DB2 Version 9.7 for Linux, UNIX, and Windows

Privileges and authorities required to use import

Privileges enable users to create or access database resources. Authority levels provide a method of grouping privileges and higher-level database manager maintenance and utility operations. Together, these act to control access to the database manager and its database objects.

Users can access only those objects for which they have the appropriate authorization; that is, the required privilege or authority.

With DATAACCESS authority, you can perform any type of import operation. The table below lists the other authorities on each participating table, view or nickname that enable you to perform the corresponding type of import.

Table 1. Authorities required to perform import operations
Mode	Required authority
INSERT	CONTROL or INSERT and SELECT
INSERT_UPDATE	CONTROL or INSERT, SELECT, UPDATE, and DELETE
REPLACE	CONTROL or INSERT, SELECT, and DELETE
REPLACE_CREATE	When the target table exists: CONTROL or INSERT, SELECT, and DELETE When the target table doesn't exist: CREATETAB (on the database), USE (on the table space), and when the schema does not exist: IMPLICIT_SCHEMA (on the database), or when the schema exists: CREATEIN (on the schema)
CREATE	CREATETAB (on the database), USE (on the table space), and when the schema does not exist: IMPLICIT_SCHEMA (on the database), or when the schema exists: CREATEIN (on the schema)

Note: The CREATE and REPLACE_CREATE options of the IMPORT command are deprecated and might be removed in a future release.

As well, to use the REPLACE or REPLACE_CREATE option on a table, the session authorization ID must have the authority to drop the table.

If you want to import to a hierarchy, the required authority also depends on the mode. For existing hierarchies, CONTROL privilege on every subtable in the hierarchy is sufficient for a REPLACE operation. For hierarchies that don't exist, CONTROL privilege on every subtable in the hierarchy, along with CREATETAB and USE, is sufficient for a REPLACE_CREATE operation.

In addition, there a few considerations for importing into tables with label-based access control (LBAC) security labels defined on them. To import data into a table that has protected columns, the session authorization ID must have LBAC credentials that allow write access to all protected columns in the table. To import data into a table that has protected rows, the session authorization ID must have been granted a security label for write access that is part of the security policy protecting the table.