The following table illustrates how various GroupID and SecondaryID assignments can affect the naming of and access to database objects.
Primary AuthID | Secondary ID | Group Name | Creates Table...1 | Owner | Authorized Users |
---|---|---|---|---|---|
TECHPUBS | -- | -- | Created as a Primary AuthID. Privileges are assigned. Used as a SecondaryID for one or more Primary AuthIDs. | ||
-- | -- | WRITER | Created as a group. Privileges are assigned to the group. GroupIDs are assigned to Primary AuthIDs. | ||
ERIC | -- | -- | ERIC.TABLE1 | ERIC | ERIC |
DEBBIE | -- | -- | DEBBIE.TABLE1 | DEBBIE | DEBBIE |
DAVID | -- | WRITERS | DAVID.TABLE1 | DAVID | DAVID and, if access is granted to WRITERS, also ARLENE. |
ARLENE | -- | WRITERS | ARLENE.TABLE1 | ARLENE | ARLENE and, if access is granted to WRITERS, also DAVID. |
ROCHELLE | TECHPUBS | -- | TECHPUBS.TABLE1 | TECHPUBS | Users with TECHPUBS as SecondaryID (ROCHELLE, STEVE, PABLO, BRUCE) and, if access is granted to WRITERS, also DAVID, ARLENE. |
STEVE | TECHPUBS | -- | TECHPUBS.TABLE2 | TECHPUBS | Users with TECHPUBS as SecondaryID (ROCHELLE, STEVE, PABLO, BRUCE) and, if access is granted to WRITERS, also DAVID, ARLENE. |
PABLO | TECHPUBS | WRITERS (ignored)2 |
TECHPUBS.TABLE3 | TECHPUBS | Users with TECHPUBS as SecondaryID (ROCHELLE, STEVE, PABLO, BRUCE) |
BRUCE | TECHPUBS | WRITERS (ignored)2 |
TECHPUBS.TABLE4 | TECHPUBS | Users with TECHPUBS as SecondaryID (ROCHELLE, STEVE, PABLO, BRUCE) |
1All scenarios described here assume that the user does NOT specify an AuthID when creating the object and the user has NOT changed his Current SQLID.
2Pablo and Bruce do NOT have privileges defined for the group WRITERS because as soon as they log in, they both become TECHPUBS, and TECHPUBS is not assigned to the group WRITERS in this example.
As shown in the table above, the AuthID portion of the name assigned to a database object when it is created, and the users who have access to that object depend on how AuthIDs, GroupIDs, and SecondaryIDs are defined. The object naming and usage rules are as follows:
If user DAVID (who is in the WRITERS group) creates a table called STAFF in the location called BOOKS, the table's three-part name would be BOOKS.DAVID.STAFF. If user ARLENE (who is also assigned to the WRITERS group) attempts to create a table called STAFF, the table's three-part name would be BOOKS.ARLENE.STAFF. Since the three-part names of the two tables are unique, each user can have a table of the same one-part name within a location.
If user ROCHELLE (who has a SecondaryID of TECHPUBS) creates a table called STAFF in the location called BOOKS, the table's three-part name would be BOOKS.TECHPUBS.STAFF. If user STEVE (who also has TECHPUBS as his SecondaryID) attempts to create a table called STAFF, the table's three-part name would also be BOOKS.TECHPUBS.STAFF. This is not allowed.
Users ROCHELLE, STEVE, PABLO, and BRUCE all have all privileges on TECHPUBS.TABLE1, TECHPUBS.TABLE2, TECHPUBS.TABLE3, and TECHPUBS.TABLE4. GRANT and REVOKE commands for these users and tables will have no effect.
If an object has a different owner, then granting privileges to the SecondaryID will give those privileges to all users who have that SecondaryID as their Current SQLIDs.