Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.
As an IBM DB2 database administrator, you create groups based on what people need to do in the database, grant privileges to the groups, and add the appropriate users to each group. The tables in this topic list the minimum required privileges for common types of users for which you would create groups: data viewers, data editors, and data creators.
Privileges for DB2 on Linux, UNIX, and Windows differ from those required for DB2 on the IBM z operating system (z/OS). Therefore, this topic provides two tables of user privileges, each describing the minimum privileges needed when you connect from ArcGIS.
Note that these privileges apply to using ArcGIS with a DB2 database. If you need to know the privileges required to use a geodatabase in DB2, see Privileges for geodatabases in DB2.
DB2 on Linux, UNIX, and Windows
DB2 grants CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views to the PUBLIC group by default. To remove any of these database authorities, a database administrator must explicitly revoke them from PUBLIC.
If any of these privileges are removed from PUBLIC, they need to be granted to individual users or groups. For example, if CONNECT is revoked from PUBLIC, it needs to be granted to users so they can connect to the database. Similarly, if SELECT on the system catalog views or tables is revoked from PUBLIC, individual users or groups must be granted SELECT on the following objects, or they will not be able to connect:
- SYSIBM.SYSDUMMY1 (catalog view)
- SYSCAT.ROLEAUTH
- SYSCAT.DBAUTH
- SYSCAT.TABAUTH
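The sequence described above, written out as an added example (it is not part of the original topic): grant the replacement privileges to a group first, then revoke the defaults from PUBLIC, then check the catalog. GIS_VIEWERS is a hypothetical group name. The GRANT and REVOKE statements spell the implicit schema authority IMPLICIT_SCHEMA.

```sql
-- Added example. GIS_VIEWERS is a hypothetical group; substitute your own.
-- Run as an administrator who is allowed to grant and revoke database authorities.

-- 1. Record what PUBLIC holds before changing anything.
SELECT GRANTEE, CONNECTAUTH, CREATETABAUTH, BINDADDAUTH, IMPLSCHEMAAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';

-- 2. Grant first, so existing ArcGIS connections do not fail between steps.
GRANT CONNECT ON DATABASE TO GROUP GIS_VIEWERS;

-- Needed only if SELECT on the catalog has been revoked from PUBLIC:
-- without these four, members of the group cannot connect from ArcGIS.
GRANT SELECT ON SYSIBM.SYSDUMMY1 TO GROUP GIS_VIEWERS;
GRANT SELECT ON SYSCAT.ROLEAUTH  TO GROUP GIS_VIEWERS;
GRANT SELECT ON SYSCAT.DBAUTH    TO GROUP GIS_VIEWERS;
GRANT SELECT ON SYSCAT.TABAUTH   TO GROUP GIS_VIEWERS;

-- 3. Remove the defaults that DB2 gave to PUBLIC.
REVOKE CONNECT, CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
REVOKE USE OF TABLESPACE USERSPACE1 FROM PUBLIC;

-- 4. Verify: PUBLIC should show 'N' (or no row), GIS_VIEWERS should show 'Y'.
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH, CREATETABAUTH,
       BINDADDAUTH, IMPLSCHEMAAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE IN ('PUBLIC', 'GIS_VIEWERS');

SELECT GRANTEE, TBSPACE, USEAUTH
  FROM SYSCAT.TBSPACEAUTH
 WHERE TBSPACE = 'USERSPACE1';

SELECT GRANTEE, TABSCHEMA, TABNAME, SELECTAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE IN ('PUBLIC', 'GIS_VIEWERS')
   AND TABSCHEMA IN ('SYSIBM', 'SYSCAT')
   AND TABNAME IN ('SYSDUMMY1', 'ROLEAUTH', 'DBAUTH', 'TABAUTH');
```

Data creators lose CREATETAB and USE on USERSPACE1 in step 3, so grant those to the data creator group separately before revoking them from PUBLIC.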
Type of user | Required privileges | Purpose |
---|---|---|
Data viewer | | These privileges allow the user to connect to the database. |
 | SELECT on other users' tables | Data viewers need select privileges on specific tables you want them to see and query. |
Data editor* (Data editors require the same privileges as data viewers, plus these additional privileges.) | | These privileges allow editors to edit data owned by other users. Grant whichever types of editing privileges the editor will require. |
Data creator (Data creators require the same privileges as data viewers, plus these additional privileges.) | | These privileges allow data creators to create and own tables and feature classes in the database. |
*You can edit data published to a feature service that has editing capabilities enabled.
DB2 for z/OS
Default security on z/OS is stricter than on other platforms. Most privileges are not automatically granted to PUBLIC; you need to grant privileges to individual user IDs or groups.
ArcGIS does not support editing data in DB2 for z/OS databases; therefore, only data viewer and data creator privileges are listed here.
Type of user | Required privileges | Purpose |
---|---|---|
Data viewer | SELECT on the following system tables: | These privileges allow the user to access data. |
 | SELECT on other users' tables | Data viewers need select privileges on specific tables you want them to see and query. |
Data creator (Data creators require the same privileges as data viewers, plus these additional privileges.) | | These privileges allow data creators to create and own tables and feature classes in the database. |