Privileges for using ArcGIS with a Db2 database

Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.

As an IBM Db2 database administrator, you create groups based on what people need to do in the database, grant privileges to the groups, and add the appropriate users to each group. The tables in this topic list the minimum required privileges for common types of users for which you would create groups: data viewers, data editors, and data creators.

Note that these privileges apply to using ArcGIS with a Db2 database. If you need to know the privileges required to use a geodatabase in Db2, see Privileges for geodatabases in Db2.

Privileges

Db2 grants CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus the USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views to the PUBLIC group by default. To remove any of these database authorities, a database administrator must explicitly revoke them from PUBLIC.

If you revoke any of these privileges from PUBLIC, grant them to individual users or groups. For example, if you revoke CONNECT from PUBLIC, grant CONNECT to specific groups so members can connect to the database. Similarly, if you revoke SELECT on the system catalog views or tables from PUBLIC, you must grant individual users or groups SELECT on the following to allow users to connect.

  • SYSIBM.SYSDUMMY1 (catalog view)
  • SYSCAT.ROLEAUTH
  • SYSCAT.DBAUTH
  • SYSCAT.TABAUTH

Type of userRequired privilegesPurpose

Data viewer

  • CONNECT to database
  • SELECT on SYSIBM.SYSDUMMY1, SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH

These privileges allow the user to connect to the database.

SELECT on other users' tables

Data viewers need select privileges on specific tables you want them to see and query.

Data editor*

Data editors require the same privileges as data viewers, plus these additional privileges.

  • INSERT, UPDATE, DELETE on other users' tables
  • CREATEIN, ALTERIN, and DROPIN for the necessary schema
  • CONTROL, ALTER, DELETE, INSERT, and UPDATE REFERENCES on SYSIBM.SYSDUMMY1

These privileges allow editors to edit data owned by other users.

You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you might create multiple editor groups and grant the appropriate privileges to each. For example, you might have a full_edit group that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group that has only SELECT and UPDATE privileges on the tables members need to edit.

Data creator

Data creators require the same privileges as data viewers, plus these additional privileges.

  • CREATETAB in database
  • CONTROL on database objects

These privileges allow data creators to create and own tables and feature classes in the database.

Privileges for Db2

*To edit data, publish editable feature service layers that reference the data in your Db2 database.


In this topic
  1. Privileges