ALTER PERMISSION
The ALTER PERMISSION statement alters a row permission that exists at the current server.
Invocation
This statement can be embedded in an application program or issued interactively. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is implicitly or explicitly specified.
Authorization
The privilege set that is defined below must include the following authority:
- SECADM authority
Syntax
>>-ALTER PERMISSION--permission-name--+-ENABLE-----+-----------><
                                      +-DISABLE----+
                                      '-REGENERATE-'
Description
- permission-name
- Identifies the permission to be altered. The name must identify a row permission that exists at the current server. The name must not identify a default row permission that is created implicitly by DB2®.
- ENABLE
- Specifies that the row permission is to be enabled for row access control. If row access control is not currently activated for the table, the row permission will become effective when row access control is activated for the table. Use of this clause or keyword might invalidate packages that depend on the target object, or packages that depend on related objects through cascading effects. See Changes that invalidate packages.
A row permission with a regeneration error cannot be enabled. To clear the status of the row permission, the row permission must be dropped and re-created with a modified definition.
ENABLE is ignored if the row permission is already defined as enabled for row access control.
- DISABLE
- Specifies that the row permission is to be disabled for row access control. If row access control is not currently activated for the table, the row permission will remain ineffective when row access control is activated for the table. Use of this clause or keyword might invalidate packages that depend on the target object, or packages that depend on related objects through cascading effects. See Changes that invalidate packages.
DISABLE is ignored if the row permission is already defined as disabled for row access control.
- REGENERATE
- Specifies that the row permission is to be regenerated. The row permission definition in the catalog is used, and existing authorizations and dependencies, if any, are retained. The user-defined functions that are referenced in the row permission definition must resolve to the same secure UDFs that were resolved when the row permission was created.
Notes
- Invalidation of packages:
- This statement might invalidate all packages that depend on target objects, and sometimes other related objects through cascading effects, depending on the clauses and keywords specified and other factors. See Changes that invalidate packages.
- Applying DB2 maintenance:
- When DB2 maintenance is applied that affects how a row permission is generated, the row permission might need to be regenerated to ensure the row permission is still valid.
If the row permission is regenerated successfully, the status of the row permission is set to a blank in the catalog table.
If the row permission cannot be regenerated successfully, an error is returned. The regeneration status of the row permission is set to an error. To clear the status of the row permission, the row permission must be dropped and re-created with a modified definition. Alternatively, the row permission can be disabled if it is not already disabled. A disabled row permission has no effect on a table for which row access control is enforced.
When the table is referenced in a data manipulation statement, the statement returns an error if any enabled row permission has a regeneration error.
Examples
- Example 1:
- Enable permission P1.
ALTER PERMISSION P1 ENABLE;
- Example 2:
- Regenerate permission P1.
ALTER PERMISSION P1 REGENERATE;
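The following sequence is an added example, not part of the original reference page or IBM's own sample code. It walks one row permission through ENABLE, REGENERATE and the regeneration-error handling described in the Notes. The table HR.PAYROLL, the permission PAYROLL_DEPT_RP and the group PAYROLL are hypothetical names. The catalog table SYSIBM.SYSCONTROLS and its CONTROL_TYPE, IMPLICIT, ENABLE and STATUS columns are the DB2 for z/OS catalog layout and are an assumption not stated on this page.

```sql
-- Added example. HR.PAYROLL, PAYROLL_DEPT_RP and the PAYROLL group are
-- hypothetical names. Every statement below requires SECADM authority.

-- 1. Create the permission in the disabled state so that its predicate
--    can be reviewed before it affects any query.
CREATE PERMISSION PAYROLL_DEPT_RP ON HR.PAYROLL
  FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
  ENFORCED FOR ALL ACCESS
  DISABLE;

-- 2. Activate row access control. While PAYROLL_DEPT_RP is disabled,
--    only the implicitly created default row permission applies.
ALTER TABLE HR.PAYROLL ACTIVATE ROW ACCESS CONTROL;

-- 3. Enable the permission. Because row access control is already
--    active, it takes effect immediately. Packages that depend on
--    HR.PAYROLL might be invalidated, so schedule this accordingly.
ALTER PERMISSION PAYROLL_DEPT_RP ENABLE;

-- 4. After DB2 maintenance that affects how row permissions are
--    generated, regenerate from the definition held in the catalog.
ALTER PERMISSION PAYROLL_DEPT_RP REGENERATE;

-- 5. Audit check: list enabled, explicitly created row permissions
--    whose regeneration status is an error. Any row returned means
--    data manipulation statements on TBSCHEMA.TBNAME return an error.
--    (Catalog table and column names are an assumption, see lead-in.)
SELECT NAME, TBSCHEMA, TBNAME, ENABLE, STATUS
  FROM SYSIBM.SYSCONTROLS
 WHERE CONTROL_TYPE = 'R'     -- row permissions, not column masks
   AND IMPLICIT     = 'N'     -- skip default permissions created by DB2
   AND ENABLE       = 'Y'
   AND STATUS      <> ' ';    -- blank means regenerated successfully

-- 6. If step 5 returns PAYROLL_DEPT_RP, disable it so the table is
--    usable again, then drop and re-create it with a corrected
--    definition. A regeneration error cannot be cleared by ENABLE.
ALTER PERMISSION PAYROLL_DEPT_RP DISABLE;
```

Running step 5 as a scheduled check after each maintenance window surfaces broken permissions before application statements start failing.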