Thanks for providing the useful informatin to help me understand the DB2
design.
More questions:
1. How do you grant/assign a schema to a group so that every user in that
group has access to the objects in that schema?
2. When a user, say X, do a schema switch by following (assume it has been
set up to allow access the schema TEST in question 1):
db2> set schema TEST
Does it mean user X is now has complete access to everything of the schema
just like the owner/creater ? Or, you still need to have individual grants
on each object ?
Thanks
Tom
"Serge Rielau" <sr*****@ca.ibm.com> wrote in message
news:3c*************@individual.net...
cmc wrote: I need some clarification to help me understand the DB2 strucure more.
The questions are about "implicit schema"
1. This is a very interest concpet that DB2 let every user to create
new schema (as this is part of the PUBLIC group privilege - if I am not
wrong). From a practical stand point, what is the application of such concept.
DB2 gives you essentially two options. One option is that you want to
control schemas tightly. In this case you REVOKE IMPLICIT_SCHEMA on the
database from PUBLIC.
If you don't want to control tighly, then leave it as is.
I woudl think that both options have value depending on the environment
(e.g. development vs production or the size of the shop).
Why the default is to grant IMPLICIT_SCHEMA to PUBLIC after database
creation I can only guess. Often such defaults are borne through legacy
(perhaps coming from SQL/DS or DB2 for zOS). Given that there is a
switch folks rarely bother about it.
2. Suprisingly, if the schema is an implicitly created, everyone else
can create objects in it too. What is the practical use of this feature ?
I would tend to think it should be only used by the owner (also not sure
why implicit schema is owned by SYSIBM).
This is the continuation of the default in the first point. If schemata
can be created ad-hoc without much thinking, then why bother to suddenly
control the usage.
Essentially the default is that schemata are just public "directories".
It is the content that needs protecting.
Again, as soon as IMPLCITIC_SCHEMA (as teh master switch) is revoked
this behavior goes away and DB2 ends up with a strict policy of schema
usage.
3. Can we set up some database parameter such that by default only the
owner have a FULL access to the schema ?
REVOKE IMPLICIT_SCHEMA ON <DB> FROM PUBLIC :-)
As an aside: It is important to note that USER and SCHEMA are
orthogonal. E.g. the migration toolkit generates schemata such as ORA8
or SQL7 but there is normally is no ORA8 or SQL7 user on the system.
Cheers
Serge
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab