Adding %DB resource effect

Creating a new resource by itself does not grant access to anyone. Resources are used when they are assigned in security configuration, such as to roles, and then those roles are granted to users. The examples for role management show resources being added to a role via the role’s Resources property, and access checking is then done against the resource/permission pair. [1][2]

For database access specifically, creating a resource such as %DB_X is not enough on its own. You must also assign that resource to the database by changing the database’s Resource Name; otherwise the database will continue using whatever resource is currently assigned to it. This is shown in the example where %DB_Database1 and %DB_Database2 only worked as intended after they were assigned to the corresponding databases. [3]

So if you add %DB_X and do nothing else, there should be no immediate access effect from that alone. It only becomes relevant when:

1. the database is configured to use %DB_X, and/or
2. roles are granted permissions such as :R on %DB_X, and
3. users obtain those roles. [3][2]

If your goal is a read-only role, the examples show that database read access is expressed by assigning :R on the database resource in the role, for example %DB_USER:R. [2][4]

Sources: