Authorization

For any form of a query, the privilege set that is defined below must include one of the following:

  • For each table or view identified in the statement, the privilege set must include one of the following:
    • Ownership of the table or view
    • The SELECT privilege on the table or view
    • DBADM authority for the database (tables only)
    If the database is implicitly created, the database privileges must be on the implicit database or on DSNDB04.
  • SYSADM authority
  • SYSCTRL authority (catalog tables only)
  • Start of changeDATAACCESS authorityEnd of change
If a query includes a user-defined function, the privileges that are held by the authorization ID of the statement must include at least one of the following:
  • For each user-defined function that is identified in the statement, one of the following:
    • The EXECUTE privilege on the function
    • Ownership of the function
  • SYSADM authority
  • Start of changeDATAACCESS authorityEnd of change

If the select-statement is part of a DECLARE CURSOR statement, the privilege set is the privileges that are held by the authorization ID of the owner of the plan or package.

If the select-statement contains an SQL data change statement, the privilege set must include the SELECT privilege and the appropriate privileges for the SQL data change statement (insert, update, or delete privileges) on the target table or view.

Start of changeIf the select-statement references a table that contain an active row or column access control, and row permissions or column masks are defined for the table, the authorization ID or role of the statement does not need authority to reference objects that are specified in the definitions of those row permissions or column masks.End of change

For dynamically prepared statements, the privilege set depends on the dynamic SQL statement behavior, which is specified by option DYNAMICRULES:

Run behavior
The privilege set is the union of the privilege sets that are held by each authorization ID of the process.
Bind behavior
The privilege set is the privileges that are held by the authorization ID of the owner of the plan or package.
Define behavior
The privilege set is the privileges that are held by the authorization ID of the owner of the stored procedure or user-defined function.
Invoke behavior
The privilege set is the privileges that are held by the authorization ID of the invoker of the stored procedure or user-defined function.

For a list of the DYNAMICRULES values that specify run, bind, define, or invoke behavior, see Table 1.

When any form of a query is used as a component of another statement, the authorization rules that apply to the query are specified in the description of that statement. For example, see CREATE VIEW for the authorization rules that apply to the subselect component of CREATE VIEW.

If your installation uses the access control authorization exit (DSNX@XAC), that exit might be controlling the authorization rules instead of the rules that are listed here.