Required privileges for working with REST endpoints in Db2
Before users can use REST endpoints to access Db2 statements from a web, mobile, or cloud application, they need to have specific privileges assigned to them for the Db2 database objects with which they will interact.
- All users require the SELECT permission on SYSCAT tables.
- Setting up metadata requires the following permissions:
  - Administrator access.
  - The EXECUTE privilege on the SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID, SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID, and SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID table functions.
  - The CREATE TABLE, CREATE PROCEDURE, and GRANT EXECUTE on procedure privileges in the schema that contains the metadata table.
  - The GRANT SELECT privilege on the metadata table.
- Requesting a token requires the EXECUTE privilege on the SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID table function, to determine whether the user is an administrator. Otherwise, the user is assumed to not have administrator rights.
- Creating, updating, and deleting services requires the following permissions:
  - The SELECT, INSERT, UPDATE, and DELETE privileges on the metadata table.
  - Authority to run CREATE SCHEMA or DROP SCHEMA statements for the schema associated with the service creation call.
- Describing a REST SQL service requires the EXECUTE privilege on the SYSPROC.ADMIN_CMD procedure.
- Granting and revoking permission on a service requires the GRANT EXECUTE and REVOKE EXECUTE privileges on the procedure in the schema that is associated with the service creation call.
- Executing a service requires the EXECUTE privilege on the stored procedures in the schema associated with the service creation call.
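
The following added example (not part of the IBM documentation) splits the privileges above into two least-privilege roles, so that an application account that only calls services never receives write access to the metadata table. The role names, the metadata table RESTMETA.SERVICES, the service schema PAYROLL_SVC, and the user names are hypothetical placeholders.

```sql
-- Added example. Hypothetical names: roles REST_EXECUTOR and REST_AUTHOR,
-- metadata table RESTMETA.SERVICES, service schema PAYROLL_SVC,
-- users APPUSER1 and DEVUSER1. Run as an administrator.

CREATE ROLE REST_EXECUTOR;   -- accounts that only call existing services
CREATE ROLE REST_AUTHOR;     -- accounts that create, update, delete, describe services

-- Requesting a token: both roles need EXECUTE on the table function that
-- is used to determine whether the caller is an administrator.
GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID
  TO ROLE REST_EXECUTOR;
GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID
  TO ROLE REST_AUTHOR;

-- Executing a service: EXECUTE on the stored procedures in the service
-- schema only, not on procedures in other schemas.
GRANT EXECUTE ON PROCEDURE PAYROLL_SVC.* TO ROLE REST_EXECUTOR;

-- Creating, updating, and deleting services: DML on the metadata table.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE RESTMETA.SERVICES
  TO ROLE REST_AUTHOR;

-- Describing a REST SQL service.
GRANT EXECUTE ON PROCEDURE SYSPROC.ADMIN_CMD TO ROLE REST_AUTHOR;

-- Attach users to roles instead of granting to individual authorization IDs,
-- so that access can be withdrawn with a single REVOKE ROLE.
GRANT ROLE REST_EXECUTOR TO USER APPUSER1;
GRANT ROLE REST_AUTHOR   TO USER DEVUSER1;

-- Not shown: SELECT on the SYSCAT objects (the list above does not name the
-- specific ones) and the authority to run CREATE SCHEMA or DROP SCHEMA,
-- which depends on how database authorities are assigned at your site.
```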