
Managing group privileges for grant management

In grant management, a group privilege is a privilege that is assigned to a particular AUTHID for a group and its objects. You can optionally limit the group privilege to a particular time period. You can define multiple privileges for each group.

After adding a group privilege, Db2 Admin Tool generates any applicable pending privileges. You need to run the GRANT and REVOKE statements associated with those pending privileges to implement the authorizations.

Procedure

To manage group privileges for grant management:

  1. On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
  2. On the System Administration (ADB2Z) panel, specify option GM, and press Enter.
  3. On the Grant Management Menu (ADB2ZGM) panel, specify option GP and, optionally, any filtering criteria, and press Enter.
    Figure 1. Grant Management Menu (ADB2ZGM) panel
    ADB2ZGM n ----------------- DD1A Grant Management Menu ------------------ 13:53
    Option ===> GP                                                                     
                                                                                   
                                                             Db2 System: DD1A      
                                                             Db2 SQL ID: ADM001    
                                                                                   
     G - Groups                                 GO - Group objects                 
     P - Privileges                             GP - Group privileges              
     S - SSIDs                                  PP - Pending privileges            
                                                                                   
    Enter standard selection criteria:                                             
     Name  . . . .                            > Creator . . .            >         
     Type  . . . .                              AUTHID  . . .            >         
     Qualifier . .                            > SSID  . . . .                      
     Ends in <=. .                            > (e.g. n DAYS or n MONTHS)          
                                                                                   

    For group privileges, you can enter filtering criteria in the AUTHID, Creator, and Ends in fields.

    If no group privileges are defined (the ADBGMGP table is empty), the GM - Add Group Privilege (ADB2ZGRA) panel prompts you to add a privilege. Continue with step 2 (in Adding a group privilege).

    Otherwise, the GM - Manage Group Privileges (ADB2ZGGP) panel displays a list of group privileges.

    Figure 2. GM - Manage Group Privileges (ADB2ZGGP) panel
    ADB2ZGGP  -------------- DD1A GM - Manage Group Privileges --- Row 1 to 1 of 1 
    Command ===>                                                  Scroll ===> PAGE 
                                                                         More: >   
    Commands: ADD  DELETE                                                          
    Line commands:                                                                 
     A - Add  D - Delete  G - Group  I - Interpret  P - Privilege                  
     PP - Pending privileges  U - Update  ? - Show all line commands               
                                                                                   
    Sel AUTHID   R Group Name       Privilege Name   Description                   
        *        * *                *                *                             
    --- -------> - ---------------> ---------------> ----------------------------->
        TS6462     MYAPP1           TABPRIV                                        
    ******************************* END OF DB2 DATA *******************************
  4. Perform any of the following actions as needed to edit your privileges:

Adding a group privilege

Before you begin

If the GM - Manage Group Privileges (ADB2ZGGP) panel is not displayed, complete the steps in Managing group privileges for grant management.

Procedure

  1. On the GM - Manage Group Privileges (ADB2ZGGP) panel, issue the ADD command, and press Enter.
  2. On the GM - Add Group Privilege (ADB2ZGRA) panel, specify the requested information:
    Figure 3. GM - Add Group Privilege (ADB2ZGRA) panel
    ADB2ZGRA  -------------- DD1A GM - Add Group Privilege     Enter required field 
    Command ===>                                                                   
                                                                                   
    Add group privilege using the following options:                               
                                                                                   
    AUTHID  . . . . . . . . . TS6462                       >                       
    Role  . . . . . . . . . . N                              (Yes/No)              
    Group name  . . . . . . . MYAPP1                       > (? for lookup)        
    Privilege name  . . . . . TABPRIV                      > (? for lookup)        
    Start timestamp . . . . .                                                      
    End timestamp . . . . . .                                                      
    Description . . . . . . .                              >                       
    Tips:
    • Specify ? to look up a group name and privilege name.
    • Use the Start timestamp and End timestamp fields to specify a specific time frame for the privilege. These fields are optional. If no start timestamp is specified, the start timestamp will be the current timestamp when the ADBTEP2 job with ADMIN GM ADD GROUP PRIVILEGE is run. The end timestamp defines the expiration of GRANT access for the related group objects. If you specify an end timestamp, REVOKE statements will be generated with a start time (meaning the time the REVOKE statement is eligible to run) of the specified end timestamp.
    • The Description field is optional.
  3. Press Enter.
    An ADBTEP2 job is generated with an ADMIN GM statement that adds the group privilege.
  4. Submit the job to add the new group privilege.
    Tip: When you return to the GM - Manage Group Privileges (ADB2ZGGP) panel, you might need to issue the REFRESH command to see the new group privilege.

What to do next

If the group privilege is applicable to existing group objects, Db2 Admin Tool generates one or more pending privileges. To implement the privilege, run the statement in the pending privilege.

Updating a group privilege

For group privileges, you can update the start and end timestamps and the description.

Before you begin

If the GM - Manage Group Privileges (ADB2ZGGP) panel is not displayed, complete the steps in Managing group privileges for grant management.

Procedure

  1. On the GM - Manage Group Privileges (ADB2ZGGP) panel, specify the U line command next to the group privilege that you want to update, and press Enter.
  2. On the GM - Update Group Privilege (ADB2ZGRA) panel, specify your updates:
    Figure 4. GM - Update Group Privilege (ADB2ZGRA) panel
    ADB2ZGRA  -------------- DD1A GM - Update Group Privilege --------------- 21:16
    Command ===>                                                                   
                                                                                   
    Update group privilege using the following options:                            
                                                                                   
    AUTHID  . . . . . . . . : TS7751                       >                       
    Role  . . . . . . . . . : NO                                                   
    Group name  . . . . . . : KWAPP                        >     
    Privilege name  . . . . . READTAB                      > (optional, ? for lookup)                   
    Start timestamp . . . . . 2023-07-19-13.08.30                                  
    End timestamp . . . . . . 2024-07-19-13.08.30     
    Description . . . . . . .                              >                       
  3. Press Enter.
    An ADBTEP2 job is generated with an ADMIN GM statement that updates the group privilege.
  4. Submit the job to update the group privilege.

Deleting a group privilege

Before you begin

If the GM - Manage Group Privileges (ADB2ZGGP) panel is not displayed, complete the steps in Managing group privileges for grant management.

About this task

When you delete a group privilege, any pending privileges with REVOKE statements are also deleted. Any pending privileges with GRANT statements remain.

Additionally, when deleting a group privilege, you can choose to revoke the associated privileges that have been granted. In this case, new REVOKE statements are generated, which you can subsequently run.
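The following Python model is an added illustration of the pending-privilege life cycle described here and in Adding a group privilege; it is not part of Db2 Admin Tool, and the group-object list, the TABPRIV definition and the table names are constructed. It shows how an end timestamp becomes a REVOKE whose start time is that timestamp, and what a delete does to the pending list with and without NOREVOKE.

```python
from dataclasses import dataclass

@dataclass
class GroupPrivilege:
    authid: str
    group: str
    privilege: str
    start: str = ""   # Start timestamp, Db2 format YYYY-MM-DD-HH.MM.SS ("" = none given)
    end: str = ""     # End timestamp, same format ("" = no expiration)

    def key(self):
        return (self.authid, self.group, self.privilege)

@dataclass
class Pending:
    key: tuple        # group privilege the statement belongs to
    kind: str         # "GRANT" or "REVOKE"
    sql: str
    start_time: str   # earliest time the statement is eligible to run (fixed width, so str compare orders it)

def add_group_privilege(gp, group_objects, privilege_defs, run_ts, pending):
    """ADD: one GRANT per group object, eligible at the start timestamp (or the job
    run time when none was given); an end timestamp adds a REVOKE starting then."""
    actions = ", ".join(privilege_defs[gp.privilege])
    out = list(pending)
    for obj in group_objects[gp.group]:
        out.append(Pending(gp.key(), "GRANT",
                           f"GRANT {actions} ON TABLE {obj} TO {gp.authid}", gp.start or run_ts))
        if gp.end:
            out.append(Pending(gp.key(), "REVOKE",
                               f"REVOKE {actions} ON TABLE {obj} FROM {gp.authid}", gp.end))
    return out

def delete_group_privilege(gp, group_objects, privilege_defs, run_ts, pending, norevoke=False):
    """DELETE: pending REVOKEs for the privilege are dropped, pending GRANTs stay;
    unless NOREVOKE is set, fresh REVOKE statements are generated, eligible at once."""
    out = [p for p in pending if not (p.key == gp.key() and p.kind == "REVOKE")]
    if not norevoke:
        actions = ", ".join(privilege_defs[gp.privilege])
        for obj in group_objects[gp.group]:
            out.append(Pending(gp.key(), "REVOKE",
                               f"REVOKE {actions} ON TABLE {obj} FROM {gp.authid}", run_ts))
    return out

def eligible(pending, at_ts):
    """SQL of the pending statements whose start time has been reached, oldest first."""
    return [p.sql for p in sorted(pending, key=lambda p: p.start_time) if p.start_time <= at_ts]

# Constructed sample data (not from the page): MYAPP1 owns two tables; TABPRIV means SELECT and INSERT.
GROUP_OBJECTS = {"MYAPP1": ["MYAPP.CUSTOMER", "MYAPP.ORDERS"]}
PRIVILEGE_DEFS = {"TABPRIV": ["SELECT", "INSERT"]}
```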

Procedure

  1. On the GM - Manage Group Privileges (ADB2ZGGP) panel, specify the D line command next to the group privilege that you want to delete, and press Enter.
  2. On the GM - Delete Group Privilege (ADB2ZGRA) panel, specify the privilege that you want to delete, and specify option 1 or 2 to indicate whether you want to revoke the privileges that are associated with the group privilege:
    Figure 5. GM - Delete Group Privilege (ADB2ZGRA) panel
    ADB2ZGRA  -------------- DD1A GM - Delete Group Privilege --------------- 17:50
    Command ===>                                                                   
                                                                                   
    Delete group privilege using the following options:                            
                                                                                   
    AUTHID  . . . . . . . . . TS6462                       >                       
    Role  . . . . . . . . . . NO                             (Yes/No)              
    Group name  . . . . . . . MYAPP1                       > (? for lookup)        
    Privilege name  . . . . . TABPRIV                      > (? for lookup)        
    NOREVOKE  . . . . . . . .                                (Yes/No)              
  3. Press Enter.
    An ADBTEP2 job is generated with an ADMIN GM statement that deletes the group privilege.
  4. Submit the job to delete the group privilege.
    Tip: When you return to the GM - Manage Group Privileges (ADB2ZGGP) panel, you might need to issue the REFRESH command to see that the group privilege has been removed.
  5. If you chose to also revoke the privileges, you need to run the REVOKE statements:
    1. Return to the Grant Management Menu (ADB2ZGM) panel.
    2. Specify PP, and press Enter.
    3. On the GM - Manage Pending Privileges (ADB2ZGPP) panel, run the REVOKE statements.

      For instructions on running the REVOKE statements in pending privileges, see Running the statements in pending privileges.

      Alternatively, if you no longer want to run these REVOKE statements, you can delete them from the list. See Deleting a pending privilege.
