
Database-Level Privileges

The three levels of database privileges provide an overall means of controlling who accesses a database.

Connect Privilege

The least of the privilege levels is Connect, which gives a user the basic ability to query and modify tables. Users with the Connect privilege can perform the following functions:

Before users can access a database, they must have the Connect privilege. Ordinarily, in a database that does not contain highly sensitive or private data, you issue the GRANT CONNECT TO PUBLIC statement shortly after you create the database.

If you do not grant the Connect privilege to public, the only users who can access the database through the database server are those to whom you specifically grant the Connect privilege. If only a limited set of users should have access, this privilege lets you provide it to them and deny it to all others.

Users and the Public

Privileges are granted to single users by name or to all users under the name of public. Any privileges granted to public serve as default privileges.

Prior to executing a statement, the database server determines whether a user has the necessary privileges. The information is in the system catalog. For more information, see Privileges in the System Catalog Tables.

The database server looks first for privileges that are granted specifically to the requesting user. If it finds such a grant, it uses that information. It then checks to see if less restrictive privileges were granted to public. If they were, the database server uses the less restrictive privileges. If no grant has been made to that user, the database server looks for privileges granted to public. If it finds a relevant privilege, it uses that one.

Thus, to set a minimum level of privilege for all users, grant privileges to public. You can override that, in specific cases, by granting higher individual privileges to users.

Resource Privilege

The Resource privilege carries the same authorization as the Connect privilege. In addition, users with the Resource privilege can create new, permanent tables, indexes, and SPL routines, thus permanently allocating disk space.

Database-Administrator Privilege

The highest level of database privilege is database administrator, or DBA. When you create a database, you are automatically the DBA. Holders of the DBA privilege can perform the following functions:

Warning:
Although users with the DBA privilege can modify most system catalog tables, it is strongly recommended that you do not update, delete, or insert any rows in them. Modifying the system catalog tables can destroy the integrity of the database. You cannot use the ALTER TABLE statement to modify the size of the next extent of system catalog tables.
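
The following example is added here and is not part of the original documentation. It shows the three database-level grants for a database that should not be open to public, followed by a read-only audit of the sysusers system catalog table. The user names alice, bob, and carol are placeholders.

```sql
-- Added example; alice, bob and carol are placeholder user names.

-- Sensitive database: skip GRANT CONNECT TO PUBLIC and name each user.
GRANT CONNECT TO alice;    -- query and modify tables
GRANT RESOURCE TO bob;     -- Connect abilities plus permanent tables, indexes, SPL routines
GRANT DBA TO carol;        -- highest level; keep this list short

-- If Connect was granted to public earlier, withdraw that default.
-- Users who hold their own grant keep access; all others lose it.
REVOKE CONNECT FROM PUBLIC;

-- Audit: list every database-level grant recorded in the system catalog.
-- sysusers.usertype holds D (DBA), R (Resource) or C (Connect).
SELECT username,
       CASE usertype
           WHEN 'D' THEN 'DBA'
           WHEN 'R' THEN 'Resource'
           WHEN 'C' THEN 'Connect'
           ELSE usertype
       END AS db_privilege
  FROM sysusers
 ORDER BY usertype, username;

-- Any row returned here is a default that applies to every user, because
-- the server uses the less restrictive of a user's own grant and public's.
SELECT username, usertype
  FROM sysusers
 WHERE LOWER(username) = 'public';
```

The audit statements only read sysusers; change database-level privileges with GRANT and REVOKE rather than by editing the catalog rows.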