Support for roles and user identity

You can use roles with SPL routines. You can execute role-related SQL statements (CREATE ROLE, DROP ROLE, GRANT, REVOKE, and SET ROLE) and a user who holds the SETSESSIONAUTH privilege can issue SET SESSION AUTHORIZATION statements in an SPL routine. Within an SPL routine, you can also use the GRANT statement
  • to grant discretionary access privileges to roles,
  • or grant label-based access credentials (LBAC) to roles,
  • or grant other roles to roles.
An SPL routine can also use the REVOKE statement to cancel the access privileges, the LBAC credentials, or the roles that a role holds.

Access privileges, roles, and LBAC credentials that a user has acquired in an SPL routine by enabling a role or by a SET SESSION AUTHORIZATION statement are not automatically relinquished after the SPL routine that granted the privilege, role, or LBAC credential completes execution. What was granted persists until a subsequent REVOKE operation cancels the effect of the GRANT operation.

For further information about roles, see the CREATE ROLE statement, DROP ROLE statement, GRANT statement, REVOKE statement, and SET ROLE statement in Chapter 2.