How Database Privileges for a Session Are Determined
The authorization hierarchy (see
How Privileges for a Session Are Determined) is used to determine the session’s database privileges. The hierarchy includes the privileges granted to the authorization identifiers in effect for the session, and the internal defaults.
When a user begins a session:
• The privileges in effect for that session are derived from the privileges defined for the user identifier and for public. For example, while you might have the privilege to select all the tables in the database, you might only have the update permission on a limited number of those tables. If the user includes the ‑G or ‑R flag, or both, on the command line when beginning the session, then the privileges for the specified group or role identifier are also in effect for the session.
• If the user has a default group identifier defined for the user ID, when the user begins a session without specifying a group identifier, the default group identifier is automatically applied to the session. A default group identifier can be specified for a user when a user object is created or modified.