The system implicitly grants ownership of any object to the owner of the space that contains the object. The owning user is the parent and any users contained in the owner space are child users. In turn, a child becomes the parent of any new users it creates. All owners and parents within the ownership hierarchy implicitly possess certain privileges on all lower-level objects contained in the space they own.
Implicit privileges for an owner/parent are similar to the privileges a creator automatically receives on a created object, as listed in Privilege Dictionary, except that the system does not insert rows for implicit privileges in the DBC.AccessRights table as it does for a creator.
Ownership privileges normally include the discretionary privilege to grant full access on any owned object to other users, unless the object is protected by row level security, in which case user access to the object is limited by security constraint assignments. Owners do not have the privilege to administer security constraints unless they are granted the CONSTRAINT DEFINITION and CONSTRAINT ASSIGNMENT privileges. See Implementing Row Level Security.
Ownership is subject to these additional rules:
- You cannot revoke ownership privileges.
- Privileges implicitly available to an owner are not all-inclusive, but an owner/parent may grant itself additional privileges on any objects that its child users own.
- A user does not own itself, and therefore does not have implicit privileges on itself. Created users do receive some automatic privileges. See Automatic Privileges.
- Although the DBC.AccessRights table does not list ownership privileges, these privileges are subject to access logging, if it is enabled. For information on access logging, see Monitoring Database Access.
Site security policy must take into account the ownership hierarchy and resulting implicit privileges in setting guidelines for creating databases and users.
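The following added example (not Teradata code) models why a privilege review that reads only explicit rows undercounts who can reach an object: it walks a constructed ownership tree and reports owners/parents that hold implicit privileges without any row. The `PARENT` map, the `EXPLICIT_ROWS` list standing in for DBC.AccessRights, and every user and database name other than DBC are assumptions made for illustration.

```python
# Constructed sample data: an ownership tree and explicit rows standing in for
# DBC.AccessRights. All names other than DBC are hypothetical.
PARENT = {            # child space -> immediate owner (parent)
    "Finance": "DBC",
    "fin_admin": "Finance",
    "fin_etl": "fin_admin",   # fin_admin created fin_etl, so it is its parent
    "Payroll": "fin_etl",
}
EXPLICIT_ROWS = [     # (grantee, space, privilege) rows an audit would query
    ("fin_etl", "Payroll", "SELECT"),
    ("auditor1", "Payroll", "SELECT"),
]


def owners_of(space, parent=PARENT):
    """Return every owner/parent above `space`, nearest first.

    A space never appears in its own result: a user does not own itself.
    """
    chain, seen = [], {space}
    node = parent.get(space)
    while node is not None:
        if node in seen:            # defend against a corrupted (cyclic) map
            raise ValueError(f"ownership cycle at {node!r}")
        chain.append(node)
        seen.add(node)
        node = parent.get(node)
    return chain


def effective_access(space, rows=EXPLICIT_ROWS, parent=PARENT):
    """Map each principal with access to `space` to how it got that access."""
    access = {}
    for grantee, target, priv in rows:
        if target == space:
            access.setdefault(grantee, set()).add(f"explicit:{priv}")
    for owner in owners_of(space, parent):
        access.setdefault(owner, set()).add("implicit:ownership")
    return access


def unlisted_owners(space, rows=EXPLICIT_ROWS, parent=PARENT):
    """Owners with implicit privileges on `space` but no explicit row for it."""
    listed = {g for g, target, _ in rows if target == space}
    return [o for o in owners_of(space, parent) if o not in listed]


if __name__ == "__main__":
    for who, how in sorted(effective_access("Payroll").items()):
        print(f"{who:10} {sorted(how)}")
    print("missed by a rows-only audit:", unlisted_owners("Payroll"))
```

The model records only that an owner has implicit ownership privileges, not which ones, because the page states that the implicit set is not all-inclusive.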
For further information on creating databases, see Database Administration.