
Managing pending privileges for grant management
In grant management, a pending privilege is a group privilege that has been defined but has not been implemented. Pending privileges are generated by Db2 Admin Tool after you create a group privilege if the relevant group objects exist.
Procedure
To manage pending privileges for grant management:
- On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
- On the System Administration (ADB2Z) panel, specify option GM, and press Enter.
- On the Grant Management Menu (ADB2ZGM) panel, specify option PP and optionally any filtering criteria, and press Enter.
Figure 1. Grant Management Menu (ADB2ZGM) panel
    ADB2ZGM n ----------------- DD1A Grant Management Menu ------------------ 13:53
    Option ===> PP

                                                        Db2 System: DD1A
                                                        Db2 SQL ID: ADM001
    G  - Groups                 GO - Group objects
    P  - Privileges             GP - Group privileges
    S  - SSIDs                  PP - Pending privileges

    Enter standard selection criteria:
    Name . . . . >             Creator . . . >             Type . . . .
    AUTHID . . . >             Qualifier . . >             SSID . . . .
    Ends in <=. . >            (e.g. n DAYS or n MONTHS)
For pending privileges, you can enter filtering criteria in the Name, AUTHID, Creator, SSID, and Ends in fields.
If no pending privileges are defined (the ADBGMPP table is empty), you have no privileges to manage. You must first add a group privilege.
Tip: If you have already added a group privilege and still do not see any pending privileges, ensure that you have expanded any generic objects and that the defined group privileges are applicable to your group objects. For example, if your group privilege applies to functions, but your objects include only tables, no pending privileges are generated. For more information, see When pending privileges are generated in grant management.
Otherwise, the GM - Manage Pending Privileges (ADB2ZGPP) panel displays a list of grant management privileges.
Figure 2. GM - Manage Pending Privileges (ADB2ZGPP) panel
    ADB2ZGPP ------------- DD1A GM - Manage Pending Privileges   Row 1 to 13 of 62
    Command ===>                                                  Scroll ===> PAGE
                                                                           More: >
    Commands: CLEANUP DELETE RUN DISFAILED
    Line commands:
     C - Cleanup  D - Delete  G - Group  GP - Group privilege  I - Interpret
     P - Privilege  R - Run  S - SSID  ? - Show all line commands

    Sel AUTHID   R Group Name       Privilege Name   P Statement
        *        * *                *                * *
    --- -------> - ---------------> ---------------> - --------------------------->
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
Tips:
- Scroll right to see more columns, such as any error messages that were returned by previous attempts to run the statement in a pending privilege.
- Use the / line command to view all the details for a particular privilege.
- To display only those privileges that are pending (meaning that the GRANT or REVOKE statements have not been run), type a Y in the search argument area under the P column:
    Sel AUTHID   R Group Name       Privilege Name   P Statement
        *        * *                *                Y *
    --- -------> - ---------------> ---------------> - --------------------------->
- To display only those privileges for which the statements were previously run but failed, issue the DISFAILED command. Then use the Run SQL Code and Error Message columns to determine why the privilege failed.
- Perform any of the following actions as needed to run or manage your privileges:

Running the statements in pending privileges
Before you begin
Procedure
- On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the R line command or the RUN primary command.
- On the GM - Run Pending Privileges (ADB2ZGPR) panel, specify the appropriate information to identify the privilege or privileges whose statements you want to run:
Figure 3. GM - Run Pending Privileges (ADB2ZGPR) panel
    ADB2ZGPR ------------- DD1A GM - Run Pending Privileges ---------------- 19:05
    Command ===>

    Run pending privileges using the following options:

    Group name . . . . . . . KWAPP            > (? for lookup)
    SSID . . . . . . . . . . DD1A   (? for lookup, blank - all SSIDs)
    SQLID . . . . . . . . . .         > (optional)
    Preview . . . . . . . . .       (Yes/No, default is No)
      As of . . . . . . . . .
    Remove . . . . . . . . .        (Yes/No, default is No)
Important: Any privileges that match the panel criteria (Group name and SSID) are run. If you specified the R line command, these fields are populated based on the privilege that you selected; however, any other privileges that match these criteria are also run.
Only privileges (GRANT and REVOKE statements) with a start timestamp that is equal to or later than the current timestamp are eligible to have their statements run. After a successful run, the privilege will have a status of Pending=N [the P column on the GM - Manage Pending Privileges (ADB2ZGPP) panel]. Privileges for which the statements are not run (either they failed or have a future start timestamp) will continue to have a status of Pending=Y.
Tips:
- Run this process in preview mode (Preview = YES) to view all of the GRANT (or REVOKE) statements without actually executing them.
- To clean up (remove) the privileges whose statements are successfully run so that they are no longer listed on the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify Remove = YES.
- Press Enter.
  An ADBTEP2 job is generated with an ADMIN GM statement that runs the statement or statements in the pending privilege or privileges.
- Submit the job to implement the privilege or privileges.
  If you ran in preview mode, you can view the list of GRANT (or REVOKE) statements in the job output, as part of message ADB5800I.


Cleaning up pending privileges
You can clean up the pending privileges list to remove either the privileges whose statements have run successfully or only those privileges whose statements have failed; you specify the cleanup criteria. Those privileges that qualify are deleted from the ADBGMPP table.
The cleanup function can delete only those privileges that are no longer pending (the P column = N) or those that returned an error (the Run SQL Code column > 0 ). To delete privileges that are still pending (the P column = Y), use the delete function; see Deleting a pending privilege.
Before you begin
Procedure
- On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the CLEANUP command, and press Enter.
- On the GM - Cleanup Pending Privileges (ADB2ZGPR) panel, specify your cleanup criteria:
Figure 4. GM - Cleanup Pending Privileges (ADB2ZGPR) panel
    ADB2ZGPR ------------- DD1A GM - Cleanup Pending Privileges ------------ 19:28
    Command ===>

    Cleanup pending privileges using the following options:

    Group name . . . . . . .                  > (? for lookup)
    SSID . . . . . . . . . .        (? for lookup, blank - all SSIDs)
    Failed only . . . . . . .       (Yes/No, default is No)
    Preview . . . . . . . . .       (Yes/No, default is No)
Tips:
- Run the cleanup function in preview mode (Preview = YES) to view the privileges that would be deleted without actually deleting them.
- Specify Failed only = YES to delete only those privileges that have failed and meet the other specified criteria on this panel. Other privileges remain, regardless of whether they are pending (the P column = Y) or not pending (the P column = N).
- Press Enter.
  An ADBTEP2 job is generated with an ADMIN GM statement that cleans up the pending privilege or privileges.
- Submit the job to clean up the privileges.
  If you ran in preview mode, the privileges that would be deleted are listed in the job output, as part of message ADB5800I.


Deleting a pending privilege
You can delete any pending privileges from the ADBGMPP table. For example, you might decide that you do not want to implement certain GRANT or REVOKE statements.
The delete function can delete only those privileges that are still pending (the P column = Y). To clean up privileges that are no longer pending or have returned errors, use the cleanup function instead; see Cleaning up pending privileges.
Before you begin
Procedure
- On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the D line command or the DELETE primary command, and press Enter.
- On the GM - Delete Pending Privileges (ADB2ZGPR) panel, specify any deletion criteria:
Figure 5. GM - Delete Pending Privileges (ADB2ZGPR) panel
    ADB2ZGPR ------------- DD1A GM - Delete Pending Privileges ------------- 19:50
    Command ===>

    Delete pending privileges using the following options:

    Group name . . . . . . .                  > (? for lookup)
    AUTHID . . . . . . . . .          > (? for lookup)
    Role . . . . . . . . . .        (Yes/No)
    SSID . . . . . . . . . .        (? for lookup, blank - all SSIDs)
    Preview . . . . . . . . .       (Yes/No, default is No)
Tip: Run the delete function in preview mode (Preview = YES) to view the privileges that would be deleted without actually deleting them.
- Press Enter.
  An ADBTEP2 job is generated with an ADMIN GM statement that deletes the pending privilege or privileges.
- Submit the job to delete the privileges.
  If you ran in preview mode, the privileges that would be deleted are listed in the job output, as part of message ADB5800I.
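
The scope rules stated for the run, cleanup and delete functions in the three procedures above can be worked through on sample rows before a job is submitted. The following Python model is an added example, not IBM code or part of Db2 Admin Tool. Assumptions: the Row layout, blank Group name and AUTHID matching everything, and the sample values DD1B, OTHERGRP, TS5773 and 551; the start-timestamp check and the Role field are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Row:
    """One constructed row of the pending-privileges list (not the real ADBGMPP layout)."""
    authid: str
    group: str
    ssid: str
    pending: str                   # P column: "Y" or "N"
    sqlcode: Optional[int] = None  # Run SQL Code column; None = never run

def _match(row: Row, group: str = "", ssid: str = "", authid: str = "") -> bool:
    # Assumption: a blank criterion matches everything (the panels state this only for SSID).
    return ((not group or row.group == group) and (not ssid or row.ssid == ssid)
            and (not authid or row.authid == authid))

def _failed(row: Row) -> bool:
    # "Returned an error" as the page words it: Run SQL Code column > 0.
    return row.sqlcode is not None and row.sqlcode > 0

def run_scope(rows: List[Row], group: str, ssid: str = "") -> List[Row]:
    # RUN or R: every still-pending row matching Group name and SSID, not only the selected row.
    return [r for r in rows if _match(r, group, ssid) and r.pending == "Y"]

def cleanup_scope(rows: List[Row], group: str = "", ssid: str = "",
                  failed_only: bool = False) -> List[Row]:
    # CLEANUP: rows that are no longer pending (P = N) or that returned an error.
    return [r for r in rows if _match(r, group, ssid)
            and (_failed(r) if failed_only else (r.pending == "N" or _failed(r)))]

def delete_scope(rows: List[Row], group: str = "", authid: str = "", ssid: str = "") -> List[Row]:
    # DELETE or D: only rows that are still pending (P = Y).
    return [r for r in rows if _match(r, group, ssid, authid) and r.pending == "Y"]

# Constructed sample rows; DD1B, OTHERGRP, TS5773 and the code 551 are made up.
ROWS = [
    Row("TS5771", "KWAPP", "DD1A", "Y"),
    Row("TS5772", "KWAPP", "DD1A", "Y"),
    Row("TS5771", "KWAPP", "DD1B", "Y"),
    Row("TS5772", "KWAPP", "DD1A", "N", 0),    # ran successfully
    Row("TS5771", "KWAPP", "DD1A", "Y", 551),  # ran and failed, so still pending
    Row("TS5773", "OTHERGRP", "DD1A", "Y"),
]

if __name__ == "__main__":
    sel = ROWS[0]  # the operator types R next to this single row
    print("R on one row runs:", len(run_scope(ROWS, sel.group, sel.ssid)), "rows")
    print("same, SSID blanked:", len(run_scope(ROWS, sel.group)), "rows")
    print("cleanup:", cleanup_scope(ROWS, "KWAPP", "DD1A"))
    print("cleanup, failed only:", cleanup_scope(ROWS, "KWAPP", "DD1A", failed_only=True))
    print("delete TS5771:", delete_scope(ROWS, group="KWAPP", authid="TS5771"))
```

In this model a failed row (P = Y with an error code) falls within both the cleanup scope and the delete scope, and selecting one row with R covers three rows, so preview mode is the place to confirm the actual list.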

