Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.
As an IBM Db2 database administrator, you create groups based on what people need to do in the database, grant privileges to the groups, and add the appropriate users to each group. The tables in this topic list the minimum required privileges for common types of users for which you would create groups: data viewers, data editors, and data creators.
Privileges for Db2 on the IBM z operating system (z/OS) are different than those required for other Db2 implementations. Therefore, there are two different tables of user privileges that describe the minimum privileges needed when you connect from ArcGIS.
Note that these privileges apply to using ArcGIS with a Db2 database. If you need to know the privileges required to use a geodatabase in Db2, see Privileges for geodatabases in Db2.
Db2 on Linux, UNIX, and Windows
Db2 grants CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views to the PUBLIC group by default. To remove any of these database authorities, a database administrator must explicitly revoke them from PUBLIC.
If you revoke any of these privileges from PUBLIC, grant them to individual users or groups. For example, if you revoke CONNECT from PUBLIC, grant CONNECT to specific groups so members can connect to the database. Similarly, if you revoke SELECT on the system catalog views or tables from PUBLIC, you must grant individual users or groups SELECT on the following to allow users to connect.
- SYSIBM.SYSDUMMY1 (catalog view)
- SYSCAT.ROLEAUTH
- SYSCAT.DBAUTH
- SYSCAT.TABAUTH
| Type of user | Required privileges | Purpose |
|---|---|---|
Data viewer |
| These privileges allow the user to connect to the database. |
SELECT on other users' tables | Data viewers need select privileges on specific tables you want them to see and query. | |
Data editor* Data editors require the same privileges as data viewers, plus these additional privileges. |
| These privileges allow editors to edit data owned by other users. You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you might create multiple editor groups and grant the appropriate privileges to each. For example, you might have a full_edit group that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group that has only SELECT and UPDATE privileges on the tables members need to edit. |
Data creator Data creators require the same privileges as data viewers, plus these additional privileges. |
| These privileges allow data creators to create and own tables and feature classes in the database. |
*To edit data from ArcGIS, publish the data as a feature service that has editing capabilities enabled.
Db2 for z/OS
Security on z/OS is higher than on other platforms. Most privileges are not automatically granted to PUBLIC by default; you need to grant privileges to individual user IDs or groups.
ArcGIS does not support editing data in Db2 for z/OS databases; therefore, only data viewer and data creator privileges are listed here.
| Type of user | Required privileges | Purpose |
|---|---|---|
Data viewer | SELECT on the following system tables:
| These privileges allow the user to access data. |
SELECT on other users' tables | Data viewers need select privileges on specific tables you want them to see and query. | |
Data creator Data creators require the same privileges as data viewers, plus these additional privileges. |
| These privileges allow data creators to create and own tables and feature classes in the database. |