Hitachi

Hitachi Advanced Database SQL Reference


3.16.1 Granting user privileges, schema operation privileges, and audit privileges

Grant the following privileges to an HADB user.

(1) Specification format

GRANT-statement::=GRANT privilege[,privilege]... TO authorization-identifier[,authorization-identifier]...
 
  privilege::={user-privilege|schema-operation-privilege|audit-privilege}
    user-privilege::={DBA|CONNECT}
    schema-operation-privilege::=SCHEMA
    audit-privilege::={AUDIT ADMIN|AUDIT VIEWER}

(2) Explanation of specification format

privilege[,privilege]...
privilege::={user-privilege|schema-operation-privilege|audit-privilege}

Specify the privilege to be granted to an HADB user. You cannot specify the same privilege more than once.

user-privilege ::= {DBA | CONNECT}

Specify this to grant user privileges to an HADB user.

  • DBA

    Specify this to grant the DBA privilege to the HADB user.

  • CONNECT

    Specify this to grant the CONNECT privilege to the HADB user.

schema-operation-privilege ::= SCHEMA

Specify this to grant schema operation privileges to an HADB user.

  • SCHEMA

    Specify this to grant the schema definition privilege to the HADB user.

audit-privilege::={AUDIT ADMIN|AUDIT VIEWER}

Specify this to grant an audit privilege (audit admin privilege or audit viewer privilege) to an HADB user.

  • AUDIT ADMIN

    Specify this to grant the audit admin privilege to an HADB user.

  • AUDIT VIEWER

    Specify this to grant the audit viewer privilege to an HADB user.

TO authorization-identifier[,authorization-identifier]...

Specifies the authorization identifiers of the HADB users who are to be granted privileges. A maximum of 128 authorization identifiers can be specified.

Note the following rules for specifying an authorization identifier:

  • If you want to use lowercase letters, enclose the authorization identifier in double quotation marks ("). When not enclosed in double quotation marks, lowercase letters will be treated as uppercase.

    Example: GRANT DBA TO adbuser01

    In this case, the authorization identifier is treated as ADBUSER01.

  • Because an authorization identifier is specified as a name, we recommend that you enclose it in double quotation marks (").

For details about the rules for specifying an authorization identifier, see 6.1.4 Specifying names.

(3) Privileges required at execution

To execute a GRANT statement that grants user privileges, schema operation privileges, or audit privileges, the DBA privilege and the CONNECT privilege are required.

(4) Rules

  1. An HADB user with the DBA privilege can grant the following privileges to other HADB users:

    • User privileges

    • Schema operation privileges

    • Audit privileges

    However, the audit admin privilege cannot be granted to HADB users who have the DBA privilege.

    Note that an HADB user can also grant a user privilege, a schema operation privilege, and the audit viewer privilege to himself or herself (the HADB user whose authorization identifier is connected to the HADB server).

    Important

    An HADB user cannot have both the DBA privilege and the audit admin privilege. Therefore, it is impossible to grant the audit admin privilege to HADB users who have the DBA privilege. Similarly, it is also impossible to grant the DBA privilege to HADB users who have the audit admin privilege.

  2. If an error occurs in the execution of the GRANT statement when multiple authorization identifiers are specified, the operation is cancelled for all of the targeted HADB users.

(5) Examples

Example 1

Grant the DBA privilege, CONNECT privilege, and schema definition privilege to HADB user ADBUSER01.

GRANT DBA,CONNECT,SCHEMA TO "ADBUSER01"

Example 2

Grant the CONNECT privilege and schema definition privilege to HADB users ADBUSER02 and ADBUSER03.

GRANT CONNECT,SCHEMA TO "ADBUSER02","ADBUSER03"

Example 3

Grant the CONNECT privilege and the audit admin privilege to HADB user ADBAUDITADMIN.

GRANT CONNECT,AUDIT ADMIN TO "ADBAUDITADMIN"

Example 4

Grant the CONNECT privilege and the audit viewer privilege to HADB user ADBAUDITOR.

GRANT CONNECT,AUDIT VIEWER TO "ADBAUDITOR"
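
A pre-flight check for provisioning scripts that applies the rules stated on this page: no repeated privilege, at most 128 authorization identifiers, uppercase folding of unquoted identifiers, and DBA and AUDIT ADMIN never held by the same HADB user. This is an added example, not part of the HADB manual or Hitachi's code; `lint_grant`, `normalize_identifier` and the `current` privilege map are hypothetical names, and it assumes identifiers contain no commas or embedded quotation marks.

```python
import re

# Privilege keywords from the specification format on this page.
PRIVILEGES = {"DBA", "CONNECT", "SCHEMA", "AUDIT ADMIN", "AUDIT VIEWER"}
MAX_IDENTIFIERS = 128  # limit stated on this page

GRANT_RE = re.compile(r"^\s*GRANT\s+(.+?)\s+TO\s+(.+?)\s*$", re.I | re.S)


def normalize_identifier(token):
    """Quoted identifiers keep their case; unquoted ones fold to uppercase."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token.upper()


def lint_grant(statement, current=None):
    """Return (privileges, identifiers, problems) for one GRANT statement.

    `current` is a hypothetical map {identifier: privileges already held},
    for example built from your own provisioning records (an assumption).
    """
    current = current or {}
    m = GRANT_RE.match(statement)
    if not m:
        return [], [], ["not a GRANT ... TO ... statement"]
    # Collapse whitespace so "audit  admin" compares equal to "AUDIT ADMIN".
    privs = [" ".join(p.upper().split()) for p in m.group(1).split(",")]
    idents = [normalize_identifier(t) for t in m.group(2).split(",")]
    problems = []
    for p in privs:
        if p not in PRIVILEGES:
            problems.append(f"unknown privilege: {p}")
    if len(set(privs)) != len(privs):
        problems.append("same privilege specified more than once")
    if len(idents) > MAX_IDENTIFIERS:
        problems.append(f"{len(idents)} identifiers exceeds {MAX_IDENTIFIERS}")
    for ident in idents:
        # Privileges the user would hold if this statement succeeded.
        held = set(current.get(ident, ())) | set(privs)
        if {"DBA", "AUDIT ADMIN"} <= held:
            problems.append(f"{ident}: would hold both DBA and AUDIT ADMIN")
    return privs, idents, problems
```

Reviewing the normalized identifier list before execution shows when an unquoted name such as adbuser01 would actually grant to ADBUSER01 rather than to a separately defined lowercase account.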