Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.
As an IBM Db2 database administrator, you create groups based on what people need to do in the database, grant privileges to the groups, and add the appropriate users to each group. The tables in this topic list the minimum required privileges for common types of users for which you would create groups: data viewers, data editors, and data creators.
Note that these privileges apply to using ArcGIS with a Db2 database. If you need to know the privileges required to use a geodatabase in Db2, see Privileges for geodatabases in Db2.
Privileges
Db2 grants CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views to the PUBLIC group by default. To remove any of these database authorities, a database administrator must explicitly revoke them from PUBLIC.
If you revoke any of these privileges from PUBLIC, grant them to individual users or groups. For example, if you revoke CONNECT from PUBLIC, grant CONNECT to specific groups so members can connect to the database. Similarly, if you revoke SELECT on the system catalog views or tables from PUBLIC, you must grant individual users or groups SELECT on the following to allow users to connect.
- SYSIBM.SYSDUMMY1 (catalog view)
- SYSCAT.ROLEAUTH
- SYSCAT.DBAUTH
- SYSCAT.TABAUTH
Type of user | Required privileges | Purpose |
---|---|---|
Data viewer |
| These privileges allow the user to connect to the database. |
SELECT on other users' tables | Data viewers need select privileges on specific tables you want them to see and query. | |
Data editor* Data editors require the same privileges as data viewers, plus these additional privileges. |
| These privileges allow editors to edit data owned by other users. You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you might create multiple editor groups and grant the appropriate privileges to each. For example, you might have a full_edit group that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group that has only SELECT and UPDATE privileges on the tables members need to edit. |
Data creator Data creators require the same privileges as data viewers, plus these additional privileges. |
| These privileges allow data creators to create and own tables and feature classes in the database. |
*To edit data, publish editable feature service layers that reference the data in your Db2 database.