Administrative authorities

Within Db2, privileges are grouped into administrative authorities, and each administrative authority is vested with a specific set of privileges.

Begin general-use programming interface information.

The following table lists all of the Db2 for z/OS® administrative authorities and the grantable privileges that each of them has.

Table 1. Administrative authorities and grantable privileges
Authority	Included authorities	Additional grantable privileges
ACCESSCTRL	None	Privileges on all catalog tables: SELECT Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): DELETE INSERT UPDATE Privileges on security: GRANT REVOKE
DATAACCESS	None	System privileges: DEBUGSESSION Privileges on all user tables, views, and MQTs: DELETE INSERT SELECT UPDATE Privileges on all plans, packages, and routines: EXECUTE Privileges on all user databases: LOAD RECOVERDB REORG REPAIR Privileges on all JARs: USAGE Privileges on all sequences: USAGE Privileges on all distinct types: USAGE Privileges on all catalog tables: SELECT Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): DELETE INSERT UPDATE
DBADM	DBCTRL, DBMAINT	Privileges on tables in a database: ALTER DELETE INDEX INSERT REFERENCES SELECT TRIGGER UPDATE
DBCTRL	DBMAINT	Privileges on a database: DROP LOAD RECOVERDB REORG REPAIR
DBMAINT	None	Privileges on a database: CREATETAB CREATETS DISPLAYDB IMAGCOPY STATS STARTDB STOPDB
Installation SYSADM	SYSADM, SYSCTRL, DBADM, Installation SYSOPR, SYSOPR, PACKADM, DBCTRL, DBMAINT, SECADM, System DBADM, SQLADM, ACCESSCTRL, DATAACCESS	Privileges on security: GRANT REVOKE
Installation SYSOPR	SYSOPR	System privileges: ARCHIVE STARTDB (cannot alter access mode)
PACKADM	None	Privileges on a collection: CREATEIN Privileges on all packages in a collection: BIND COPY EXECUTE
SECADM	ACCESSCTRL	Privileges on all catalog tables: SELECT Privileges on all updatable catalog tables: DELETE INSERT UPDATE Privileges on security: GRANT REVOKE Privileges on security-related objects: ALTER CREATE DROP
SQLADM	None	System privileges: EXPLAIN MONITOR1 MONITOR2 Privileges on system-defined packages and routines: EXECUTE Privileges on all catalog tables: SELECT Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): DELETE INSERT UPDATE Privileges on all user databases: STATS
SYSADM	SYSCTRL, DBADM, Installation SYSOPR (except accessing Db2 when the subsystem is started with ACCESS(MAINT)), SYSOPR, PACKADM, DBCTRL, DBMAINT, SECADM, System DBADM, SQLADM, ACCESSCTRL, DATAACCESS	Privileges on all plans: EXECUTE Privileges on all routines: EXECUTE Privileges on all packages: All privileges Privileges on distinct types: USAGE Privileges on sequences: USAGE System privileges: DEBUGSESSION EXPLAIN privilege
SYSCTRL	Installation SYSOPR (except accessing Db2 when the subsystem is started with ACCESS(MAINT)), SYSOPR, DBCTRL, DBMAINT, ACCESSCTRL (except the ability to grant certain authorities, such as DBADM, SYSADM, PACKADM, and certain privileges, such as DELETE, INSERT, SELECT, and UPDATE on user tables or views, EXECUTE on plans, packages, functions, or stored procedures, PACKADM on collections, and USAGE on distinct types, JARs, and sequences)	System privileges: BINDADD BINDAGENT BSDS CREATEALIAS CREATEDBA CREATEDBC CREATESG CREATETMTAB MONITOR1 MONITOR2 STOSPACE Privileges on all tables: ALTER INDEX REFERENCES TRIGGER Privileges on all catalog tables: SELECT Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): DELETE INSERT UPDATE Privileges on all plans: BIND Privileges on all packages: BIND COPY Privileges on all collections: CREATEIN Privileges on all schemas: ALTERIN CREATEIN DROPIN Privileges on use: BUFFERPOOLS STOGROUP TABLESPACE
SYSOPR	None	Privileges: DISPLAY RECOVER STOPALL TRACE Privileges on routines: DISPLAY START STOP
System DBADM	SQLADM	System privileges: BINDADD BINDAGENT CREATEALIAS CREATEDBA CREATEDBC CREATETMTAB DISPLAY EXPLAIN MONITOR1 MONITOR2 SQLADM STOPALL TRACE Privileges on all collections: CREATEIN Privileges on all user databases: CREATETAB CREATETS DISPLAYDB DROP IMAGCOPY RECOVERDB STARTDB STATS STOPDB Privileges on all user tables (except for those defined with row permissions or column masks): ALTER INDEX REFERENCES TRIGGER Privileges on all packages: BIND COPY Privileges on all plans: BIND
System DBADM (continued)	SQLADM	Privileges on system-defined packages and routines: EXECUTE Privileges on all schemas: ALTERIN CREATEIN DROPIN Privileges on all sequences: ALTER Privileges on all distinct types: USAGE Privileges on use: TABLESPACE Privileges on all catalog tables: SELECT Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): DELETE INSERT UPDATE

End general-use programming interface information.