Control Center Operations Guide for VSE


Functions

ADD a Group

Lets you create both User and Application Groups. The data created will be stored in the USER_GROUP_TAB and APPL_GROUP_TAB tables respectively.

DROP a Group

Deletes a group entry from the applicable tables. In addition, if any privileges have been granted to a User Group which is being dropped, all privileges will be revoked from all users in that group. If an Application Group is dropped, all privileges that were granted on that group will be revoked from all users who were granted those privileges. There are two exceptions to this rule:

  1. When dropping a User Group to which some group authorizations have been made, a check is made before revoking each user's privileges to determine if the user has been granted the same privileges through another group. If the user does belong to another User Group with the same privileges, the user will not lose those privileges.
  2. When dropping an Application Group that has had privileges granted on it, a check is made before revoking the privileges from each user to whom they were granted. If the privileges on the object have been granted to that user through another Application Group, the user will not lose those privileges.

Manage Group Objects and Users

Permits the DBA to populate a group with user IDs (in the case of User Groups) or with tables and views, or packages (in the case of Application Groups). Application Groups are defined as either a table group (consisting of tables and views only) or a package group (consisting of package names only).

A user can belong to more than one User Group. An object can belong to more than one Application Group. Each group type must have at least one member.

When you add an object to an Application Group, any privileges of existing User Groups will be GRANTED on the newly added object to all users in the User Groups authorized to that Application Group. When an object is dropped from an Application Group, all privileges to that object will be REVOKED for all users unless the user is a member of another group with similar privileges. (See the exceptions in DROP a Group.)

When you add a user to a User Group, the user is granted all authorities that the group currently holds. When you drop a user from a group, the user loses all authorities which the group has unless the user is a member of another group with the same authorities. (See exceptions in DROP a Group.)

Manage Privileges

Lets you grant and revoke privileges to User Groups on individual database objects or on Application Groups (that is, on all objects defined in the group). You cannot grant column update privileges; however, you can create a view with the column updates and then grant update privilege on the view.

Use the Authorizations Menu to enter an individual object or a group of objects on which you want to grant or revoke privileges. An individual object is identified by its owner and object name. A group object is identified by its Application Group name. You use the authorizations of the SQLMSTR connect ID.

For example, in the SYSTEM.SYSTABAUTH table, SQLMSTR is always the grantor for group authorizations. An extra grant is done for the User Group name to facilitate the implementation of the tool. If you give SELECT privilege to User Group UGROUP1 on Application Group AGROUP1, the Group Authorization tool generates one extra GRANT SELECT to UGROUP1 on each object in AGROUP1. Likewise, when you use the REVOKE function, the SELECT privilege is revoked from the User Group.
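The following is an added example, not code from the Control Center: a small Python model of the rules above, showing which per-user GRANT and REVOKE statements a group change implies and how the two DROP a Group exceptions keep a privilege that is still held through another group. It assumes "same privileges" means the same privilege on the same object, it leaves out the extra grant made to the User Group name itself, and all class, group, user and object names are constructed.

```python
# Added model of the group-authorization rules; not the Control Center's code.
from collections import defaultdict

class GroupAuth:
    def __init__(self):
        self.user_groups = defaultdict(set)   # User Group -> user IDs
        self.appl_groups = defaultdict(set)   # Application Group -> objects
        self.auths = set()                    # (User Group, privilege, Application Group)

    def effective(self):
        """Expand group authorizations into per-user (user, privilege, object) grants."""
        return {(u, priv, obj)
                for ug, priv, ag in self.auths
                for u in self.user_groups.get(ug, ())
                for obj in self.appl_groups.get(ag, ())}

    def _apply(self, change):
        """Run a change and return the REVOKE/GRANT statements it implies."""
        before = self.effective()
        change()
        after = self.effective()
        # A privilege still reachable through another group is in both sets,
        # so it never shows up as a REVOKE (the two exceptions in DROP a Group).
        stmts = [f"REVOKE {p} ON {o} FROM {u}" for u, p, o in sorted(before - after)]
        stmts += [f"GRANT {p} ON {o} TO {u}" for u, p, o in sorted(after - before)]
        return stmts

    def grant(self, ug, priv, ag):
        return self._apply(lambda: self.auths.add((ug, priv, ag)))

    def drop_user_group(self, ug):
        def change():
            self.user_groups.pop(ug, None)
            self.auths = {a for a in self.auths if a[0] != ug}
        return self._apply(change)

    def drop_appl_group(self, ag):
        def change():
            self.appl_groups.pop(ag, None)
            self.auths = {a for a in self.auths if a[2] != ag}
        return self._apply(change)

def demo():
    g = GroupAuth()                                   # constructed sample data
    g.user_groups["UGROUP1"] = {"ALICE", "BOB"}
    g.user_groups["UGROUP2"] = {"BOB"}
    g.appl_groups["AGROUP1"] = {"HR.EMP", "HR.DEPT"}
    g.appl_groups["AGROUP2"] = {"HR.EMP"}
    g.grant("UGROUP1", "SELECT", "AGROUP1")
    g.grant("UGROUP2", "SELECT", "AGROUP2")
    return g.drop_user_group("UGROUP1")               # BOB keeps SELECT on HR.EMP
```

Comparing the list returned by a planned drop against what you expect is a quick way to spot users who would silently keep access through a second group.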

LIST Functions

The Group Authorization tool provides the following on-line reports:

