DB2 Permissions

There are two sets of permissions involved with the in-database software.
  • The first set of permissions is needed by the person who publishes the SAS_COMPILEUDF and SAS_DELETEUDF functions and creates the SASUDF_COMPILER_PATH and SASUDF_DB2PATH global variables.
    These permissions must be granted before the %INDB2_PUBLISH_COMPILEUDF and %INDB2_PUBLISH_DELETEUDF macros are run. Without these permissions, running these macros fails.
    The following table summarizes the permissions that are needed by the person who publishes the functions and creates the global variables.
    Permission Needed
    Authority Required to Grant Permission
    Examples
    CREATEIN permission for the SASLIB schema in which the SAS_COMPILEUDF and SAS_DELETEUDF functions are published and the SASUDF_COMPILER_PATH and SASUDF_DB2PATH global variables are defined
    System Administrator or Database Administrator
    Note: If you have SYSADM or DBADM authority or are the DB2 instance owner, then you have these permissions. Otherwise, contact your database administrator to obtain these permissions.
    GRANT CREATEIN ON SCHEMA SASLIB 
    TO compiledeletepublisheruserid
    CREATE_EXTERNAL_ROUTINE permission to the database in which the SAS_COMPILEUDF and SAS_DELETEUDF functions are published
    GRANT CREATE_EXTERNAL_ROUTINE ON 
    DATABASE TO 
    compiledeletepublisheruserid
  • The second set of permissions is needed by the person who publishes the format or scoring model functions. The person who publishes the format or scoring model functions is not necessarily the same person who publishes the SAS_COMPILEUDF and SAS_DELETEUDF functions and creates the SASUDF_COMPILER_PATH and SASUDF_DB2PATH global variables. These permissions are most likely needed by the format publishing or scoring model developer. Without these permissions, the publishing of the format or scoring model functions fails.
    Note: Permissions must be granted for every format or scoring model publisher and for each database that the format or scoring model publishing uses. Therefore, you might need to grant these permissions multiple times.
    Note: If you are using the SAS Embedded Process to run your scoring functions, only the CREATE TABLE permission is needed.
    After the DB2 permissions have been set appropriately, the format or scoring publishing macro should be called to register the formats or scoring model functions.
    The following table summarizes the permissions that are needed by the person who publishes the format or scoring model functions.
    Permission Needed
    Authority Required to Grant Permission
    Examples
    EXECUTE permission for functions that have been published.
    This enables the person who publishes the formats or scoring model functions to execute the SAS_COMPILEUDF and SAS_DELETEUDF functions.
    System Administrator or Database Administrator
    Note: If you have SYSADM or DBADM authority, then you have these permissions. Otherwise, contact your database administrator to obtain these permissions.
    GRANT EXECUTE ON FUNCTION 
    SASLIB.* TO 
    scoringorfmtpublisherid
    CREATE_EXTERNAL_ROUTINE permission to the database to create format or scoring model functions
    GRANT CREATE_EXTERNAL_ROUTINE ON 
    DATABASE TO 
    scoringorfmtpublisherid
    CREATE_NOT_FENCED_ROUTINE permission to create format or scoring model functions that are not fenced
    GRANT CREATE_NOT_FENCED_ROUTINE 
    ON DATABASE TO 
    scoringorfmtpublisherid
    CREATEIN permission for the schema in which the format or scoring model functions are published if the default schema (SASLIB) is not used
    GRANT CREATEIN ON SCHEMA 
    scoringschema TO 
    scoringorfmtpublisherid
    CREATE TABLE permission to create the model table used in with scoring and the SAS Embedded Process
    GRANT CREATETAB TO 
    scoringpublisherSEPid
    READ permission to read the SASUDF_COMPILER_PATH and SASUDF_DB2PATH global variables
    Note: The person who ran the %INDB2_PUBLISH_COMPILEUDF macro has these READ permissions and does not need to grant them to himself or herself again.
    Person who ran the %INDB2_PUBLISH_COMPILEUDF macro
    Note: For security reasons, only the user who created these variables has the permission to grant READ permission to other users. This is true even for the user with administrator permissions such as the DB2 instance owner.
    GRANT READ ON VARIABLE 
    SASLIB.SASUDF_DB2PATH TO 
    scoringorfmtpublisherid
    
    GRANT READ ON VARIABLE 
    SASLIB.SASUDF_COMPILER_PATH
    TO scoringorfmtpublisherid
Note: If you plan to use SAS Model Manager with the SAS Scoring Accelerator for in-database scoring, additional permissions are required. For more information, see Configuring SAS Model Manager.
Last updated: February 9, 2017