Privileges for using ArcGIS with a Db2 database—ArcGIS Pro

Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.

As an IBM Db2 database administrator, you create groups based on what users need to do in the database, grant privileges to the groups, and add the appropriate users to each group. This page lists the minimum required privileges for common types of users for which you would create groups: data viewers, data editors, and data creators.

These privileges apply to using ArcGIS with a Db2 database. If you need to know the privileges required to use a geodatabase in Db2, see Privileges for geodatabases in Db2.

Db2 grants CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus the USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views to the PUBLIC group by default. To remove any of these database authorities, a database administrator must explicitly revoke them from the PUBLIC group.

If you revoke any of these privileges from the PUBLIC group, grant them to individual users or groups. For example, if you revoke CONNECT from PUBLIC, grant CONNECT to specific groups so that group members can connect to the database. Similarly, if you revoke SELECT on the system catalog views or tables from PUBLIC, you must grant individual users or groups SELECT on the following to allow users to connect:

SYSIBM.SYSDUMMY1 (catalog view)
SYSCAT.ROLEAUTH
SYSCAT.DBAUTH
SYSCAT.TABAUTH

Privileges for Db2
Type of user	Required privileges	Purpose
Data viewer	CONNECT to the database SELECT on SYSIBM.SYSDUMMY1, SYSCAT.ROLEAUTH, SYSCAT.DBAUTH, and SYSCAT.TABAUTH	These privileges allow the user to connect to the database.
Data viewer	SELECT on other users' tables	Data viewers must have the SELECT privilege on specific tables you want them to query.
Data editor* Data editors require the same privileges as data viewers, plus these additional privileges.	INSERT, UPDATE, DELETE on other users' tables CREATEIN, ALTERIN, and DROPIN for the necessary schema CONTROL, ALTER, DELETE, INSERT, and UPDATE REFERENCES on SYSIBM.SYSDUMMY1	These privileges allow editors to edit data owned by other users. You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you can create multiple editor groups and grant the appropriate privileges to each. For example, you can have a full_edit group that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group that has only SELECT and UPDATE privileges on the tables members need to edit.
Data creator Data creators require the same privileges as data viewers, plus these additional privileges.	CREATETAB in database CONTROL on database objects	These privileges allow data creators to create and own tables and feature classes in the database.

*To edit data, publish editable web feature layers that reference the data in your Db2 database.

Feedback on this topic?