authorization-name is defined according to the security plug-in in effect as USER only, or if it is undefined, USER is assumed.
    • If the authorization-name is defined according to the security plug-in in effect as GROUP only, GROUP is assumed.
    • If the authorization-name is defined in the database as ROLE only, ROLE is assumed.

Notes

  • Privileges granted to a group: A privilege that is granted to a group is not used for authorization checking on:
    • Static DML statements in a package
    • A base table while processing a CREATE VIEW statement
    • A base table while processing a CREATE TABLE statement for a materialized query table
    • Create SQL routine
    • Create trigger
  • WITH GRANT OPTION is ignored when granting index privileges

Example

Grant CONTROL privilege on the DEPTIDX index to the user whose ID is KIESLER:
   GRANT CONTROL ON INDEX DEPTIDX TO USER KIESLER