Effect of Fragment-Level Authorization in Statement Validation
Fragment-level privileges enable users to execute INSERT, DELETE, and UPDATE data manipulation language (DML) statements on table fragments, even if the grantees lack the Insert, Update, and Delete privileges on the table as a whole. Users who lack the table privileges can still insert, delete, and update rows in authorized fragments because of the algorithm by which the database server validates DML statements. This algorithm consists of the following checks, applied in order:
- When a user executes an INSERT, DELETE, or UPDATE statement, the database server first checks whether the user has the table privileges necessary for the operation attempted. If the table privileges exist, the statement continues processing.
- If the table privileges do not exist, the database server checks whether the table is fragmented by expression. If the table is not fragmented by expression, the database server returns an error to the user. This error indicates that the user does not have the privilege to execute the statement.
- If the table is fragmented by expression, the database server checks whether the user holds the fragment privileges necessary for the attempted operation. If the user holds the required fragment privileges, the database server continues to process the statement. If the fragment privileges do not exist, the database server returns an error to the user. This error indicates that the user does not have the privilege to execute the statement.
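
The three checks above, modeled as an added Python example (not Informix code and not part of the original documentation), with an audit helper that lists the access a user keeps through fragment privileges alone. The table, user, and fragment names are constructed, and the caller is assumed to supply the fragment that the affected row falls in.

```python
# Added illustration: a model of the three validation checks, not Informix code.
from dataclasses import dataclass, field

@dataclass
class Table:
    name: str
    fragmented_by_expression: bool
    table_privs: dict = field(default_factory=dict)     # user -> {"INSERT", ...}
    fragment_privs: dict = field(default_factory=dict)  # (user, fragment) -> {"INSERT", ...}

def validate_dml(table, user, op, fragment=None):
    """Return (allowed, reason) for op in INSERT / DELETE / UPDATE.

    Assumption: `fragment` is the fragment the affected row falls in,
    already resolved by the caller from the fragmentation expression.
    """
    # Check 1: a table-level privilege lets the statement continue.
    if op in table.table_privs.get(user, set()):
        return True, "table privilege"
    # Check 2: without table privileges, only expression-fragmented tables go on.
    if not table.fragmented_by_expression:
        return False, "no table privilege; table not fragmented by expression"
    # Check 3: fragment-level privilege for the attempted operation.
    if op in table.fragment_privs.get((user, fragment), set()):
        return True, f"fragment privilege on {fragment}"
    return False, f"no fragment privilege on {fragment}"

def effective_access(table, users, fragments):
    """Audit helper: every (user, op, fragment) the checks would let through."""
    granted = []
    for user in users:
        for op in ("INSERT", "DELETE", "UPDATE"):
            for frag in fragments:
                ok, reason = validate_dml(table, user, op, frag)
                if ok:
                    granted.append((user, op, frag, reason))
    return granted

# Constructed sample data (all names are hypothetical).
ORDERS = Table(
    "orders", True,
    table_privs={"alice": {"INSERT", "UPDATE", "DELETE"}},
    fragment_privs={("bob", "part_east"): {"INSERT", "UPDATE"}},
)
# Fragment grant recorded on a table that is not fragmented by expression:
# check 2 returns the error before fragment privileges are consulted.
AUDIT_LOG = Table("audit_log", False, fragment_privs={("bob", "part_1"): {"INSERT"}})

if __name__ == "__main__":
    for row in effective_access(ORDERS, ["alice", "bob"], ["part_east", "part_west"]):
        print(row)
```

When reviewing who can modify a table, the output of `effective_access` shows why an audit of table-level privileges alone undercounts: `bob` holds no table privilege on `orders` yet can still insert and update rows in `part_east`.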