Authorization Requirements

Unless you are a Security Administrator or the Super ID, to grant a privilege on an object or schema, you must have both that privilege and the right to grant that privilege. That is, the privilege must have been issued to you WITH GRANT OPTION and not revoked. If you lack authority to grant one or more of the specified privileges, the system returns a warning but still grants those specified privileges that you do have authority to grant. If you have none of the specified privileges WITH GRANT OPTION, the system returns an error. The owner of an object or schema automatically holds all relevant privileges on that object or schema WITH GRANT OPTION. These inherent owner privileges are nonrevocable.

If you are a Security Administrator, then you are exempt from the above restriction and may grant a privilege without having that privilege. However, such grants may not be made to PUBLIC, to a Security Administrator, or using WITH GRANT OPTION. The grantor recorded for all grants by Security Administrators is the authorization ID of the Security Administrator executing the grant. This provides traceability back to the Security Administrator who granted a privilege. Security Administrators may hold an owner-derived WITH GRANT OPTION privilege, in which case they may grant that privilege like any other user (including to PUBLIC and using WITH GRANT OPTION). This latter type of grant is included in the hierarchy of owner-derived grants.

If you are the Super ID, then your grant privileges depend on the Security Administrator's Group. If the Security Administrator's Group is empty, then you may grant any privilege on any object. Such grants behave like a GRANT BY authid-grantor where the authid-grantor is the object owner.

If the Super ID is designated as a Security Administrator, then the Super ID has the same privileges as any other Security Administrator plus the ability to execute GRANT BY authid-grantor. In this case, if BY authid-grantor is omitted, then the implied grantor is the same as with any other Security Administrator grant; that is, the implied grantor is the executing Security Administrator (the Super ID) instead of the object owner.

Authorization rules for GRANT and REVOKE of privileges at the schema level are the same as those at the object level. If the Security Administrator's Group is not empty and the Super ID is not designated as a Security Administrator, the Super ID has the same restrictions as any ordinary user with respect to the GRANT statement.
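
The rules above can be read as one decision procedure. The following Python model is an added example, not code from the product or its documentation; it covers GRANT without a BY authid-grantor clause. The names GrantContext and evaluate_grant, the status strings, and the treatment of held_wgo as owner-derived privileges are assumptions made for illustration.

```python
from dataclasses import dataclass

PUBLIC = "PUBLIC"


@dataclass(frozen=True)
class GrantContext:
    executor: str          # authorization ID running the GRANT
    owner: str             # owner of the object or schema
    super_id: str          # the Super ID
    sec_admins: frozenset  # members of the Security Administrator's Group
    held_wgo: frozenset    # privileges the executor holds WITH GRANT OPTION


def evaluate_grant(ctx, requested, grantee, with_grant_option=False):
    """Return (status, granted_privileges, recorded_grantor)."""
    requested = frozenset(requested)
    if ctx.executor == ctx.super_id and not ctx.sec_admins:
        # Empty group: the Super ID may grant any privilege; the grant behaves
        # like GRANT BY authid-grantor with the object owner as grantor.
        return "ok", requested, ctx.owner
    # Owners inherently hold every relevant privilege WITH GRANT OPTION.
    held = requested if ctx.executor == ctx.owner else requested & ctx.held_wgo
    granted = held
    if ctx.executor in ctx.sec_admins:
        # Exemption: grant without holding the privilege, but never to PUBLIC,
        # to a Security Administrator, or using WITH GRANT OPTION.
        restricted = (grantee == PUBLIC or grantee in ctx.sec_admins
                      or with_grant_option)
        if not restricted:
            granted = requested
    if not granted:
        return "error", frozenset(), None
    # Assumptions: the warning-on-partial rule is applied to every executor,
    # and an ordinary user's grants are recorded under their own ID.
    status = "ok" if granted == requested else "warning"
    return status, granted, ctx.executor
```

A Super ID that is not in a non-empty Security Administrator's Group falls through to the ordinary-user path, and a Super ID that is in the group is recorded as grantor under its own ID rather than the owner's.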

A DML privilege granted on a schema extends as access rights on an individual object in that schema if:
  • The schema owner holds the privilege WITH GRANT OPTION on the object.
  • The grantor is a Security Administrator.