SETSESSIONAUTH Clause

The GRANT SETSESSIONAUTH statement grants the SETSESSIONAUTH privilege to one or more users or roles. This privilege allows the holder to use the SET SESSION AUTHORIZATION statement to set the session authorization to PUBLIC or to any one of a list of specified users.

SETSESSIONAUTH Clause

1   SETSESSIONAUTH ON
2.1   PUBLIC
2.1 + ,?  USER user   TO
2.1+ ,
2.1 ?  USER user
2.1 ?  ROLE role

Element Description Restrictions Syntax
role Role to which the privilege is to be granted Must be the authorization identifier of a role Owner name
user After the TO keyword, a user to whom the privilege is to be granted. After the ON keyword, a user whose identity the grantee can specify in the SET AUTHORIZATION statement. Must be the authorization identifier of a user Owner name

Only a user who holds the DBSECADM role can grant the SETSESSIONAUTH privilege. Both the SETSESSIONAUTH privilege and the DBA privilege are required to execute the SET AUTHORIZATION statement.

The user or PUBLIC specification that follows the ON keyword specifies whose identity the grantee of the SETSESSIONAUTH privilege can take while using SET SESSION AUTHORIZATION statement. This can be a user or PUBLIC but not a role. If PUBLIC is specified, then the grantee of the privilege can assume the identity of any database user.

The USER and ROLE keywords that can follow the TO keyword are optional. Neither the user nor the role can be the holder of the DBSECADM role who issues the GRANT SETSESSIONAUTH statement. The TO clause cannot specify PUBLIC as the grantee.

The following example grants to user sam the ability to set the session authorization to users lynette and manoj: 
GRANT SETSESSIONAUTH ON lynette, manoj TO sam;
The next example grants to user lynette the ability to set the session authorization to PUBLIC: 
GRANT SETSESSIONAUTH ON PUBLIC TO lynette;

Only a user who holds the DBSECADM role can revoke the SETSESSIONAUTH privilege. For a discussion of LBAC security objects, see your HCL OneDB™ Security Guide