SQL Reference

Authorization IDs and authorization-names

An authorization ID is a character string that is obtained by the database manager when a connection is established between the database manager and either an application process or a program preparation process. It designates a set of privileges. It may also designate a user or a group of users, but this property is not controlled by the database manager.

Authorization IDs are used by the database manager to provide:

Authorization checking of SQL statements
Default value for the QUALIFIER precompile/bind option and the CURRENT SCHEMA special register. Also, the authorization ID is included in the default CURRENT PATH special register and FUNCPATH precompile/bind option.

An authorization ID applies to every SQL statement. The authorization ID that applies to a static SQL statement is the authorization ID that is used during program binding. The authorization ID that applies to a dynamic SQL statement is based on the DYNAMICRULES option supplied at bind time for the package issuing the dynamic SQL statement. For a package bound with DYNAMICRULES RUN, the authorization ID used is the authorization ID of the user executing the package. For a package bound with DYNAMICRULES BIND, the authorization ID used is the authorization ID of the package. This is called the run-time authorization ID.

An authorization-name specified in an SQL statement should not be confused with the authorization ID of the statement. An authorization-name is an identifier that is used within various SQL statement. An authorization-name is used in a CREATE SCHEMA statement to designate the owner of the schema. An authorization-name is used in GRANT and REVOKE statements to designate a target of the grant or revoke. Note that the premise of a grant of privileges to X is that X or a member of the group X will subsequently be the authorization ID of statements which require those privileges.

Examples:

Assume SMITH is the userid and the authorization ID that the database manager obtained when the connection was established with the application process. The following statement is executed interactively:
```
   GRANT SELECT ON TDEPT TO KEENE
```
SMITH is the authorization ID of the statement. Hence, in a dynamic SQL statement the default value of the CURRENT SCHEMA special register and in static SQL the default QUALIFIER precomiple/bind option is SMITH. Thus, the authority to execute the statement is checked against SMITH and SMITH is the table-name implicit qualifier based on qualification rules described in Naming Conventions and Implicit Object Name Qualifications.
KEENE is an authorization-name specified in the statement. KEENE is given the SELECT privilege on SMITH.TDEPT.
Assume SMITH has administrative authority and is the authorization ID of the following dynamic SQL statements with no SET SCHEMA statement issued during the session:
```
   DROP TABLE TDEPT
```
Removes the SMITH.TDEPT table.
```
   DROP TABLE SMITH.TDEPT
```
Removes the SMITH.TDEPT table.
```
   DROP TABLE KEENE.TDEPT
```
Removes the KEENE.TDEPT table. Note that KEENE.TDEPT and SMITH.TDEPT are different tables.
```
   CREATE SCHEMA PAYROLL AUTHORIZATION KEENE
```
KEENE is the authorization-name specified in the statement which creates a schema called PAYROLL. KEENE is the owner of the schema PAYROLL and is given CREATEIN, ALTERIN, and DROPIN privileges with the ability to grant them to others.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]

[ DB2 List of Books | Search the DB2 Books ]