check result of REVOKE!

dr_te_z · #1 (**permalink**) 06-04-10, 03:17

Wow, I did not know that:
When you grant DBADM rights to a user and REVOKE that later on all kind of priviliger still exist and have to be REVOKED as well. Here is the result (db2look -d sample -xd) of the "leftovers" after a grant & revoke of user "dick".

Code:

GRANT CREATETAB 	ON DATABASE  TO USER "DICK    " ;
GRANT BINDADD 		ON DATABASE  TO USER "DICK    " ;
GRANT CONNECT 		ON DATABASE  TO USER "DICK    " ;
GRANT CREATE_NOT_FENCED ON DATABASE  TO USER "DICK    " ;
GRANT IMPLICIT_SCHEMA 	ON DATABASE  TO USER "DICK    " ;
GRANT LOAD 		ON DATABASE  TO USER "DICK    " ;
GRANT QUIESCE_CONNECT 	ON DATABASE  TO USER "DICK    " ;

This is not a bug, its documented behaviour DB2 Database for Linux, UNIX, and Windows but you should be aware! So run that db2look report from time-to-time an check for things from which you thought you took care of that....

Cougar8000 · #2 (**permalink**) 06-04-10, 09:18

Yeap, many people also ignore the fact, or simply do not know, that when they create a new SCHEMA using a CREATE TABLE in a new schema. It gives all the other users ability to create objects in that schema as well.

Thus, you should always define a new schema prior to building objects in it.

Internet Services

Web Development

Digital Marketing

Consumer Tech