473,385 Members | 2,029 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > db2 database > questions > able to alter or drop a table but cannot create the table, when no permissions are given to that user

Join Bytes to post your question to a community of 473,385 software developers and data experts.

Able to alter or drop a table but cannot create the table, when no permissions are given to that user

Hi,

I have a user UCLDEV1 which is a part of staff and a
group(db2schemagrp1) to which i have not given any permissions.

The authorizations of that user are shown as

db2 =get authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = NO
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = NO
Direct IMPLICIT_SCHEMA authority = NO
Direct LOAD authority = NO
Direct QUIESCE_CONNECT authority = NO
Direct CREATE_EXTERNAL_ROUTINE authority = NO
Direct SYSMON authority = NO

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = YES
Indirect CONNECT authority = YES
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO

db2 =create table test15(num1 INTEGER)
DB21034E The command was processed as an SQL statement because it was
not a
valid Command Line Processor command. During SQL processing it
returned:
SQL0552N "UCLDEV1" does not have the privilege to perform operation
"CREATE
TABLE". SQLSTATE=42502
db2 =alter table test12 add num3 integer
DB20000I The SQL command completed successfully.
db2 =drop table test12
DB20000I The SQL command completed successfully.
db2 =>
However, as the above commands show, i am not able to create any table
with that user, however, i can alter the table or drop the table.
The following command from an admin user gives
/home/db2inst1>"db2 revoke alterin on schema ucldev1 from ucldev1"
DB21034E The command was processed as an SQL statement because it was
not a
valid Command Line Processor command. During SQL processing it
returned:
SQL0556N An attempt to revoke a privilege, security label, or
exemption from
"UCLDEV1" was denied because "UCLDEV1" does not hold this privilege,
security
label, or exemption. SQLSTATE=42504

What could be the reason for it?

Thanks a lot.

Rahul

Sep 4 '07 #1
3 6647
Rahul B wrote:
Hi,

I have a user UCLDEV1 which is a part of staff and a
group(db2schemagrp1) to which i have not given any permissions.

The authorizations of that user are shown as

db2 =get authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = NO
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = NO
Direct IMPLICIT_SCHEMA authority = NO
Direct LOAD authority = NO
Direct QUIESCE_CONNECT authority = NO
Direct CREATE_EXTERNAL_ROUTINE authority = NO
Direct SYSMON authority = NO

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = YES
Indirect CONNECT authority = YES
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO

db2 =create table test15(num1 INTEGER)
DB21034E The command was processed as an SQL statement because it was
not a
valid Command Line Processor command. During SQL processing it
returned:
SQL0552N "UCLDEV1" does not have the privilege to perform operation
"CREATE
TABLE". SQLSTATE=42502
db2 =alter table test12 add num3 integer
DB20000I The SQL command completed successfully.
db2 =drop table test12
DB20000I The SQL command completed successfully.
db2 =>
However, as the above commands show, i am not able to create any table
with that user, however, i can alter the table or drop the table.
The following command from an admin user gives
/home/db2inst1>"db2 revoke alterin on schema ucldev1 from ucldev1"
DB21034E The command was processed as an SQL statement because it was
not a
valid Command Line Processor command. During SQL processing it
returned:
SQL0556N An attempt to revoke a privilege, security label, or
exemption from
"UCLDEV1" was denied because "UCLDEV1" does not hold this privilege,
security
label, or exemption. SQLSTATE=42504

What could be the reason for it?
Could it be UCLDEV1 was the owner of the altered/dropped table?
The user could have either created the table before the create privilege
was taken away, or the user could have received ownership through
TRANSFER OWNER.

