Privileges required for using dynamic SQL statements
An ID needs specific privileges to issue dynamic SQL statements.
The
following table lists the IDs and describes the privileges that they
need for issuing each type of SQL statement:
Operation | ID or role | Required privileges |
---|---|---|
GRANT | Current SQL ID or role | Any of the following
privileges:
|
REVOKE | Current SQL ID or role | Must either have granted the privilege that is being revoked, or hold SYSCTRL or SYSADM authority. |
CREATE, for unqualified object name | Current SQL ID or role | Applicable table, database, or schema privilege |
Qualify name of object created | ID or role named as owner | Applicable table or database privilege. The qualifier can be any ID at all and does not need to have any privilege if the current SQL ID or the role (if in a trusted context with the ROLE AS OBJECT OWNER AND QUALIFIER clause specified) has the SYSADM. system DBADM, or SYSCTRL authority (wherever applicable) or the DBADM or DBCTRL authority for the database (wherever applicable). |
Other dynamic SQL if DYNAMICRULES uses run behavior | All primary IDs, role, secondary IDs, and the current SQL ID together | As required by the statement. Unqualified object names are qualified by the value of the special register CURRENT SQLID. |
Other dynamic SQL if DYNAMICRULES uses bind behavior | Plan or package owner | As required by the statement. DYNAMICRULES behavior determines how unqualified object names are qualified. |
Other dynamic SQL if DYNAMICRULES uses define behavior | Function or procedure owner | As required by the statement. DYNAMICRULES behavior determines how unqualified object names are qualified. |
Other dynamic SQL if DYNAMICRULES uses invoke behavior | ID of the SQL statement that invoked the function or procedure or role | As required by the statement. DYNAMICRULES behavior determines how unqualified object names are qualified. |