User privileges for geodatabases in DB2

The tables in this topic list the minimum required database privileges for common types of users: data viewers, data editors, data creators, and the geodatabase administrator.

Privileges for users in geodatabases on DB2 on Linux, UNIX, and Windows are different than those required forgeodatabases on DB2 on the IBM z operating system (z/OS). Therefore, there are two different tables of user privileges.

DB2 on Linux, UNIX, and Windows

DB2 grants full privileges to users by default. (In other words, the PUBLIC group is granted CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views.) To remove a database authority, a database administrator must explicitly revoke the database authority from PUBLIC.

If any of these privileges are removed from PUBLIC, they need to be granted to individual users or groups. For example, if CONNECT is revoked from PUBLIC, it needs to be granted to users so they can connect to the database. Similarly, if SELECT on the system catalog views or tables is revoked from PUBLIC, individual users or groups must be granted SELECT on the following or they will not be able to connect to the geodatabase:

Type of user

Database privileges

Dataset privileges

Notes

Data viewer

  • CONNECT to database
  • If the user will connect to data through a feature service, add the user to an operating system group and grant SYSMON authority to the group.

SELECT on database objects, SELECT on SYSIBM.SYSDUMMY1, SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH

If your database is configured to use shared ArcSDE log file tables (the default), additional privileges may be needed. See Log file table configuration options for more information.

Data editor

  • CONNECT to database
  • CREATEIN, ALTERIN, and DROPIN for the necessary schema
  • If the user will connect to data through a feature service, add the user to an operating system group and grant SYSMON authority to the group.

CONTROL, ALTER, DELETE, INSERT, SELECT, UPDATE REFERENCES, SELECT on SYSIBM.SYSDUMMY1

SELECT on SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH

If the user will be editing versioned data through a versioned view, the user must be granted SELECT, INSERT, ALTER, and DELETE privileges on the versioned view. When you use the Privileges dialog box in ArcGIS to grant privileges on a versioned feature class, corresponding privileges are also granted on the associated versioned view.

Data creator

  • CONNECT to database
  • CREATETAB in database
  • CREATEIN, ALTERIN, and DROPIN for the necessary schema
  • If the user will connect to data through a feature service, add the user to an operating system group and grant SYSMON authority to the group.

CONTROL on database objects, SELECT on SYSIBM.SYSDUMMY1

SELECT on SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH

Geodatabase administrator

  • DBADM authority
  • SYSMON authority

    Add the geodatabase administrator user to an operating system group and grant SYSMON to the group.

  • SYSCTRL or SYSADM authority

The SYSMON authority is needed to access the DB2 snapshot API, which is required to clean out defunct ArcSDE processes from the PROCESS_INFORMATION system table. The SYSMON authorit is also required to create or upgrade a geodatabase.

The DBADM authority gives the geodatabase administrator all privileges against all objects in the database and allows him or her to grant these privileges to others. It is required to create or upgrade a geodatabase.

DBADM authority is also necessary to remove client connections from the database. In addition, the geodatabase administrator must have either SYSCTRL or SYSADM authority to remove client connections from the database.

DB2 for z/OS

Security on z/OS is higher than on other platforms. Most privileges are not automatically granted to PUBLIC by default; you need to grant privileges to individual user IDs or groups.

Type of user

Database privileges

Dataset privileges

Notes

Data viewer

SELECT on user-defined database objects and on the following system tables:

  • SYSIBM.SYSTABAUTH
  • SYSIBM.SYSDBAUTH
  • SYSIBM.SYSROUTINES
  • SYSIBM.SYSTABCONST
  • SYSIBM.SYSINDEXES
  • SYSIBM.SYSKEYS
  • SYSIBM.SYSCOLUMNS
  • SYSIBM.SYSCHECKS
  • SYSIBM.SYSSCHEMAAUTH
  • SYSIBM.SYSTABLES
  • SYSIBM.SYSSEQUENCES
  • SYSIBM.SYSDUMMY1

Data editor

Same as for data viewers plus CONTROL, ALTER, DELETE, INSERT, SELECT, UPDATE REFERENCES on database objects

Data creator

CREATETAB and CREATETS

Same as for data viewers plus CONTROL on database objects

Geodatabase administrator

  • BINDADD
  • CREATE ON COLLECTION SDE
  • DBADM

Same as for data viewers

DB2 z/OS privileges

You can use DB2 Control Center to administer user privileges. Or you can use SQL statements to grant and revoke privileges.

Dataset privileges should be granted or revoked by the dataset owner using the Privileges dialog box or Change Privileges geoprocessing tool, which is available in ArcGIS for Desktop. See Granting and revoking privileges on datasets and Change Privileges for instructions.

Related Topics

11/6/2014