0

UPDATED question: The core of my problem is: The stored procedure I (User1) created is not able to select from a specific table (table1, created by another user (User2)) due to:

CREATE OR REPLACE PROCEDURE TEST_SCHEMA.TEST_PROCEDURE(OUT r_count INTEGER)
LANGUAGE SQL
BEGIN
       SET r_count = (SELECT COUNT(*) FROM TEST_SCHEMA.TABLE1);
END

OK. No rows were affected SQLWarning: Code: 20480 SQL State: 0168Y --- The newly defined object "TEST_SCHEMA.TEST_PROCEDURE" is marked as invalid because it references an object "TEST_SCHEMA.TABLE1" which is not defined or is invalid, or the definer does not have privilege to access it.. SQLCODE=20480, SQLSTATE=0168Y, DRIVER=4.22.29

However, when I select from table1 in a normal query window there is no problem, hence I thought something was wrong with the security option on the stored procedure.

SELECT COUNT(*) FROM TEST_SCHEMA.TABLE1

Table and stored procedure names are fully qualified. The stored procedure is created and executed by user1. The privilege given to user1 to select from table1 is a group privilege.

4
  • You get the error because Db2-LUW at current versions has no such syntax (as security definer) for creating SQL procedures. The AUTHID that is running the create or replace procedure will be used for determining security for static SQL inside that procedure. Maybe clarify what you mean?
    – mao
    Commented Mar 11, 2019 at 9:47
  • Thanks for clarifying that db2-luw currently does not use the 'security definer' syntax. The core of my problem is: The stored procedure I created is not able to select from a specific table due to "..., or the definer does not have privilege to access it.." However, when I select from the specific table in a normal query window there is no problem, hence I thought something was wrong with the security option on the stored procedure. Is the problem understandable? Commented Mar 11, 2019 at 10:10
  • Maybe edit your question to give a minimal complete verifiable example. We cannot tell if the stored-procedure owner (who ran the create) is different from the user that performs the CALL, whether static or dynamic SQL is in use, whether you are using ROLES or groups or both, etc.
    – mao
    Commented Mar 11, 2019 at 10:21
  • The updated text requires more details about the SP. How do you access the table? Is it fully qualified and the same table? Commented Mar 11, 2019 at 10:31

1 Answer

1

The procedure creator must have the corresponding privilege on a statically referenced table, either directly or via roles.

CREATE PROCEDURE (SQL) statement:

Authorization
The privileges held by the authorization ID of the statement must include at least one of the following authorities:

  • If the implicit or explicit schema name of the procedure does not exist, IMPLICIT_SCHEMA authority on the database.
  • If the schema name of the procedure refers to an existing schema, CREATEIN privilege on the schema.
  • DBADM authority

The privileges held by the authorization ID of the statement must also include all of the privileges necessary to invoke the SQL statements that are specified in the procedure body.

To replace an existing procedure, the authorization ID of the statement must be the owner of the existing procedure (SQLSTATE 42501).

Group privileges are not considered for any table or view specified in the CREATE PROCEDURE (SQL) statement.

8
  • Thank you for the answer, that explains the problem. Do you know if there is a solution to the problem? For example, would it help to transfer ownership of the procedure and corresponding package to a user that has the privileges as a user, and not via group privileges? Commented Mar 11, 2019 at 12:08
  • Consider using ROLEs, if you don't want to explicitly grant at user level.
    – mao
    Commented Mar 11, 2019 at 12:11
  • @EmilMøllerBartels transfer ownership of procedure-designator should help. As stated at the link: Transferring ownership of an SQL procedure that has an associated package also implicitly transfers ownership of the package to the new owner. Commented Mar 11, 2019 at 13:56
  • Yes, TRANSFER OWNERSHIP did the job just fine. Thank you for quick and useful answers, @MarkBarinstein and @mao. Commented Mar 11, 2019 at 14:15
  • A quick bonus question: If I call the stored procedure BEFORE I transfer ownership to USER2 (who has the correct privileges), and the procedure of course fails, then it still fails after I have transferred ownership. However, if I wait and call the procedure after I have transferred ownership, it does not fail. Commented Mar 19, 2019 at 9:37
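
The diagnosis and the two fixes discussed in this thread (a role grant, or TRANSFER OWNERSHIP), written out as an added example that is not part of the original posts. Object and user names are taken from the question; the role name TABLE1_READER, the script file name and the authorities of the connections that run each step are assumptions.

```sql
-- Added example. Run from the Db2 CLP with "@" as the statement terminator:
--   db2 -td@ -vf fix_privilege.sql      (hypothetical file name)

-- 1. Diagnose: how is SELECT on the table held?
--    GRANTEETYPE: 'U' = user, 'G' = group, 'R' = role.
--    If USER1 only reaches the table through a 'G' row, ad-hoc queries work,
--    but the grant is not considered by CREATE PROCEDURE (SQL).
SELECT GRANTEE, GRANTEETYPE, SELECTAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'TEST_SCHEMA'
   AND TABNAME   = 'TABLE1'@

-- 2a. Fix with a role instead of a group.
--     Assumes a connection holding SECADM (to create and grant the role)
--     and the authority to grant SELECT on the table.
--     The role carries SELECT on this one table only.
CREATE ROLE TABLE1_READER@
GRANT SELECT ON TABLE TEST_SCHEMA.TABLE1 TO ROLE TABLE1_READER@
GRANT ROLE TABLE1_READER TO USER USER1@

--     Then, connected as USER1, re-create the procedure so that its
--     static SQL is checked against the role privilege.
CREATE OR REPLACE PROCEDURE TEST_SCHEMA.TEST_PROCEDURE(OUT r_count INTEGER)
LANGUAGE SQL
BEGIN
    SET r_count = (SELECT COUNT(*) FROM TEST_SCHEMA.TABLE1);
END@

-- 2b. Alternative: hand the procedure (and its package) to a user that
--     holds the privilege directly. Run as the current owner (USER1).
--     Assumes USER2 holds SELECT on TABLE1 as a user, not via a group.
TRANSFER OWNERSHIP OF PROCEDURE TEST_SCHEMA.TEST_PROCEDURE
    TO USER USER2 PRESERVE PRIVILEGES@

-- 3. Verify the owner and that the routine is no longer marked invalid
--    (VALID = 'Y').
SELECT ROUTINENAME, OWNER, VALID
  FROM SYSCAT.ROUTINES
 WHERE ROUTINESCHEMA = 'TEST_SCHEMA'
   AND ROUTINENAME   = 'TEST_PROCEDURE'@
```

Steps 2a and 2b are alternatives; apply one of them, not both.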
