In grant management, a group privilege is a privilege that is assigned to a particular AUTHID for a group and its objects. You can optionally limit the group privilege to a particular time period. You can define multiple privileges for each group.

After adding a group privilege, Db2 Admin Tool generates any applicable pending privileges. You need to run the GRANT and REVOKE statements associated with those pending privileges to implement the authorizations.

Procedure

To manage group privileges for grant management:

1. On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
2. On the System Administration (ADB2Z) panel, specify option GM, and press Enter.
3. On the Grant Management Menu (ADB2ZGM) panel, specify option GP and optionally any filtering criteria, and press Enter.
   For group privileges, you can enter filtering criteria in the AUTHID, Creator, and Ends in fields.
   If no group privileges are defined (the ADBGMGP table is empty), the GM - Add Group Privilege (ADB2ZGRA) panel prompts you to add a privilege. Continue with step 2 (in Adding a group privilege).
   Otherwise, the GM - Manage Group Privileges (ADB2ZGGP) panel displays a list of group privileges.
4. Perform any of the following actions as needed to edit your privileges:

Adding a group privilege

1. On the GM - Manage Group Privileges (ADB2ZGGP) panel, issue the ADD command, and press Enter.
2. On the GM - Add Group Privilege (ADB2ZGRA) panel, specify the requested information:
   Tips:
   - Specify ? to look up a group name and privilege name.
   - Use the Start timestamp and End timestamp fields to specify a specific time frame for the privilege. These fields are optional. If no start timestamp is specified, the start timestamp will be the current timestamp when the ADBTEP2 job with ADMIN GM ADD GROUP PRIVILEGE is run. The end timestamp defines the expiration of GRANT access for the related group objects. If you specify an end timestamp, REVOKE statements will be generated with a start time (meaning the time the REVOKE statement is eligible to run) of the specified end timestamp.
   - The Description field is optional.
3. Press Enter.
   An ADBTEP2 job is generated with an ADMIN GM statement that adds the group privilege.
4. Submit the job to add the new group privilege.
   Tip: When you return to the GM - Manage Group Privileges (ADB2ZGGP) panel, you might need to issue the REFRESH command to see the new group privilege.

What to do next

If the group privilege is applicable to existing group objects, Db2 Admin Tool generates one or more pending privileges. To implement the privilege, run the statement in the pending privilege.

Updating a group privilege

For group privileges, you can update the start and end timestamps and the description.

Deleting a group privilege

When you delete a group privilege, any pending privileges with REVOKE statements are also deleted. Any pending privileges with GRANT statements remain.

Additionally, when deleting a group privilege, you can choose to revoke the associated privileges that have been granted. In this case, new REVOKE statements are generated, which you can subsequently run.

Procedure

1. On the GM - Manage Group Privileges (ADB2ZGGP) panel, specify the D line command next to the group privilege that you want to delete, and press Enter.
2. On the GM - Delete Group Privilege (ADB2ZGRA) panel, specify the privilege that you want to delete, and specify option 1 or 2 to indicate whether you want to revoke the privileges that are associated with the group privilege:
3. Press Enter.
   An ADBTEP2 job is generated with an ADMIN GM statement that deletes the group privilege.
4. Submit the job to delete the group privilege.
   Tip: When you return to the GM - Manage Group Privileges (ADB2ZGGP) panel, you might need to issue the REFRESH command to see the group privilege removed.
5. If you chose to also revoke the privileges, you need to run the REVOKE statements:
   a. Return to the Grant Management Menu (ADB2ZGM) panel.
   b. Specify PP, and press Enter.
   c. On the GM - Manage Pending Privileges (ADB2ZGPP) panel, run the REVOKE statements.