Cheers
Serge

--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Sep 4 '07 #2
On Sep 4, 5:57 pm, Serge Rielau <srie...@ca.ibm.comwrote:
Rahul B wrote:
Hi,
I have a user UCLDEV1 which is a part of staff and a
group(db2schemagrp1) to which i have not given any permissions.
The authorizations of that user are shown as
db2 =get authorizations
Administrative Authorizations for Current User
Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = NO
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = NO
Direct IMPLICIT_SCHEMA authority = NO
Direct LOAD authority = NO
Direct QUIESCE_CONNECT authority = NO
Direct CREATE_EXTERNAL_ROUTINE authority = NO
Direct SYSMON authority = NO
Indirect SYSADM authority = NO
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = YES
Indirect CONNECT authority = YES
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO
db2 =create table test15(num1 INTEGER)
DB21034E The command was processed as an SQL statement because it was
not a
valid Command Line Processor command. During SQL processing it
returned:
SQL0552N "UCLDEV1" does not have the privilege to perform operation
"CREATE
TABLE". SQLSTATE=42502
db2 =alter table test12 add num3 integer
DB20000I The SQL command completed successfully.
db2 =drop table test12
DB20000I The SQL command completed successfully.
db2 =>
However, as the above commands show, i am not able to create any table
with that user, however, i can alter the table or drop the table.
The following command from an admin user gives
/home/db2inst1>"db2 revoke alterin on schema ucldev1 from ucldev1"
DB21034E The command was processed as an SQL statement because it was
not a
valid Command Line Processor command. During SQL processing it
returned:
SQL0556N An attempt to revoke a privilege, security label, or
exemption from
"UCLDEV1" was denied because "UCLDEV1" does not hold this privilege,
security
label, or exemption. SQLSTATE=42504
What could be the reason for it?

Could it be UCLDEV1 was the owner of the altered/dropped table?
The user could have either created the table before the create privilege
was taken away, or the user could have received ownership through
TRANSFER OWNER.

Cheers
Serge

--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Exactly Serge,

UCLDEV1 was the owner of the tables when i created.
So, i'll need to do a "Transfer Ownership" command.
A few more things.

1. If i use the TRANSFER OWNERSHIP Statement, what are the possible
problems that could come up(I am asking it to find out whether or not
some tables will go a pending state or any other problems that could
come, so that i can beforehand find out how much(if any) work i'll
need to be done after the transfer ownership)

2. Currently, ucldev1 cannot do a select, insert etc on tables created
by the admin user. So, whenever i create a table in UCLDEV1 through
admin, i need to give select, insert, update privs to UCLDEV1. Also,
will the other database objects like functions, procedures also
require some permissions to be accessed/called.
Is there some way that i can give the DML permissions of all objects
in schema UCLDEV1 to UCLDEV1.

3. I would also like to find out if it is possible to track DDL
statements on schema UCLDEV1 by any user.
I thought there could be some "BEFORE ALTER IN ON SCHEMA" clause on
trigger.
P.S. I am quite reluctant to use the TRANSFER OWNERSHIP Statement
without a prior knowledge of what problems could come up because i
could end up making a number of people wait while i try to sort out
the problems.

Thanks a lot.

Rahul
Sep 4 '07 #3
Rahul B wrote:
1. If i use the TRANSFER OWNERSHIP Statement, what are the possible
problems that could come up(I am asking it to find out whether or not
some tables will go a pending state or any other problems that could
come, so that i can beforehand find out how much(if any) work i'll
need to be done after the transfer ownership)
For tables there are very few things that could go wrong.
Essentially the new owner has to be able to "handle" the new object.
In case of a table I'd think the owner needs to have access to any UDF
used in the tables check constraints or generated columns. RI
constraints would be another topic.

