Required privileges for working with REST endpoints in Db2

Before users can use REST endpoints to access Db2 statements from a web, mobile, or cloud application, they need to have specific privileges assigned to them for the Db2 database objects with which they will interact.

  • All users require the SELECT permission on SYSCAT tables.
  • Setting up metadata requires the following permissions:
    • Administrator access.
    • The EXECUTE privilege on the SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID, SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID, and SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID table functions.
    • The CREATE TABLE and CREATE PROCEDURE privileges in the schema that contains the metadata table, and the ability to GRANT EXECUTE on procedures in that schema.
    • The ability to GRANT SELECT on the metadata table.
  • Requesting a token requires the EXECUTE privilege on the SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID table function, which is used to determine whether the user is an administrator. Without it, the user is assumed not to have administrator rights.
  • Creating, updating, and deleting services requires the following permissions:
    • The SELECT, INSERT, UPDATE, and DELETE privileges on the metadata table.
    • Authority to run CREATE SCHEMA or DROP SCHEMA statements for the schema associated with the service creation call.
  • Describing a REST SQL service requires the EXECUTE privilege on the SYSPROC.ADMIN_CMD procedure.
  • Granting and revoking permission on a service requires the GRANT EXECUTE and REVOKE EXECUTE privileges on the procedure in the schema that is associated with the service creation call.
  • Executing a service requires the EXECUTE privilege on the stored procedures in the schema associated with the service creation call.
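The following GRANT script is an added example, not part of the original page, that maps the privilege list above onto Db2 (LUW) SQL for three separate identities: a metadata administrator, a service administrator, and an application user that only calls services. The user names (REST_METAADMIN, REST_SVCADMIN, REST_APPUSER), the metadata schema and table (RESTMETA.REST_METADATA), and the service schema and procedure (RESTSVC.GET_CUSTOMER) are constructed placeholders. The mapping of "CREATE TABLE / CREATE PROCEDURE in the schema" to the CREATETAB database authority plus the CREATEIN schema privilege, and of "authority to run CREATE SCHEMA" to IMPLICIT_SCHEMA, is an assumption about Db2 LUW and should be checked against the authorization reference for your Db2 version.

```sql
-- Added example: least-privilege grants for Db2 REST endpoint identities.
-- Names and the metadata/service objects are constructed placeholders.

-- 1. Baseline for every REST identity: SELECT on the catalog views.
--    (Assumption: only the views the endpoint layer actually reads are listed;
--    extend as needed rather than granting on all of SYSCAT.)
GRANT SELECT ON TABLE SYSCAT.TABLES    TO USER REST_METAADMIN, USER REST_SVCADMIN, USER REST_APPUSER;
GRANT SELECT ON TABLE SYSCAT.ROUTINES  TO USER REST_METAADMIN, USER REST_SVCADMIN, USER REST_APPUSER;
GRANT SELECT ON TABLE SYSCAT.SCHEMATA  TO USER REST_METAADMIN, USER REST_SVCADMIN, USER REST_APPUSER;

-- 2. Metadata setup identity: the three SYSPROC table functions named on the page,
--    plus the rights to create the metadata table and its procedures in RESTMETA.
GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID      TO USER REST_METAADMIN;
GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID       TO USER REST_METAADMIN;
GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID TO USER REST_METAADMIN;
GRANT CREATETAB ON DATABASE TO USER REST_METAADMIN;          -- assumption: CREATE TABLE right
GRANT CREATEIN  ON SCHEMA RESTMETA TO USER REST_METAADMIN;   -- assumption: CREATE PROCEDURE in schema
-- Being able to GRANT SELECT on the metadata table to others requires WITH GRANT OPTION.
GRANT SELECT ON TABLE RESTMETA.REST_METADATA TO USER REST_METAADMIN WITH GRANT OPTION;

-- 3. Token requests: only AUTH_LIST_AUTHORITIES_FOR_AUTHID is needed, so the
--    app user gets that single function and none of the other two.
GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID TO USER REST_APPUSER;

-- 4. Service administration: full DML on the metadata table, the authority to
--    create/drop the service schema, describe via ADMIN_CMD, and the ability to
--    grant/revoke EXECUTE on service procedures (again via WITH GRANT OPTION).
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE RESTMETA.REST_METADATA TO USER REST_SVCADMIN;
GRANT IMPLICIT_SCHEMA ON DATABASE TO USER REST_SVCADMIN;     -- assumption: CREATE SCHEMA right
GRANT CREATEIN, DROPIN ON SCHEMA RESTSVC TO USER REST_SVCADMIN;
GRANT EXECUTE ON PROCEDURE SYSPROC.ADMIN_CMD TO USER REST_SVCADMIN;
GRANT EXECUTE ON PROCEDURE RESTSVC.GET_CUSTOMER TO USER REST_SVCADMIN WITH GRANT OPTION;

-- 5. Executing a service: the app user needs EXECUTE on the service procedure
--    only, not on ADMIN_CMD, the metadata table, or the group/role functions.
GRANT EXECUTE ON PROCEDURE RESTSVC.GET_CUSTOMER TO USER REST_APPUSER;

-- 6. Verification: confirm the app user did not accidentally pick up
--    administrative routine or table privileges. Both queries should return
--    only the rows granted in steps 3 and 5 for REST_APPUSER.
SELECT GRANTEE, SCHEMA, SPECIFICNAME, EXECUTEAUTH
  FROM SYSCAT.ROUTINEAUTH
 WHERE GRANTEE = 'REST_APPUSER'
   AND (SCHEMA = 'SYSPROC' OR SCHEMA = 'RESTSVC');

SELECT GRANTEE, TABSCHEMA, TABNAME, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'REST_APPUSER'
   AND TABSCHEMA = 'RESTMETA';
```

The split into three identities is the design point: the page lists privileges per operation, and the only operation an application-facing credential needs is token requests plus service execution. Keeping the SYSPROC group/role functions, the metadata table DML, and ADMIN_CMD off that credential means a leaked application token cannot enumerate authorities or alter service definitions. The two SYSCAT queries at the end are the check to run after any grant change; an unexpected row for REST_APPUSER in SYSCAT.ROUTINEAUTH or SYSCAT.TABAUTH is the signal that a service-admin privilege has drifted onto the application identity.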