Managing pending privileges for grant management

In grant management, a pending privilege is a group privilege that has been defined but has not been implemented. Pending privileges are generated by Db2 Admin Tool after you create a group privilege if the relevant group objects exist.

Procedure

To manage pending privileges for grant management:

  1. On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
  2. On the System Administration (ADB2Z) panel, specify option GM, and press Enter.
  3. On the Grant Management Menu (ADB2ZGM) panel, specify option PP and, optionally, any filtering criteria, and press Enter.
    Figure 1. Grant Management Menu (ADB2ZGM) panel
    ADB2ZGM n ----------------- DD1A Grant Management Menu ------------------ 13:53
    Option ===> PP                                                                     
                                                                                   
                                                             Db2 System: DD1A      
                                                             Db2 SQL ID: ADM001    
                                                                                   
     G - Groups                                 GO - Group objects                 
     P - Privileges                             GP - Group privileges              
     S - SSIDs                                  PP - Pending privileges            
                                                                                   
    Enter standard selection criteria:                                             
     Name  . . . .                            > Creator . . .            >         
     Type  . . . .                              AUTHID  . . .            >         
     Qualifier . .                            > SSID  . . . .                      
     Ends in <=. .                            > (e.g. n DAYS or n MONTHS)          
                                                                                   

    For pending privileges, you can enter filtering criteria in the Name, AUTHID, Creator, SSID, and Ends in fields.

    If no pending privileges are defined (the ADBGMPP table is empty), you have no privileges to manage. You must first add a group privilege.

    Tip: If you have already added a group privilege and still do not see any pending privileges, ensure that you have expanded any generic objects and that the defined group privileges are applicable to your group objects. For example, if your group privilege applies to functions, but your objects include only tables, no pending privileges are generated. For more information, see When pending privileges are generated in grant management.

    Otherwise, the GM - Manage Pending Privileges (ADB2ZGPP) panel displays a list of grant management privileges.

    Figure 2. GM - Manage Pending Privileges (ADB2ZGPP) panel
    ADB2ZGPP  ------------- DD1A GM - Manage Pending Privileges  Row 1 to 13 of 62 
    Command ===>                                                  Scroll ===> PAGE 
                                                                         More: >   
    Commands: CLEANUP  DELETE  RUN  DISFAILED                                      
    Line commands:                                                                 
     C - Cleanup  D - Delete  G - Group  GP - Group privilege  I - Interpret       
     P - Privilege  R - Run  S - SSID  ? - Show all line commands                  
                                                                                   
    Sel AUTHID   R Group Name       Privilege Name   P Statement                   
        *        * *                *                * *                           
    --- -------> - ---------------> ---------------> - --------------------------->
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5772     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
        TS5771     KWAPP            PROCPRIV         Y GRANT EXECUTE ON PROCEDURE "
    Tips:
    • Scroll right to see more columns, such as any error messages that were returned by previous attempts to run the statement in a pending privilege.
    • Use the / line command to view all the details for a particular privilege.
    • To display only those privileges that are pending (meaning that the GRANT or REVOKE statements have not been run), type a Y in the search argument area under the P column:
      
      Sel AUTHID   R Group Name       Privilege Name   P Statement                   
          *        * *                *                Y *                           
      --- -------> - ---------------> ---------------> - --------------------------->
    • To display only those privileges for which the statements were previously run but failed, issue the DISFAILED command. Then use the Run SQL Code and Error Message columns to determine why the privilege failed.
  4. Perform any of the following actions as needed to run or manage your privileges:

Running the statements in pending privileges

Before you begin

If the GM - Manage Pending Privileges (ADB2ZGPP) panel is not displayed, complete the steps in Managing pending privileges for grant management.

Procedure

  1. On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the R line command or the RUN primary command.
  2. On the GM - Run Pending Privileges (ADB2ZGPR) panel, specify the appropriate information to identify the privilege or privileges whose statements you want to run:
    Figure 3. GM - Run Pending Privileges (ADB2ZGPR) panel
    ADB2ZGPR  ------------- DD1A GM - Run Pending Privileges ---------------- 19:05
    Command ===>                                                                   
                                                                                   
    Run pending privileges using the following options:                            
                                                                                   
    Group name  . . . . . . . KWAPP            > (? for lookup)                    
    SSID  . . . . . . . . . . DD1A               (? for lookup, blank - all SSIDs) 
    SQLID . . . . . . . . . .                  > (optional)                        
    Preview . . . . . . . . .                    (Yes/No, default is No)           
     As of  . . . . . . . . .                                                      
    Remove  . . . . . . . . .                    (Yes/No, default is No)           
                                                                                   
                                                                                   
                                                                                   
    Important: Any privileges that match the panel criteria (Group name and SSID) are run. If you specified the R line command, these fields are populated based on the privilege that you selected; however, any other privileges that match these criteria are also run.

    Only privileges (GRANT and REVOKE statements) with a start timestamp that is equal to or later than the current timestamp are eligible to have their statements run. After a successful run, the privilege has a status of Pending=N [the P column on the GM - Manage Pending Privileges (ADB2ZGPP) panel]. Privileges for which the statements are not run (either they failed or have a future start timestamp) continue to have a status of Pending=Y.

    Tips:
    • Run this process in preview mode (Preview = YES) to view all of the GRANT (or REVOKE) statements without actually executing them.
    • To clean up (remove) the privileges whose statements are successfully run so that they are no longer listed on the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify Remove = YES.
  3. Press Enter.
    An ADBTEP2 job is generated with an ADMIN GM statement that runs the statement or statements in the pending privilege or privileges.
  4. Submit the job to implement the privilege or privileges.
    If you ran in preview mode, you can view the list of GRANT (or REVOKE) statements in the job output, as part of message ADB5800I.

Cleaning up pending privileges

You can clean up the pending privileges list to remove either the privileges whose statements have run successfully or only those privileges whose statements have failed; you specify the cleanup criteria. Those privileges that qualify are deleted from the ADBGMPP table.

The cleanup function can delete only those privileges that are no longer pending (the P column = N) or those that returned an error (the Run SQL Code column > 0). To delete privileges that are still pending (the P column = Y), use the delete function; see Deleting a pending privilege.

Before you begin

If the GM - Manage Pending Privileges (ADB2ZGPP) panel is not displayed, complete the steps in Managing pending privileges for grant management.

Procedure

  1. On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the CLEANUP command, and press Enter.
  2. On the GM - Cleanup Pending Privileges (ADB2ZGPR) panel, specify your cleanup criteria:
    Figure 4. GM - Cleanup Pending Privileges (ADB2ZGPR) panel
    ADB2ZGPR  ------------- DD1A GM - Cleanup Pending Privileges ------------ 19:28
    Command ===>                                                                   
                                                                                   
    Cleanup pending privileges using the following options:                        
                                                                                   
    Group name  . . . . . . .                  > (? for lookup)                    
    SSID  . . . . . . . . . .                    (? for lookup, blank - all SSIDs) 
    Failed only . . . . . . .                    (Yes/No, default is No)           
    Preview . . . . . . . . .                    (Yes/No, default is No)           
    Tips:
    • Run the cleanup function in preview mode (Preview = YES) to view the privileges that would be deleted without actually deleting them.
    • Specify Failed only = YES to delete only those privileges that have failed and meet the other specified criteria on this panel. Other privileges remain, regardless of whether they are pending (the P column = Y) or not pending (the P column = N).
  3. Press Enter.
    An ADBTEP2 job is generated with an ADMIN GM statement that cleans up the pending privilege or privileges.
  4. Submit the job to clean up the privileges.
    If you ran in preview mode, the privileges that would be deleted are listed in the job output, as part of message ADB5800I.

Deleting a pending privilege

You can delete any pending privileges from the ADBGMPP table. For example, you might decide that you do not want to implement certain GRANT or REVOKE statements.

The delete function can delete only those privileges that are still pending (the P column = Y). To clean up privileges that are no longer pending or have returned errors, use the cleanup function instead; see Cleaning up pending privileges.

Before you begin

If the GM - Manage Pending Privileges (ADB2ZGPP) panel is not displayed, complete the steps in Managing pending privileges for grant management.

Procedure

  1. On the GM - Manage Pending Privileges (ADB2ZGPP) panel, specify the D line command or the DELETE primary command, and press Enter.
  2. On the GM - Delete Pending Privileges (ADB2ZGPR) panel, specify any deletion criteria:
    Figure 5. GM - Delete Pending Privileges (ADB2ZGPR) panel
    ADB2ZGPR  ------------- DD1A GM - Delete Pending Privileges ------------- 19:50
    Command ===>                                                                   
                                                                                   
    Delete pending privileges using the following options:                         
                                                                                   
    Group name  . . . . . . .                  > (? for lookup)                    
    AUTHID  . . . . . . . . .                  > (? for lookup)                    
    Role  . . . . . . . . . .                    (Yes/No)                          
    SSID  . . . . . . . . . .                    (? for lookup, blank - all SSIDs) 
    Preview . . . . . . . . .                    (Yes/No, default is No)           
    Tip: Run the delete function in preview mode (Preview = YES) to view the privileges that would be deleted without actually deleting them.
  3. Press Enter.
    An ADBTEP2 job is generated with an ADMIN GM statement that deletes the pending privilege or privileges.
  4. Submit the job to delete the privileges.
    If you ran in preview mode, the privileges that would be deleted are listed in the job output, as part of message ADB5800I.
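
The scoping rules of the run, cleanup, and delete functions described above, modeled as an added example (not IBM code and not part of Db2 Admin Tool) for reasoning about which list rows a job would touch before you submit it. The Row fields, function names, and sample rows are constructed for illustration; a blank group name is assumed to match all groups, and start-timestamp eligibility is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Row:
    """One constructed row of the pending privileges list (field names are illustrative)."""
    authid: str
    group: str
    ssid: str
    pending: str      # P column: "Y" or "N"
    sqlcode: int = 0  # Run SQL Code column; the cleanup rule on this page is "> 0"

def in_scope(row, group="", ssid=""):
    # Blank SSID means all SSIDs (per the panels); blank group is an assumption.
    return group in ("", row.group) and ssid in ("", row.ssid)

def run_targets(rows, group, ssid=""):
    """Run: every pending row that matches Group name and SSID, not only the
    row on which the R line command was entered."""
    return [r for r in rows if in_scope(r, group, ssid) and r.pending == "Y"]

def cleanup_targets(rows, group="", ssid="", failed_only=False):
    """Cleanup: rows that are no longer pending (P = N) or that returned an error."""
    hits = []
    for r in rows:
        failed = r.sqlcode > 0
        if in_scope(r, group, ssid) and (failed or (r.pending == "N" and not failed_only)):
            hits.append(r)
    return hits

def delete_targets(rows, group="", authid="", ssid=""):
    """Delete: only rows that are still pending (P = Y)."""
    return [r for r in rows if in_scope(r, group, ssid)
            and authid in ("", r.authid) and r.pending == "Y"]

# Constructed sample rows, reusing the AUTHID, group, and SSID names from the figures.
ROWS = [
    Row("TS5771", "KWAPP", "DD1A", "Y"),
    Row("TS5772", "KWAPP", "DD1A", "Y"),
    Row("TS5771", "KWAPP", "DD1A", "N"),               # already run successfully
    Row("TS5772", "KWAPP", "DD1A", "Y", sqlcode=551),  # constructed failed run, still pending
    Row("TS5771", "OTHER", "DD1A", "Y"),               # hypothetical second group
]

if __name__ == "__main__":
    print("run:", len(run_targets(ROWS, "KWAPP", "DD1A")))
    print("cleanup:", len(cleanup_targets(ROWS, "KWAPP")))
    print("cleanup, failed only:", len(cleanup_targets(ROWS, "KWAPP", failed_only=True)))
    print("delete:", len(delete_targets(ROWS, "KWAPP", authid="TS5772")))
```

A row that failed and is still pending qualifies for both cleanup and delete, so either function removes it; the Preview = YES output of the real job remains the authoritative list.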