In grant management, a pending privilege is a group privilege that has been defined but has not been implemented. Pending privileges are generated by Db2 Admin Tool after you create a group privilege if the relevant group objects exist.
Procedure
To manage pending privileges for grant management:
On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
On the System Administration (ADB2Z) panel, specify option GM, and press Enter.
On the Grant Management Menu (ADB2ZGM) panel, specify option PP and optionally any filtering criteria and press Enter.
For pending privileges, you can enter filtering criteria in the Name, AUTHID, Creator, SSID, and Ends in fields.
If no pending privileges are defined (the ADBGMPP table is empty), you have no privileges to manage. You must first add a group privilege.
Tip: If you have already added a group privilege and still do not see any pending privileges, ensure that you have expanded any generic objects and that the defined group privileges are applicable to your group objects. For example, if your group privilege applies to functions, but your objects include only tables, no pending privileges are generated. For more information, see "When pending privileges are generated in grant management."
Otherwise, the GM - Manage Pending Privileges (ADB2ZGPP) panel displays a list of grant management privileges.
Tips:
Scroll right to see more columns, such as any error messages that were returned by previous attempts to run the statement in a pending privilege.
Use the / line command to view all the details for a particular privilege.
To display only those privileges that are pending (meaning that the GRANT or REVOKE statements have not been run), type a Y in the search argument area under the P column:
Sel AUTHID   R Group Name       Privilege Name   P Statement
    *        * *                *                Y *
--- -------> - ---------------> ---------------> - --------------------------->
To display only those privileges for which the statements were previously run but failed, issue the DISFAILED command. Then use the Run SQL Code and Error Message columns to determine why the privilege failed.
Perform any of the following actions as needed to run or manage your privileges:
On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the R line command or the RUN primary command.
On the GM - Run Pending Privileges (ADB2ZGPR) panel, specify the appropriate information to identify the privilege or privileges whose statements you want to run:
Important: Any privileges that match the panel criteria (Group name and SSID) are run. If you specified the R line command, these fields are populated based on the privilege that you selected; however, any other privileges that match these criteria are also run.
Only privileges (GRANT and REVOKE statements) with a start timestamp that is equal to or later than the current timestamp are eligible to have their statements run. After a successful run, the privilege has a status of Pending=N (the P column on the GM - Manage Pending Privileges (ADB2ZGPP) panel).
Privileges for which the statements are not run (either they failed or have a future start timestamp) continue to have a status of Pending=Y.
Tips:
Run this process in preview mode (Preview = YES) to view all of the GRANT (or REVOKE) statements without actually executing them.
To clean up (remove) the privileges whose statements are successfully run so that they are no longer listed on the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify Remove = YES.
Press Enter.
An ADBTEP2 job is generated with an ADMIN GM statement that runs the statement or statements in the pending privilege or privileges.
Submit the job to implement the privilege or privileges.
If you ran in preview mode, you can view the list of GRANT (or REVOKE) statements in the job output, as part of message ADB5800I.
Cleaning up pending privileges
You can clean up the pending privileges list to remove either the privileges whose statements have run successfully or only those privileges whose statements have failed; you specify the cleanup criteria. Those privileges that qualify are deleted from the ADBGMPP table.
The cleanup function can delete only those privileges that are no longer pending (the P column = N) or those that returned an error (the Run SQL Code column > 0). To delete privileges that are still pending (the P column = Y), use the delete function; see "Deleting a pending privilege."
On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the CLEANUP command, and press Enter.
On the GM - Cleanup Pending Privileges (ADB2ZGPR) panel, specify your cleanup criteria:
Tips:
Run the cleanup function in preview mode (Preview = YES) to view the privileges that would be deleted without actually deleting them.
Specify Failed only = YES to delete only those privileges that have failed and meet the other specified criteria on this panel. Other privileges remain, regardless of whether they are pending (the P column = Y) or not pending (the P column = N).
Press Enter.
An ADBTEP2 job is generated with an ADMIN GM statement that cleans up the pending privilege or privileges.
Submit the job to clean up the privileges.
If you ran in preview mode, the privileges that would be deleted are listed in the job output, as part of message ADB5800I.
Deleting a pending privilege
You can delete any pending privileges from the ADBGMPP table. For example, you might decide that you do not want to implement certain GRANT or REVOKE statements.
The delete function can delete only those privileges that are still pending (the P column = Y). To clean up privileges that are no longer pending or have returned errors, use the cleanup function instead; see "Cleaning up pending privileges."