Things get more interesting when you transfer the ownership of routines
or views since they typically reference all sorts of other objects to
which the new owner needs access.
2. Currently, ucldev1 cannot do a select, insert etc on tables created
by the admin user. So, whenever i create a table in UCLDEV1 through
admin, i need to give select, insert, update privs to UCLDEV1. Also,
will the other database objects like functions, procedures also
require some permissions to be accessed/called.
Is there some way that i can give the DML permissions of all objects
in schema UCLDEV1 to UCLDEV1.
I don't think so. What you can do is grant DML privileges to a group (or
role in DB2 Viper 2). As long as UCLDEV1 is part of the group or role it
can perform the actions.
I do wonder whether you may be able to take a different approach.
DB2 has a variation of the unix "su" command which allows an
administrator to do DDL on someone else's behalf.
Take a look at SET SESSION USER:
http://publib.boulder.ibm.com/infoce...c/r0011139.htm

I think (never tried myself) you will then find that the DEFINER of the
object will be the administrator, but the OWNER will be UCLDEV1.
3. I would also like to find out if it is possible to track DDL
statements on schema UCLDEV1 by any user.
I thought there could be some "BEFORE ALTER IN ON SCHEMA" clause on
trigger.
DB2 has auditing capabilities. These have been greatly improved in Db2
Viper 2. There are no DDL triggers.
P.S. I am quite reluctant to use the TRANSFER OWNERSHIP Statement
without a prior knowledge of what problems could come up because i
could end up making a number of people wait while i try to sort out
the problems.
Fair enough.

Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
Sep 4 '07 #4
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
Alpha 4.1-Temporary Tables-Alter/Update
by: Peter Gorelczenko | last post by:
Good Morning, I'm running Alpha 4.1 on Linux. I'm new to MySql but familliar with othe= r=20 databases. I set up a user with "Create Temporary Tables" permissions. = That=20 user can create...
MySQL Database
1
Alter a primary key auto increment column?
by: Lannsjo | last post by:
I need to change my primary key column type from smallint to int. I have tried: ALTER TABLE livegroup MODIFY id INT UNSIGNED NOT NULL AUTO_INCREMENT; But get an error message certainly since my...
MySQL Database
10
ALTER TABLE <TABLE> DROP UNIQUE <INDNAME> doesn't recognize index name!
by: BuddhaBuddy | last post by:
Platform is DB2/NT 7.2.9 The table was created like this: CREATE TABLE MYTEST ( MYTESTOID bigint not null primary key, FK_OTHEROID bigint not null references other, FK_ANOTHEROID bigint not...
DB2 Database
3
Want to be able to create or view database diagrams
by: teedilo | last post by:
Our MS SQL (SQL Server 2000) DBA has database privileges locked down pretty tightly. We end users/developers do not have administrator privileges for most databases. That arrangement has worked...
Microsoft SQL Server
4
Cannot Alter Table being Published for Replication
by: Brian Wotherspoon | last post by:
Hi all, I'm using SQL Server 2000 SP3 to store data for real time transaction processing. I have set up replication to another server using a push subscription to give me immediate backup. ...
Microsoft SQL Server
7
How to ALTER a table using the ALTOBJ procedure
by: Serge Rielau | last post by:
Hi all, Following Ian's passionate postings on problems with ALTOBJ and the alter table wizard in the control center I'll try to explain how to use ALTOBJ with this thread. I'm not going to get...
DB2 Database
1
DB2 - XML and Spatial data in same column - can't alter table once created - PLEASE HELP
by: vasilip | last post by:
I'm testing out db2 for a project I'm starting that requires proper xml support and I can't seem to get both xml and spatial data to work well in the same table. Once having created a table...
DB2 Database
6
Default Table Owner using CREATE TABLE, INSERT, SELECT & DROP TABLE
by: Peter Nurse | last post by:
For reasons that are not relevant (though I explain them below *), I want, for all my users whatever privelige level, an SP which creates and inserts into a temporary table and then another SP...
Microsoft SQL Server
0
Re: ALTER proc vs IF EXISTS DROP/CREATE
by: Eric Isaacs | last post by:
Optional Create and Alter is nice because it fails, the original is still in place as are the original permissions. Drop and create is also valid in some cases if you want to clear/reset the...
Microsoft SQL Server
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!