3.23.3 Granting role usage privileges
Grant role usage privileges to HADB users.
- Note
-
-
If role usage privileges are granted to HADB users, the access privileges granted to the role are also granted to the HADB users.
-
Role usage privileges cannot be granted to a role.
-
- Organization of this subsection
(1) Specification format
GRANT-statement ::= GRANT role-name [,role-name]...
TO authorization-identifier [,authorization-identifier]...
(2) Explanation of specification format
- ● role-name [,role-name]...
-
Specifies the role names. Role usage privileges for the specified roles are granted to the HADB user.
Note the following rules:
-
A maximum of 128 role names can be specified.
-
For rules on specifying role names, see 6.1.4 Specifying names.
-
- ● TO authorization-identifier [,authorization-identifier]...
-
Specifies the authorization identifier to grant role usage privileges to.
Note the following rules:
-
Specify the authorization identifier of an HADB user (user identifier) as the authorization identifier.
-
A maximum of 128 authorization identifiers can be specified.
-
For rules on specifying authorization identifiers, see 6.1.4 Specifying names.
-
(3) Privileges required at execution
To execute a GRANT statement to grant role usage privileges, DBA privileges and CONNECT privileges are required.
(4) Rules
-
You can grant role usage privileges for roles you have defined. You cannot grant role usage privileges for roles defined by other HADB users.
-
You cannot grant yourself role usage privileges for roles you have defined.
-
The role usage privilege of a role dedicated to the automatic role-mapping function defined with the MAPPING WITH KEYCLOAK option cannot be granted by an HADB user to other HADB users by executing the GRANT statement.
-
If multiple role names or multiple authorization identifiers are specified in the GRANT statement and an error occurs during its execution, the granting of privileges to all authorization identifiers is invalidated. Role usage privileges will not be granted to only some of the authorization identifiers.
-
If the granting of role usage privileges changes the access privileges of an HADB user who is currently connected to the HADB server, the changed access privileges take effect at the following timing:
-
The next time the HADB user executes a transaction
-
(5) Examples
- Example
-
Grant the role usage privileges of roles ROLE01 and ROLE02 to HADB users ADBUSER01 and ADBUSER02.
GRANT "ROLE01","ROLE02" TO "ADBUSER01","ADBUSER02"