Hitachi Advanced Database Messages


KFAA30556-E

The operation cannot be executed because the authorization identifier "bb....bb" specified in aa....aa is cc....cc. (M+J+O)

The aa....aa operation could not be executed. <SQLSTATE: 42K06>

aa....aa: Operation whose execution was attempted
  • GRANT: Granting of a privilege by a GRANT statement

  • GRANT AUDIT ADMIN: Granting the audit admin privilege by a GRANT statement

  • GRANT AUDIT VIEWER: Granting the audit viewer privilege by a GRANT statement

  • GRANT CRYPTO ADMIN: Granting the CRYPTO ADMIN privilege by a GRANT statement

  • REVOKE: Revocation of a privilege by a REVOKE statement

  • REVOKE CONNECT: Revocation of a CONNECT privilege by a REVOKE statement

  • REVOKE CRYPTO ADMIN: Revocation of a CRYPTO ADMIN privilege by a REVOKE statement

  • REVOKE DBA: Revocation of a DBA privilege by a REVOKE statement

  • REVOKE SCHEMA: Revocation of a schema definition privilege by a REVOKE statement

bb....bb: Authorization identifier specified in the SQL statement

cc....cc: Cause of the error

S:

Ignores this SQL statement. Alternatively, the system invalidates this transaction.

Action:

The following explains how to handle this:

  • If the owner of the target schema object is displayed for cc....cc

    The authorization identifier whose privilege is to be granted or revoked is the authorization identifier of the schema object owner. Check if the specified authorization identifier and the specified schema object are correct.

  • If connected to the HADB server is displayed for cc....cc

    The CONNECT privilege cannot be revoked for an authorization identifier that is currently connected to the HADB server. Re-execute the REVOKE statement after the target authorization identifier has been disconnected from the HADB server.

    If you want to revoke the CONNECT privilege immediately, use the adbcancel command to forcibly disconnect the target authorization identifier from the HADB server.

  • If a special keyword that can be specified only by the owner of the target schema object is displayed for cc....cc

    To execute the GRANT statement with PUBLIC specified, use the authorization identifier of the owner of the target schema object for access privileges.

  • If a user with privileges on which the privileges you are trying to grant depend is displayed for cc....cc

    An attempt was made to grant access privileges to an HADB user who cannot be granted them. You cannot grant access privileges to the following HADB users:

    • An HADB user who has granted himself or herself the target access privilege

    • An HADB user on the line of users who granted the target access privilege to the above HADB user

    • Yourself

  • If the auditor is displayed for cc....cc

    You cannot revoke the CONNECT privilege and schema definition privilege of an HADB user who has the audit privilege. Revoke the audit privilege, and then revoke the CONNECT privilege or schema definition privilege. An HADB user who has the audit admin privilege must revoke the audit privilege.

  • If a user who has the CRYPTO ADMIN privilege is displayed for cc....cc

    You cannot revoke the CONNECT privilege of an HADB user who has the CRYPTO ADMIN privilege. Revoke the CRYPTO ADMIN privilege, and then revoke the CONNECT privilege. An HADB user who has the DBA privilege must revoke the CRYPTO ADMIN privilege. An HADB user having the CRYPTO ADMIN privilege can revoke their own CRYPTO ADMIN privilege.

  • If the last user who has the CRYPTO ADMIN privilege is displayed for cc....cc

    At least one HADB user with the CRYPTO ADMIN privilege is required. Therefore, when only one HADB user has the CRYPTO ADMIN privilege, that privilege cannot be revoked from that HADB user. After granting the CRYPTO ADMIN privilege to another HADB user, re-execute the REVOKE statement.

  • If a user who does not have the CONNECT privilege is displayed for cc....cc

    You cannot grant the CRYPTO ADMIN privilege to an HADB user who does not have the CONNECT privilege. Therefore, when granting the CRYPTO ADMIN privilege to an HADB user who does not have the CONNECT privilege, grant the CONNECT privilege at the same time. Alternatively, grant the CRYPTO ADMIN privilege to an HADB user who already has the CONNECT privilege.

  • If a user who uses PAM or Keycloak authentication is displayed for cc....cc

    An attempt was made to grant privileges that cannot be granted to an HADB user who uses PAM authentication or Keycloak authentication. Specify the authorization identifier of an HADB user who uses database authentication, and then re-execute the GRANT statement.

  • If the last user who has both DBA and CONNECT privileges and who uses database authentication is displayed for cc....cc

    At least one HADB user who has both the DBA and CONNECT privileges and who uses database authentication as the user authentication method is required. Therefore, when there is only one such HADB user, it is not possible to revoke privileges from that HADB user.

    Re-execute the REVOKE statement after confirming that database authentication is used for the user authentication method and that there are two or more HADB users with DBA and CONNECT privileges.

  • If the owner of the foreign servers is displayed for cc....cc

    The REVOKE statement resulted in an error because the HADB user whose DBA privilege you attempted to revoke owns foreign servers. Revoking the DBA privilege from an HADB user who owns foreign servers has the following impacts:

    • The foreign servers owned by the user will be deleted.

    • Foreign tables that use the foreign server being deleted will be deleted.

    • View tables that depend on the deleted foreign tables will be deleted or invalidated.

    If there are no problems, execute the REVOKE statement with CASCADE specified for the drop behavior or without specifying the drop behavior. For details on specifying the drop behavior, see REVOKE (revoke privileges) in the manual HADB SQL Reference.

Note

Even if multiple authorization identifiers cause an error, only the error message for one of them will be output.
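
A pre-flight check for REVOKE CONNECT that models the ordering rules in the Action list above, as an added example that is not part of the Hitachi manual. The `HadbUser` fields and `plan_revoke_connect` are hypothetical names, and the user records are constructed rather than read from an HADB server. Unlike KFAA30556-E, which reports one cause per statement, it returns every blocking cause at once.

```python
from dataclasses import dataclass

@dataclass
class HadbUser:
    """Constructed model of one HADB user; field names are assumptions."""
    auth_id: str
    connect: bool = True
    dba: bool = False
    audit: bool = False         # holds the audit privilege
    crypto_admin: bool = False
    db_auth: bool = True        # database authentication (not PAM/Keycloak)
    connected: bool = False     # currently connected to the HADB server

def plan_revoke_connect(target_id, users):
    """Return (ordered steps, blocking causes) for revoking CONNECT."""
    t = next(u for u in users if u.auth_id == target_id)
    others = [u for u in users if u.auth_id != target_id]
    steps, blockers = [], []
    if t.audit:  # cause: "the auditor"
        steps.append(f"revoke audit privilege from {target_id} (audit admin)")
    if t.crypto_admin:  # cause: "a user who has the CRYPTO ADMIN privilege"
        if not any(u.crypto_admin for u in others):
            blockers.append("last user who has the CRYPTO ADMIN privilege")
        steps.append(f"revoke CRYPTO ADMIN from {target_id} (DBA or self)")
    if t.dba and t.connect and t.db_auth:
        # The page requires at least one DBA+CONNECT user on database auth.
        if not any(u.dba and u.connect and u.db_auth for u in others):
            blockers.append("last DBA and CONNECT user on database authentication")
    if t.connected:  # cause: "connected to the HADB server"
        steps.append(f"disconnect {target_id} (wait, or use adbcancel)")
    steps.append(f"REVOKE CONNECT from {target_id}")
    return steps, blockers

# Constructed sample population.
SAMPLE = [
    HadbUser("ADMIN01", dba=True),
    HadbUser("SEC01", audit=True, crypto_admin=True, connected=True),
    HadbUser("SEC02", crypto_admin=True),
]

if __name__ == "__main__":
    for uid in ("SEC01", "ADMIN01"):
        steps, blockers = plan_revoke_connect(uid, SAMPLE)
        print(uid, "blockers:", blockers)
        for n, s in enumerate(steps, 1):
            print(f"  {n}. {s}")
```
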