Privileges determine what a user is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does within the organization. Is the user involved with administration of the geodatabase? Does the user need to edit or create data? Would the user only need to query the data?
User privileges are set at different levels. The tables in this topic list the minimum required database and dataset privileges for common types of users: data viewers, data editors, data creators, and the geodatabase administrator.
Privileges for users in geodatabases on DB2 on Linux, UNIX, and Windows are different than those required for geodatabases on DB2 on the IBM z operating system (z/OS). Therefore, there are two different tables of user privileges.
DB2 on Linux, UNIX, and Windows
DB2 grants full privileges to users by default. (In other words, the PUBLIC group is granted CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views.) To remove a database authority, a database administrator must explicitly revoke the database authority from PUBLIC.
If any of these privileges are removed from PUBLIC, they need to be granted to individual users or groups. For example, if CONNECT is revoked from PUBLIC, it needs to be granted to users so they can connect to the database. Similarly, if SELECT on the system catalog views or tables is revoked from PUBLIC, individual users or groups must be granted SELECT on the following or they will not be able to connect to the geodatabase:
- SYSIBM.SYSDUMMY1 (catalog view)
- SYSCAT.ROLEAUTH
- SYSCAT.DBAUTH
- SYSCAT.TABAUTH
Type of user | Database privileges | Dataset privileges | Notes |
---|---|---|---|
Data viewer |
| SELECT on database objects, SELECT on SYSIBM.SYSDUMMY1, SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH | If your database is configured to use shared log file tables (the default), additional privileges may be needed. See Log file table configuration options for more information. The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the user must be able to execute MON_GET_CONNECTION. |
Data editor |
| CONTROL, ALTER, DELETE, INSERT, SELECT, UPDATE REFERENCES, SELECT on SYSIBM.SYSDUMMY1 SELECT on SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH | If the user will be editing versioned data through a versioned view, the user must be granted SELECT, INSERT, ALTER, and DELETE privileges on the versioned view. When you use the Privileges dialog box in ArcGIS to grant privileges on a versioned feature class, corresponding privileges are also granted on the associated versioned view. The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the user must be able to execute MON_GET_CONNECTION. |
Data creator |
| CONTROL on database objects, SELECT on SYSIBM.SYSDUMMY1 SELECT on SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH | The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the user must be able to execute MON_GET_CONNECTION. |
Geodatabase administrator (the sde user) |
| The DBADM authority gives the sde user all privileges against all objects in the database and allows him or her to grant these privileges to others. It is required to create or upgrade a geodatabase. DBADM authority is also necessary to remove client connections from the database. In addition, the sde user must have either SYSCTRL or SYSADM authority to remove client connections from the database. The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the sde user must be able to execute MON_GET_CONNECTION. |
DB2 for z/OS
Security on z/OS is higher than on other platforms. Most privileges are not automatically granted to PUBLIC by default; you need to grant privileges to individual user IDs or groups.
Type of user | Database privileges | Dataset privileges | Notes |
---|---|---|---|
Data viewer | SELECT on user-defined database objects and on the following system tables:
| ||
Data editor | Same as for data viewers plus CONTROL, ALTER, DELETE, INSERT, SELECT, and UPDATE REFERENCES on database objects | ||
Data creator | CREATETAB and CREATETS | Same as for data viewers plus CONTROL on database objects | |
Geodatabase administrator (the sde user) |
| Same as for data viewers |
You can use DB2 tools or SQL statements to administer database privileges.
Privileges on datasets should be granted or revoked by the dataset owner using the Privileges dialog box or Change Privileges geoprocessing tool in ArcGIS for Desktop. See Grant and revoke dataset privileges for instructions.