SYSADM

Regardless of the SEPARATE_SECURITY setting, an authorization ID or role with the SYSADM authority can perform the following actions. If SEPARATE_SECURITY is set to NO, it can also grant other IDs the required privileges to perform the same actions.

• Use all the privileges of DBADM over any database
• Use EXECUTE privileges on all packages
• Use EXECUTE privileges on all routines
• Use USAGE privilege on distinct types, JARs, and sequences
• Use BIND on any plan and COPY on any package
• Use privileges over views that are owned by others
• Create and drop synonyms and views for other IDs on any table
• Drop database DSNDB07

An authorization ID or role with the SYSADM authority can also perform the following actions but cannot grant other IDs the privileges to perform them:

• Drop or alter any Db2 object, except system databases
• Issue a COMMENT ON statement for any table, view, index, column, package, plan
• Issue a LABEL ON statement for any table or view
• Terminate any utility job
• Create roles and trusted contexts (if SEPARATE_SECURITY is set to NO)
• Set the current SQL ID to any valid value (if SEPARATE_SECURITY is set to NO)
• Use any valid value for OWNER in BIND or REBIND (if SEPARATE_SECURITY is set to NO)

Although an authorization ID or role with the SYSADM authority cannot grant the preceding privileges explicitly, it can accomplish this goal by granting to other IDs the SYSADM authority.

Regardless of the SEPARATE_SECURITY setting, an authorization ID or role with the SYSADM authority can revoke any privileges that were granted by itself. When SEPARATE_SECURITY is set to NO, the same ID or role can also revoke privileges that were granted by others. However, when SEPARATE_SECURITY is set to YES, the same ID or role cannot revoke privileges that were granted by others.