Db2 for z/OS database privileges

Last updated on 2025-03-13 12:15
Set database privileges to determine the authority that you must have to create or access your data store tables for Db2 for z/OS® databases.

When you create database schemas using the typical installation or database scripts that are generated using the BPMConfig command-line utility, your user ID must have the authority to create tables. When the tables are created, you must have the authority to select, insert, update, and delete information in the tables.

The following table describes the database privileges that are needed to access the data stores.
Table 1. Database privileges
Minimum privileges that are required to create objects in the database:
  • The user ID needs CREATETAB authority on the database and CREATETS to create the table space.
  • The user ID also needs CREATEIN and DROPIN privileges on the schema.
  • To create storage groups for the database, the user ID needs CREATESG, CREATEDBA, and CREATEDBC system privileges.
  • The user ID also needs ALTER, DELETE, INDEX, INSERT, REFERENCES, SELECT, and UPDATE privileges on the created tables.
Minimum privileges that are required to access objects in the database:
  • The user ID needs SELECT, INSERT, UPDATE, and DELETE privileges on the tables.
  • The user ID also needs EXECUTE ON PROCEDURE on stored procedures.

The following table describes more detailed DB2® for z/OS database privileges for IBM® Business Automation Workflow components. The installation privileges are the privileges that are required to install and configure the product. The runtime privileges are the database privileges that are required to run the product.
Table 2. Detailed DB2 for z/OS database privileges
Columns: Component, Installation and upgrade privileges, Runtime privileges

Common DB
Installation and upgrade privileges: CREATE TABLE, CREATE INDEXTYPE, ALTER TABLE, INSERT, CREATE SEQUENCE, CREATE USER, ALTER USER, CREATE TABLESPACE
Runtime privileges: SELECT, UPDATE, DELETE, INSERT, CREATE VIEW, CREATE PROCEDURE

The runtime user must have USAGE ON SEQUENCE privileges on all sequences in the createSchema_*.sql script for the common DB.

Business Process Choreographer
Installation and upgrade privileges: CREATE TABLE, ALTER TABLE, CREATE VIEW, CREATE TABLESPACE, CREATE USER, CREATE PROCEDURE
Runtime privileges: SELECT, UPDATE, DELETE, INSERT

Messaging Engines
Installation and upgrade privileges: CREATE TABLE, CREATE INDEXTYPE
Runtime privileges: SELECT, UPDATE, DELETE, INSERT, DROP ANY TABLE
Note: Messaging Engines use the TRUNCATE TABLE SQL statement, which might require the DROP ANY TABLE privilege. See Database privileges.

Process Server or Performance Data Warehouse
Installation and upgrade privileges:
Required to create the database:
  • CREATESG
  • CREATEDBA
  • CREATEDBC
Required to populate the database with our schemas and stored procedures:
  • CREATETS
  • CREATETAB
  • CREATEIN
  • DROPIN
Additional required privileges on the created tables:
  • ALTER
  • DELETE
  • INDEX
  • INSERT
  • REFERENCES
  • SELECT
  • UPDATE
Runtime privileges:
Required privileges on the tables in the Process and Performance Data Warehouse databases:
  • DELETE
  • INSERT
  • REFERENCES
  • SELECT
  • UPDATE

The runtime user must have EXECUTE ON PROCEDURE privileges on the six stored procedures in the createProcedure_ProcessServer.sql script.

The runtime user requires all of the listed privileges on the Performance Tracking Server database as well. In addition, the user also must be able to create new tables in the Performance Tracking database, requiring the CREATETS and CREATETAB privileges.

To read the system metadata tables, the SELECT permission is required on sysibm.systables, sysibm.sysviews, sysibm.syscolumns, sysibm.syschecks, sysibm.sysrels, sysibm.systabconst, sysibm.systablespace, and sysibm.sysdummy1.

Content
CREATE TABLE, CREATE INDEXTYPE, ALTER TABLE, INSERT, CREATE SEQUENCE, CREATE USER, ALTER USER, CREATE TABLESPACE
  • SYSADM
  • DBADM ON DATABASE
  • USE OF BUFFERPOOL BP32k
  • USE OF STOGROUP DB0FUSR
  • SELECT ON SYSIBM.SYSVERSIONS
  • SELECT ON SYSIBM.DATATYPES
  • SELECT ON SYSIBM.SYSDUMMY1
  • SELECT ON SYSIBM.SYSDATABASE
BPM document store  
  • SYSADM
  • DBADM ON DATABASE
  • USE OF BUFFERPOOL BP32k
  • USE OF STOGROUP DB0FUSR
  • SELECT ON SYSIBM.SYSVERSIONS
  • SELECT ON SYSIBM.DATATYPES
  • SELECT ON SYSIBM.SYSDUMMY1
  • SELECT ON SYSIBM.SYSDATABASE

These permissions for DB2 z/OS are required if you configured support for BPM document store on DB2 z/OS remotely.

When you configure your database for the BPM document store, a database capability that is named EmbeddedECM is used. The privileges listed for the BPM content store are required for the database in the property file containing the EmbeddedECM capability.
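
The following SQL is an added example, not part of the IBM documentation or the generated product scripts. It shows how the split in Table 1 between an ID that creates objects and an ID that only accesses them can be granted, and then checked in the Db2 catalog table SYSIBM.SYSTABAUTH. The authorization IDs BAWINST and BAWRUN, the database BAWDB, the schema BAWSCH, and the SAMPLE_* object names are constructed placeholders.

```sql
-- Added example. All IDs and object names below are constructed placeholders:
--   BAWINST = installation/upgrade ID, BAWRUN = runtime ID,
--   BAWDB = database, BAWSCH = schema, SAMPLE_* = objects from the scripts.

-- Installation ID: system privileges to create storage groups and the database.
GRANT CREATESG, CREATEDBA, CREATEDBC TO BAWINST;

-- Installation ID: create table spaces and tables, create and drop in the schema.
GRANT CREATETS, CREATETAB ON DATABASE BAWDB TO BAWINST;
GRANT CREATEIN, DROPIN ON SCHEMA BAWSCH TO BAWINST;

-- Runtime ID: data access only. Repeat for each table, stored procedure,
-- and sequence that the generated scripts create.
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE BAWSCH.SAMPLE_TABLE TO BAWRUN;
GRANT EXECUTE ON PROCEDURE BAWSCH.SAMPLE_PROC TO BAWRUN;
GRANT USAGE ON SEQUENCE BAWSCH.SAMPLE_SEQ TO BAWRUN;

-- Runtime ID: read access to the system metadata tables named on this page.
GRANT SELECT ON TABLE SYSIBM.SYSTABLES, SYSIBM.SYSVIEWS, SYSIBM.SYSCOLUMNS,
                      SYSIBM.SYSCHECKS, SYSIBM.SYSRELS, SYSIBM.SYSTABCONST,
                      SYSIBM.SYSTABLESPACE, SYSIBM.SYSDUMMY1
  TO BAWRUN;

-- Audit: tables in the schema where the runtime ID holds ALTER or INDEX
-- (listed on this page only for object creation), or holds a data privilege
-- with the grant option. In SYSTABAUTH a blank means the privilege is not
-- held, 'Y' means held, and 'G' means held with the grant option.
SELECT TCREATOR, TTNAME,
       ALTERAUTH, INDEXAUTH,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE  = 'BAWRUN'
   AND TCREATOR = 'BAWSCH'
   AND (   ALTERAUTH <> ' '
        OR INDEXAUTH <> ' '
        OR 'G' IN (SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH))
 ORDER BY TCREATOR, TTNAME;
```

An empty result from the audit query means the runtime ID holds no ALTER or INDEX privilege and no grant option on tables in the schema.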