Tenant access control authority (ACCESSCTRL)

Tenant ACCESSCTRL authority allows users to grant and revoke privileges on objects within a specific tenant and on the tenant itself. Tenant ACCESSCTRL authority has no inherent privilege to access data stored in any tables or views.

Tenant ACCESSCTRL authority can be granted or revoked only by a user holding database SECADM or database ACCESSCTRL authority. A user with tenant ACCESSCTRL authority cannot grant the authority to, or revoke it from, other users. It can be granted to a user, a group, or a role. However, it cannot be granted with grant option, and it cannot be granted on any tenant whose name begins with "SYS". Additionally, PUBLIC cannot obtain tenant ACCESSCTRL authority, either directly or indirectly through a role.

Tenant ACCESSCTRL authority gives a user the ability to perform the following operations:

  • Grant and revoke the following tenant authorities and privileges:
    • TENANTADM
    • Tenant LOAD
    • Tenant DATAACCESS
    • CREATEIN
    • ALTERIN
    • DROPIN
    • UPDATEIN
    • SELECTIN
    • INSERTIN
    • DELETEIN
    • EXECUTEIN
    • USAGE
  • Grant and revoke all privileges on the following objects defined in a tenant:
    • Global Variable
    • Index
    • Nickname
    • Package
    • Routine (except audit routines)
    • Sequence
    • Table
    • View
    • XSR Objects

Tenant ACCESSCTRL authority is a subset of database ACCESSCTRL authority, with its scope limited to the tenant on which it is granted.