This form of the GRANT statement grants the SETSESSIONUSER privilege
to one or more authorization IDs. The privilege allows the holder
to use the SET SESSION AUTHORIZATION statement to set the session
authorization to one of a set of specified authorization IDs.
Invocation
This statement can be embedded
in an application program or issued through the use of dynamic SQL
statements. It is an executable statement that can be dynamically
prepared only if DYNAMICRULES run behavior is in effect for the package
(SQLSTATE 42509).
Authorization
The privileges held by the
authorization ID of the statement must include SECADM authority.
Syntax
                            .-,------------------------------------.
                            V                                      |
>>-GRANT SETSESSIONUSER ON----+-USER--session-authorization-name-+-+--TO-->
                              '-PUBLIC---------------------------'
   .-,-----------------------------.
   V                               |
>----+-USER--+--authorization-name-+---------------------------><
     '-GROUP-'
Description
- SETSESSIONUSER ON
  Grants the privilege to assume the identity of a new authorization ID.
- USER session-authorization-name
  Specifies the authorization ID that the authorization-name will
  be able to assume, using the SET SESSION AUTHORIZATION statement.
  The session-authorization-name must identify a user, not a group.
- PUBLIC
  Specifies that the grantee will be able to assume any valid authorization
  ID, using the SET SESSION AUTHORIZATION statement.
- TO
  Specifies to whom the privilege is granted.
- USER
  Specifies that the authorization-name identifies a user.
- GROUP
  Specifies that the authorization-name identifies a group.
- authorization-name,...
  Lists the authorization IDs of one or more users or groups.
  The list of authorization IDs cannot include the authorization ID of the
  user issuing the statement (SQLSTATE 42502).
Rules
- For each authorization-name specified, if neither
  USER nor GROUP is specified, then:
  - If the security plug-in in effect for the instance cannot determine
    the status of the authorization-name, an error
    is returned (SQLSTATE 56092).
  - If the authorization-name is defined according
    to the security plug-in in effect as both USER and GROUP, an
    error is returned (SQLSTATE 56092).
  - If the authorization-name is defined according
    to the security plug-in in effect as USER only, or if it is undefined,
    USER is assumed.
  - If the authorization-name is defined according
    to the security plug-in in effect as GROUP only, GROUP is assumed.
Notes
- Privileges granted to a group: A privilege that
  is granted to a group is not used for authorization checking on:
  - Static DML statements in a package
  - A base table while processing a CREATE VIEW statement
  - A base table while processing a CREATE TABLE statement for a materialized
    query table
  - Create SQL routine
  - Create trigger
Examples
- Example 1: The following statement grants user PAUL the
  ability to set the session authorization to user WALID and therefore
  to execute statements as WALID.

    GRANT SETSESSIONUSER ON USER WALID
      TO USER PAUL

- Example 2: The following statement grants user GUYLAINE
  the ability to set the session authorization to user BOBBY. It also
  grants her the ability to set the session authorization to users RICK
  and KEVIN.

    GRANT SETSESSIONUSER ON USER BOBBY, USER RICK, USER KEVIN
      TO USER GUYLAINE

- Example 3: The following statement grants user WALID and
  everyone in the groups ADMINS and ACCTG the ability to set the session
  authorization to any user.

    GRANT SETSESSIONUSER ON PUBLIC TO USER WALID, GROUP ADMINS, ACCTG
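
A review helper for change scripts, added here as an example and not part of the original reference: it parses statements of the form shown under Syntax and flags ON PUBLIC, group grantees, grantees written without USER or GROUP, and a grantee equal to the issuer. The function names and the `issuer` parameter are assumptions of this example, and it handles only ordinary (undelimited) authorization IDs.

```python
import re

# Grammar taken from the Syntax section of this page:
#   GRANT SETSESSIONUSER ON {USER name | PUBLIC},... TO [USER | GROUP] name,...
_GRANT = re.compile(
    r"GRANT\s+SETSESSIONUSER\s+ON\s+(?P<on>.+?)\s+TO\s+(?P<to>.+)", re.I | re.S)

def parse_grant(sql):
    """Return (targets, grantees); a grantee is (kind, name), kind None if omitted."""
    m = _GRANT.fullmatch(sql.strip().rstrip(";").strip())
    if not m:
        raise ValueError("not a GRANT SETSESSIONUSER statement")
    targets, grantees = [], []
    for item in m.group("on").split(","):
        words = item.upper().split()
        if words == ["PUBLIC"]:
            targets.append("PUBLIC")
        elif len(words) == 2 and words[0] == "USER":
            targets.append(words[1])
        else:
            raise ValueError(f"ON item must be USER <id> or PUBLIC: {item.strip()!r}")
    for item in m.group("to").split(","):
        words = item.upper().split()
        if len(words) == 2 and words[0] in ("USER", "GROUP"):
            grantees.append((words[0], words[1]))
        elif len(words) == 1:
            grantees.append((None, words[0]))
        else:
            raise ValueError(f"bad grantee: {item.strip()!r}")
    return targets, grantees

def review(sql, issuer=None):
    """List review findings for one statement; issuer is the ID running it."""
    targets, grantees = parse_grant(sql)
    findings = []
    if "PUBLIC" in targets:
        findings.append("ON PUBLIC: grantees may assume any valid authorization ID")
    for kind, name in grantees:
        if kind == "GROUP":
            findings.append(f"{name}: group grantee, every member gains the privilege")
        elif kind is None:
            findings.append(f"{name}: USER/GROUP omitted, security plug-in decides "
                            "(SQLSTATE 56092 if undeterminable or both)")
        if issuer and name == issuer.upper():
            findings.append(f"{name}: issuer cannot be a grantee (SQLSTATE 42502)")
    return findings

# Example 3 from this page, used as sample input.
EXAMPLE_3 = "GRANT SETSESSIONUSER ON PUBLIC TO USER WALID, GROUP ADMINS, ACCTG"
if __name__ == "__main__":
    print("\n".join(review(EXAMPLE_3)))
```

Examples 1 and 2 produce no findings; Example 3 produces three, one for ON PUBLIC and one each for ADMINS and ACCTG.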