GRANT Physical Database Definition Privileges

Gives one or more users or groups the privilege of issuing DMCL, DBTABLE, and SEGMENT physical DDL statements.
GRANT Physical Database Definition Privileges Authorization
To grant a definition privilege on a DMCL or DBTABLE, you must hold one of these privileges:
  • The corresponding grantable privilege
  • DBADMIN on DB SYSTEM
  • SYSADMIN
To grant a physical definition privilege on a database, you must hold one of the following privileges:
  • The corresponding grantable privilege
  • DBADMIN on the specified DB
  • SYSADMIN on the specified DB
You must be connected to the system dictionary when you issue the statement.
GRANT Physical Database Definition Privileges Syntax
►►─── GRANT ─┬─ DEFINE ───────────┬───────────────────────────────────────────►
             │ ┌─────── , ──────┐ │
             └─▼─┬─ ALTER ────┬─┴─┘
                 ├─ CREATE ───┤
                 ├─ DISPLAY ──┤
                 ├─ DROP ─────┤
                 └─ USE ──────┘

 ►─── ON ─┬─ DMCL dmcl-name ───────┬──────────────────────────────────────────►
          ├─ DBTABLE dbtable-name ─┤
          └─ DB database-name ─────┘

          ┌─────────────── , ──────────────┐
 ►─── TO ─▼─┬─ PUBLIC ───────────────────┬─┴──────────────────────────────────►
            └─ authorization-identifier ─┘

 ►─┬─────────────────────┬────────────────────────────────────────────────────►◄
   └─ WITH GRANT OPTION ─┘
GRANT Physical Database Definition Privileges Parameters
 
  • DEFINE
    Gives the ALTER, CREATE, DISPLAY, DROP, and USE privileges, as applicable, on the resource identified in the ON parameter to the users or groups identified in the TO parameter.
  • ALTER
    Gives the ALTER privilege on the resource identified in the ON parameter to the users or groups identified in the TO parameter.
    The ALTER privilege on a resource allows a user to modify the definition of the resource. The ALTER privilege on a DMCL or database name table also allows a user to generate a load module from the definition.
  • CREATE
    Gives the CREATE privilege on the resource identified in the ON parameter to the users or groups identified in the TO parameter.
    The CREATE privilege on a resource allows a user to define the resource.
  • DISPLAY
    Gives the DISPLAY privilege on the resource identified in the ON parameter to the users or groups identified in the TO parameter.
    The DISPLAY privilege allows the user to issue a DISPLAY RESOURCE statement on the named resource. The grantable DISPLAY privilege allows a user to issue a DISPLAY PRIVILEGES statement on the named resource.
    The DISPLAY privilege on a DBTABLE resource is required for a user to produce a DBTABLE listing using IDMSRPTS. The DISPLAY privilege on a DMCL resource is required for a user to produce a DMCL listing using IDMSRPTS. The DISPLAY privilege on a DB resource is required for a user to produce a segment listing using IDMSRPTS.
  • DROP
    Gives the DROP privilege on the resource identified in the ON parameter to the users or groups identified in the TO parameter.
    The DROP privilege on a resource allows a user to delete the definition of the resource.
  • USE
    Gives the USE privilege on the resource identified in the ON parameter to the users or groups identified in the TO parameter.
    • DMCL -- The USE privilege allows a user to format, print, archive, and fix the journal files defined by the DMCL and punch the DMCL load module.
    • Database name table -- The USE privilege allows a user to punch the database name table load module and specify the database name table in the DBTABLE parameter of a DMCL definition.
    • Segment -- The USE privilege allows a user to associate the segment with an SQL schema.
  • ON
    Specifies the resource to which the definition privileges apply.
  • DMCL dmcl-name
    Identifies a DMCL.
    The scope of a privilege granted on a DMCL resource includes these physical database definition statements:
    • DMCL
    • BUFFER
    • JOURNAL BUFFER
    • ARCHIVE JOURNAL
    • DISK JOURNAL
    • TAPE JOURNAL
    You can wildcard dmcl-name.
    For more information on wildcarding, see Using a Wildcard.
  • DBTABLE dbtable-name
    Identifies a database name table.
    The scope of a privilege granted on a DBTABLE resource includes these physical database definition statements:
    • DBTABLE
    • DBNAME
    You can wildcard dbtable-name.
    For more information on wildcarding, see Using a Wildcard.
  • DB database-name
    Identifies a segment or a name in the database name table.
    The scope of a privilege granted on a DB resource includes these physical database definition statements:
    • SEGMENT
    • FILE
    • AREA
    You can wildcard database-name.
    For more information on wildcarding, see Using a Wildcard.
  • TO
    Specifies the users or groups to whom you are giving definition privileges.
  • PUBLIC
    Specifies all users.
  • authorization-identifier
    Identifies a user or group.
    Expanded syntax for authorization-identifier is presented in section Notes on Security Statement Syntax.
  • WITH GRANT OPTION
    Gives the authority to grant the specified definition privileges on the named resource to the users or groups identified in the TO parameter. Only a holder of the applicable DBADMIN privilege or a holder of SYSADMIN privilege can specify WITH GRANT OPTION.
    A privilege granted with the WITH GRANT OPTION is called a grantable privilege.
GRANT Physical Database Definition Privileges Usage
The DEFINE Keyword
When you use the DEFINE keyword with a GRANT statement, you grant a set of definition privileges to one or more users or groups.
When you use the DEFINE keyword with a REVOKE statement, you revoke all of the privileges in the set that have been previously granted to the specified users or groups.
This means that if you GRANT CREATE privilege on a resource, you can revoke the privilege with either a REVOKE CREATE statement or a REVOKE DEFINE statement. Using REVOKE DEFINE is an efficient technique when you intend to revoke all definition privileges from a user or group, whether the privileges were granted singly or as a set.
Similarly, you can GRANT DEFINE on a resource to a user and then REVOKE DROP on the resource from the same user as a way to grant all but one definition privilege.
Security Considerations for IDMSRPTS
If a dictionary named in an IDMSRPTS run has been secured, the user who submits the job must have EXECUTE privilege on the category containing the run unit dictionary-name.IDMSNWKG.IDMSRPTS. Additional privileges may be required depending on the reports requested:
Report                      Privilege
DBTLST (DBTABLE listing)    DBADMIN on the dictionary or DISPLAY on the DBTABLE
DMCLST (DMCL listing)       DBADMIN on the dictionary or DISPLAY on the DMCL
SEGLST (segment listing)    DBADMIN on the dictionary or DISPLAY on the DB
All other reports           Governed by application dictionary security
For more information, see Securing Application Dictionary Resources.
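The DEFINE set semantics and the IDMSRPTS DISPLAY requirement described above can be checked against a grant script before it is run. The following is an added example, not part of the product documentation: it replays GRANT and REVOKE statements and reports what each user ends up holding. Assumptions: REVOKE takes the GRANT form with FROM in place of TO, the resource name DBTAB01 is constructed, and wildcards, DBADMIN, and the EXECUTE category check are not modelled.

```python
import re
from collections import defaultdict

# DEFINE stands for the whole set of definition privileges.
DEFINE_SET = {"ALTER", "CREATE", "DISPLAY", "DROP", "USE"}
# IDMSRPTS listing -> resource type on which DISPLAY is required.
REPORT_RESOURCE = {"DBTLST": "DBTABLE", "DMCLST": "DMCL", "SEGLST": "DB"}

# Assumption: REVOKE mirrors the GRANT syntax with FROM in place of TO.
STMT = re.compile(
    r"(GRANT|REVOKE)\s+(.+?)\s+ON\s+(DMCL|DBTABLE|DB)\s+(\S+)\s+"
    r"(?:TO|FROM)\s+(.+?)(?:\s+WITH\s+GRANT\s+OPTION)?\s*$",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample script; DBTAB01 is a made-up name.
SAMPLE = """
grant define on dmcl dmcl99 to mike, ryan;
revoke drop on dmcl dmcl99 from ryan;
grant display on dbtable dbtab01 to ryan;
revoke define on dmcl dmcl99 from mike;
"""

def effective_privileges(script):
    """Replay GRANT/REVOKE statements; return {(user, type, name): privileges}."""
    held = defaultdict(set)
    for raw in filter(str.strip, script.split(";")):
        m = STMT.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognized statement: {raw.strip()!r}")
        verb, privs, rtype, rname, users = m.groups()
        named = {p.strip().upper() for p in privs.split(",")}
        wanted = DEFINE_SET if "DEFINE" in named else named
        if not wanted <= DEFINE_SET:
            raise ValueError(f"unknown privilege in: {raw.strip()!r}")
        for user in users.split(","):
            key = (user.strip().upper(), rtype.upper(), rname.upper())
            if verb.upper() == "GRANT":
                held[key] |= wanted
            else:
                held[key] -= wanted  # REVOKE DEFINE clears the whole set
    return {k: v for k, v in held.items() if v}

def can_list(held, user, report, name):
    """DISPLAY check for an IDMSRPTS listing (DBADMIN path not modelled)."""
    key = (user.upper(), REPORT_RESOURCE[report], name.upper())
    return "DISPLAY" in held.get(key, set())
```

With the sample script, RYAN is left with every definition privilege on DMCL99 except DROP, and MIKE holds nothing after the REVOKE DEFINE.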
Granting Privilege to Issue DMCL Statements
The following statement gives the users the privilege to issue DMCL definition statements for DMCL99:
grant define
  on dmcl dmcl99
  to mike, ryan;
GRANT Physical Database Definition Privileges More Information
For more information on revoking privilege to define physical database resources, see REVOKE Physical Database Definition Privileges.