GRANT (workload privileges) statement

This form of the GRANT statement grants the USAGE privilege on a workload.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include ACCESSCTRL, SECADM, or WLMADM authority.

Syntax

Read syntax diagramSkip visual syntax diagramGRANTUSAGEONWORKLOAD workload-nameTO ,USERGROUPROLEauthorization-namePUBLIC

Description

USAGE
Grants the privilege to use a workload. Units of work that are submitted by a user will only be mapped to a workload on which the user has USAGE privilege. A user with SYSADM or DBADM authority automatically has USAGE privilege on any workload that exists at the current server.
ON WORKLOAD workload-name
Identifies the workload on which the USAGE privilege is to be granted. This is a one-part name. The workload-name must identify a workload that exists at the current server (SQLSTATE 42704). The name cannot be 'SYSDEFAULTADMWORKLOAD' (SQLSTATE 42832).
TO
Specifies to whom the USAGE privilege is granted.
USER
Specifies that the authorization-name identifies a user.
GROUP
Specifies that the authorization-name identifies a group.
ROLE
Specifies that the authorization-name identifies an existing role at the current server (SQLSTATE 42704).
authorization-name,...
Lists the authorization IDs of one or more users, groups, or roles. The list of authorization IDs cannot include the authorization ID of the user issuing the statement (SQLSTATE 42502).
PUBLIC
Grants the USAGE privilege to a set of users (authorization IDs).

Rules

  • For each authorization-name specified, if none of the keywords USER, GROUP, or ROLE is specified:
    • If the security plug-in in effect for the instance cannot determine the status of the authorization-name, an error is returned (SQLSTATE 56092).
    • If the authorization-name is defined as ROLE in the database and as either GROUP or USER in the operating system, an error is returned (SQLSTATE 56092).
    • If the authorization-name is defined as both USER and GROUP according to the security plug-in in effect, an error is returned (SQLSTATE 56092).
    • If the authorization-name is defined as USER only according to the security plug-in in effect, or if it is undefined, USER is assumed.
    • If the authorization-name is defined as GROUP only according to the security plug-in in effect, GROUP is assumed.
    • If the authorization-name is defined in the database as ROLE only, ROLE is assumed.

Notes

  • The GRANT statement does not take effect until it is committed, even for the connection that issues the statement.
  • If the database is created with the RESTRICT option, the USAGE privilege of the default user workload, SYSDEFAULTUSERWORKLOAD, must be granted explicitly by a user that has DBADM authority. If the database is created without the RESTRICT option, the USAGE privilege of SYSDEFAULTUSERWORKLOAD is granted to PUBLIC at database creation time.

Example

Grant user LISA the ability to use the workload CAMPAIGN.
   GRANT USAGE ON WORKLOAD CAMPAIGN TO USER LISA