IBM Db2 Dynamic Data Masking Administrator Required Privileges
The Dynamic Data Masking administrator must have privileges to access sensitive tables and columns.
Use the IBM Db2 Control Center to create a privileged database user, <DDM Admin>, that corresponds to either an administrator user or a standard user on your operating system.
If <DDM Admin> corresponds to an administrator user on your operating system, you do not need to grant the user additional privileges.
If <DDM Admin> corresponds to a standard user on your operating system, the user must have SYSMON authorization or higher. If you use the encrypted password option, you must also run the following commands:
GRANT SELECT ON SYSIBMADM.SNAPAPPL_INFO TO <DDM Admin>
GRANT EXECUTE ON SYSPROC.SNAPAPPL_INFO_V9 TO <DDM Admin>
If you use the encrypted password option and an ODBC driver, <DDM Admin> must be able to access the SYSIBMADM.SNAPAPPL_INFO database table.
Additional Privilege for SELECT * Statements
If your Dynamic Data Masking security rules need to support column masking on SELECT * statements, you must run the following command:
GRANT SETSESSIONUSER ON PUBLIC TO <DDM Admin>
Alternatively, you can run the following commands:
GRANT SELECT ON <table being queried> TO <DDM Admin>
GRANT EXECUTE ON <user-defined function used in a PL/SQL action or stored program object> TO <DDM Admin>
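To confirm which of the grants above <DDM Admin> actually holds, you can query the Db2 catalog. The queries below are an added example, not part of the original documentation; DDMADMIN is a hypothetical authorization ID standing in for <DDM Admin>, and the queries show only privileges granted directly to that ID, not those inherited through a group or role.

```sql
-- Added example. 'DDMADMIN' is a hypothetical authorization ID; replace it
-- with the ID you created for <DDM Admin>.

-- 1. SYSMON authorization or higher (needed for a standard OS user).
--    Each D_* column shows whether the authority is held directly,
--    through a group, or through PUBLIC.
SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC
FROM TABLE(SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID('DDMADMIN', 'U')) AS T
WHERE AUTHORITY IN ('SYSMON', 'SYSMAINT', 'SYSCTRL', 'SYSADM');

-- 2. SELECT on SYSIBMADM.SNAPAPPL_INFO (encrypted password option).
SELECT GRANTEE, GRANTEETYPE, TABSCHEMA, TABNAME, SELECTAUTH
FROM SYSCAT.TABAUTH
WHERE GRANTEE = 'DDMADMIN'
  AND TABSCHEMA = 'SYSIBMADM'
  AND TABNAME = 'SNAPAPPL_INFO';

-- 3. EXECUTE on SYSPROC.SNAPAPPL_INFO_V9 (encrypted password option).
--    ROUTINEAUTH records the specific name, so join to ROUTINES to
--    match on the routine name used in the GRANT statement.
SELECT A.GRANTEE, R.ROUTINESCHEMA, R.ROUTINENAME, A.EXECUTEAUTH
FROM SYSCAT.ROUTINEAUTH A
JOIN SYSCAT.ROUTINES R
  ON R.ROUTINESCHEMA = A.SCHEMA
 AND R.SPECIFICNAME = A.SPECIFICNAME
WHERE A.GRANTEE = 'DDMADMIN'
  AND R.ROUTINESCHEMA = 'SYSPROC'
  AND R.ROUTINENAME = 'SNAPAPPL_INFO_V9';

-- 4. SETSESSIONUSER (SELECT * masking). A row with
--    SURROGATEAUTHID = 'PUBLIC' means DDMADMIN can assume the identity
--    of any authorization ID; no row means the narrower per-table
--    SELECT and per-function EXECUTE grants are the ones in effect.
SELECT TRUSTEDID, TRUSTEDIDTYPE, SURROGATEAUTHID, SURROGATEAUTHIDTYPE,
       GRANTOR, GRANT_TIME
FROM SYSCAT.SURROGATEAUTHIDS
WHERE TRUSTEDID = 'DDMADMIN';
```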