Considerations For Grant Schema - HP Neoview SQL Reference Manual

TO {grantee [,grantee]... }
specifies one or more roles to whom you grant privileges.
grantee is authid
authid specifies an authorization ID to whom you grant privileges. Authorization IDs
identify roles during the processing of SQL statements. The authorization ID must be a valid
role name enclosed in double quotes. authid is not case-sensitive.
GRANT SCHEMA allows two special authorization IDs called PUBLIC and SYSTEM.
• PUBLIC grants the privilege to all present and future authorization IDs.
• SYSTEM specifies the implicit grantor of privileges to the creator of objects. You cannot
specify SYSTEM as an authid in a GRANT SCHEMA statement.
WITH GRANT OPTION
specifies that roles to whom privileges are granted have the right to grant the same privilege
to other roles.

Considerations for GRANT SCHEMA

Authorization and Availability Requirements
To grant a privilege on a schema, you must have both that privilege and the right to grant that
privilege. That is, the privilege must have been issued to you WITH GRANT OPTION and not
revoked. If you lack authority to grant one or more of the specific privileges, the system returns
a warning (and does grant any of the specified privileges that you do have authority to grant).
If you have none of the specified privileges WITH GRANT OPTION, the system returns an error.
Create and Alter Options
Even though the grantee has been given the CREATE or ALTER privilege, or variant of these
privileges, the CREATE or ALTER statement might not succeed. If a subsequent request references
an object that the grantee has insufficient privilege for, the operation fails. For example, if the
CREATE_VIEW privilege was granted to an authid and a CREATE VIEW statement was requested
that references a table that the authid has insufficient privileges on, the CREATE VIEW fails. For
example, as role.dba:
CREATE SCHEMA sales;
CREATE TABLE sales.odetail ...
GRANT CREATE_VIEW ON SCHEMA sales TO role.payroll;
If role.payroll tries to create a view, it fails with insufficient privilege.
If role.dba:
GRANT SELECT ON TABLE sales.detail TO "role.payroll"
then role.payroll is able to create the view.
Schema Privileges and Synonyms
If you have a synonym that references an object in another schema, you must have the correct
schema privileges on the schema where the referenced object resides. For example:
role.user1:
CREATE TABLE schema1.abc (col1 char not null primary key);
CREATE SYNONYM schema2.sabc FOR schema1.abc;
GRANT SELECT ON schema schema2 TO "role_user2";
role.user2:
SELECT * FROM mytestcat.schema.sabc;
The SELECT fails because role.user2 does not have select privileges on schema1.abc even though
role.user2 has select privileges on schema2.sabc.
142 SQL Statements