Able to alter or drop a table but cannot create the table, when no permissions are given to that user

Hi,

I have a user UCLDEV1 which is a part of staff and a
group (db2schema grp1) to which I have not given any permissions.

The authorizations of that user are shown as

db2 => get authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = NO
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = NO
Direct IMPLICIT_SCHEMA authority = NO
Direct LOAD authority = NO
Direct QUIESCE_CONNECT authority = NO
Direct CREATE_EXTERNAL_ROUTINE authority = NO
Direct SYSMON authority = NO

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = YES
Indirect CONNECT authority = YES
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO

db2 => create table test15(num1 INTEGER)
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0552N "UCLDEV1" does not have the privilege to perform operation "CREATE
TABLE". SQLSTATE=42502
db2 => alter table test12 add num3 integer
DB20000I The SQL command completed successfully.
db2 => drop table test12
DB20000I The SQL command completed successfully.
db2 =>

However, as the above commands show, I am not able to create any table
with that user, however, I can alter the table or drop the table.

The following command from an admin user gives

/home/db2inst1>"db2 revoke alterin on schema ucldev1 from ucldev1"
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0556N An attempt to revoke a privilege, security label, or exemption from
"UCLDEV1" was denied because "UCLDEV1" does not hold this privilege, security
label, or exemption. SQLSTATE=42504

What could be the reason for it?

Thanks a lot.

Rahul

Sep 4 '07 #1
Rahul B wrote:
> What could be the reason for it?

Could it be UCLDEV1 was the owner of the altered/dropped table?
The user could have either created the table before the create privilege
was taken away, or the user could have received ownership through
TRANSFER OWNER.

Cheers
Serge

--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Sep 4 '07 #2
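
The ownership explanation above can be checked against the DB2 catalog. The queries below are an added example, not part of the original posts; TEST_TABLE is a placeholder table name and DB2INST1 as the admin user is an assumption based on the prompt shown in the question.

```sql
-- Run as an administrator with SELECT on the SYSCAT views.

-- 1. Who owns the tables in schema UCLDEV1? The owner of a table can
--    ALTER and DROP it without CREATETAB and without any schema privilege.
SELECT TABNAME, OWNER, TYPE, CREATE_TIME
FROM   SYSCAT.TABLES
WHERE  TABSCHEMA = 'UCLDEV1'
ORDER  BY TABNAME;

-- 2. Table-level privileges held directly by UCLDEV1. The creator of a
--    table receives CONTROL on it, which covers ALTER and DROP.
SELECT TABNAME, GRANTOR, CONTROLAUTH, ALTERAUTH,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
FROM   SYSCAT.TABAUTH
WHERE  TABSCHEMA   = 'UCLDEV1'
  AND  GRANTEE     = 'UCLDEV1'
  AND  GRANTEETYPE = 'U'
ORDER  BY TABNAME;

-- 3. Schema-level privileges on UCLDEV1. If no row lists UCLDEV1 with
--    ALTERINAUTH set, REVOKE ALTERIN has nothing to revoke, which is
--    what SQL0556N in the question reports.
SELECT GRANTEE, GRANTEETYPE, GRANTOR,
       ALTERINAUTH, CREATEINAUTH, DROPINAUTH
FROM   SYSCAT.SCHEMAAUTH
WHERE  SCHEMANAME = 'UCLDEV1';

-- 4. Remove the ability to ALTER/DROP one table: move ownership to the
--    admin, then revoke CONTROL, because PRESERVE PRIVILEGES leaves the
--    previous owner's existing privileges in place.
--    TEST_TABLE and DB2INST1 are placeholders (assumptions).
TRANSFER OWNERSHIP OF TABLE UCLDEV1.TEST_TABLE
    TO USER DB2INST1 PRESERVE PRIVILEGES;
REVOKE CONTROL ON TABLE UCLDEV1.TEST_TABLE FROM USER UCLDEV1;
```

Re-running queries 1 and 2 after step 4 shows whether any other table in the schema still has UCLDEV1 as owner or CONTROL holder.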
On Sep 4, 5:57 pm, Serge Rielau <srie...@ca.ibm.com> wrote:

> Could it be UCLDEV1 was the owner of the altered/dropped table?
> The user could have either created the table before the create privilege
> was taken away, or the user could have received ownership through
> TRANSFER OWNER.

Exactly Serge,

UCLDEV1 was the owner of the tables when I created them.
So, I'll need to do a "Transfer Ownership" command.
A few more things.

1. If I use the TRANSFER OWNERSHIP statement, what are the possible
problems that could come up? (I am asking to find out whether or not
some tables will go into a pending state, or any other problems that could
come, so that I can find out beforehand how much (if any) work will
need to be done after the transfer of ownership.)

2. Currently, UCLDEV1 cannot do a select, insert etc. on tables created
by the admin user. So, whenever I create a table in UCLDEV1 through
admin, I need to give select, insert, update privileges to UCLDEV1. Also,
will the other database objects like functions and procedures also
require some permissions to be accessed/called?
Is there some way that I can give the DML permissions on all objects
in schema UCLDEV1 to UCLDEV1?

3. I would also like to find out if it is possible to track DDL
statements on schema UCLDEV1 by any user.
I thought there could be some "BEFORE ALTER IN ON SCHEMA" clause on a
trigger.

P.S. I am quite reluctant to use the TRANSFER OWNERSHIP statement
without prior knowledge of what problems could come up, because I
could end up making a number of people wait while I try to sort out
the problems.

Thanks a lot.

Rahul
Sep 4 '07 #3
Rahul B wrote:
> 1. If I use the TRANSFER OWNERSHIP statement, what are the possible
> problems that could come up? (I am asking to find out whether or not
> some tables will go into a pending state, or any other problems that could
> come, so that I can find out beforehand how much (if any) work will
> need to be done after the transfer of ownership.)

For tables there are very few things that could go wrong.
Essentially the new owner has to be able to "handle" the new object.
In case of a table I'd think the owner needs to have access to any UDF
used in the table's check constraints or generated columns. RI
constraints would be another topic.

Things get more interesting when you transfer the ownership of routines
or views since they typically reference all sorts of other objects to
which the new owner needs access.

> 2. Currently, UCLDEV1 cannot do a select, insert etc. on tables created
> by the admin user. So, whenever I create a table in UCLDEV1 through
> admin, I need to give select, insert, update privileges to UCLDEV1. Also,
> will the other database objects like functions and procedures also
> require some permissions to be accessed/called?
> Is there some way that I can give the DML permissions on all objects
> in schema UCLDEV1 to UCLDEV1?

I don't think so. What you can do is grant DML privileges to a group (or
role in DB2 Viper 2). As long as UCLDEV1 is part of the group or role it
can perform the actions.
I do wonder whether you may be able to take a different approach.
DB2 has a variation of the unix "su" command which allows an
administrator to do DDL on someone else's behalf.
Take a look at SET SESSION USER:
http://publib.boulder.ibm.com/infoce...c/r0011139.htm

I think (never tried myself) you will then find that the DEFINER of the
object will be the administrator, but the OWNER will be UCLDEV1.

> 3. I would also like to find out if it is possible to track DDL
> statements on schema UCLDEV1 by any user.
> I thought there could be some "BEFORE ALTER IN ON SCHEMA" clause on a
> trigger.

DB2 has auditing capabilities. These have been greatly improved in DB2
Viper 2. There are no DDL triggers.

> P.S. I am quite reluctant to use the TRANSFER OWNERSHIP statement
> without prior knowledge of what problems could come up, because I
> could end up making a number of people wait while I try to sort out
> the problems.

Fair enough.

Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Sep 4 '07 #4
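
The group-based grant suggested in the reply above can be scripted from the catalog instead of being typed per table. This is an added example, not part of the original posts; the group name UCLDEV_DML is hypothetical and must exist at the operating-system level with UCLDEV1 as a member.

```sql
-- Generate one GRANT per base table in schema UCLDEV1 that the group
-- UCLDEV_DML (hypothetical name) does not yet hold SELECT on.
-- Typical use from the command line processor:
--   db2 -x -tf gen_grants.sql > grants.sql    (this file, output captured)
--   db2 -tvf grants.sql                       (review first, then run)
SELECT 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE "'
       || RTRIM(T.TABSCHEMA) || '"."' || RTRIM(T.TABNAME)
       || '" TO GROUP UCLDEV_DML;' AS GRANT_STMT
FROM   SYSCAT.TABLES T
WHERE  T.TABSCHEMA = 'UCLDEV1'
  AND  T.TYPE = 'T'                        -- base tables only
  AND  NOT EXISTS (
         SELECT 1
         FROM   SYSCAT.TABAUTH A
         WHERE  A.TABSCHEMA   = T.TABSCHEMA
           AND  A.TABNAME     = T.TABNAME
           AND  A.GRANTEE     = 'UCLDEV_DML'
           AND  A.GRANTEETYPE = 'G'        -- grantee is a group
           AND  A.SELECTAUTH IN ('Y', 'G')
       )
ORDER  BY T.TABNAME;

-- Verification after running the generated statements: every base table
-- in the schema should appear here, and none with CONTROL or ALTER,
-- so the group gets DML without the ability to change or drop tables.
SELECT A.TABNAME, A.SELECTAUTH, A.INSERTAUTH, A.UPDATEAUTH,
       A.DELETEAUTH, A.ALTERAUTH, A.CONTROLAUTH
FROM   SYSCAT.TABAUTH A
WHERE  A.TABSCHEMA   = 'UCLDEV1'
  AND  A.GRANTEE     = 'UCLDEV_DML'
  AND  A.GRANTEETYPE = 'G'
ORDER  BY A.TABNAME;
```

Because the generator skips tables the group already covers, it can be re-run after each new table is created in the schema.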
