Row permission

A row permission is a database object that describes a specific row access control rule for a table. In the form of an SQL search condition, the rule specifies the conditions under which a user, group, or role can access the rows of data in the table.

Stored in the system catalog, row permissions can be created on all base tables except materialized query tables, and they are maintained on an individual basis. The definition of each row permission may reference the user, group, or role in the search condition.

If multiple row permissions are defined for a table and when row access control is activated, the search condition in each row permission is connected by the logical OR operator to form the row access control search condition. This row access control search condition is applied whenever the table is accessed. It acts as a filter to the table before any other user-specified operations, such as predicates and ordering, are processed. It also acts like the WITH CHECK OPTION clause of a view to ensure that a row to be inserted or updated conforms to the definitions of the row permissions in an INSERT, UPDATE, or MERGE statement.

Only an authorization ID or role with the SECADM or SYSADM authority can manage row permissions. If the SEPARATE_SECURITY system parameter on panel DSNTIPP1 is set to YES during installation or migration, you must have the SECADM authority to create, alter, or drop row permissions. If SEPARATE_SECURITY is set to NO, you must have the SECADM or SYSADM authority.