Tenant data access authority (DATAACCESS)

Tenant DATAACCESS authority allows access to data within a specific tenant. This authority is the subset of the database DATAACCESS authority with its scope limited only to the tenant on which it is granted.

DATAACCESS authority can be granted only by the security administrator, who holds SECADM authority. It can be granted to a user, a group, or a role. PUBLIC cannot obtain the DATAACCESS authority either directly or indirectly.

For all tables, views, materialized query tables, and nicknames defined in a tenant it gives the following authority and privileges:

  • SELECT privilege
  • INSERT privilege
  • UPDATE privilege
  • DELETE privilege

In addition, tenant DATAACCESS authority provides the following privileges:

  • SELECT, INSERT, UPDATE, DELETE privilege on tables, views, nicknames, and materialized query tables belonging to the tenant.
  • EXECUTE privilege on packages, modules, and routines in the tenant (including Db2-defined packages, modules, and routines), except audit routines that are not defined at the tenant level.
  • READ privilege on all global variables that are defined within the tenant.
  • WRITE privilege on all global variables, except variables that are read-only.
  • USAGE privilege on all XSR objects and all sequences that are defined within the tenant.

The authority is the subset of the database DATAACCESS authority with its scope limited only to the tenant on which it is granted.