Administrative authorities in Db2 for z/OS

Each administrative authority in Db2 for z/OS is vested with a specific set of privileges.

Begin general-use programming interface information.

The following table lists the Db2 for z/OS administrative authorities and the grantable privileges that each of them has.

Table 1. Administrative authorities and their grantable privileges
Authority Included authorities Additional grantable privileges
Installation SYSADM SYSADM, SYSCTRL, Installation SYSOPR, SYSOPR, SECADM, ACCESSCTRL,System DBADM, DATAACCESS, DBADM, DBCTRL, DBMAINT, PACKADM Privileges on security:
GRANT  REVOKE
SYSADM Start of changeSYSCTRL, Installation SYSOPR (except for accessing Db2 when the subsystem is started with ACCESS(MAINT), or issuing the ACTIVATE command or running the CATMAINT utility), SYSOPR, SECADM Start of change1, 2End of change, ACCESSCTRL, System DBADM, DATAACCESS, SQLADM, DBADM, DBCTRL, DBMAINT, PACKADMEnd of change Privileges on all plans:
EXECUTE
Privileges on all routines:
EXECUTE
Privileges on all packages:
All privileges
Privileges on distinct types:
USAGE
Privileges on sequences:
USAGE
System privileges:
DEBUGSESSION
EXPLAIN privilege
SYSCTRL Start of changeInstallation SYSOPR (except for accessing Db2 when the subsystem is started with ACCESS(MAINT), or issuing the ACTIVATE command or running the CATMAINT utility), SYSOPR, ACCESSCTRL (except the ability to grant certain authorities, such as SYSADM, DBADM, PACKADM, and certain privileges, such as DELETE, INSERT, SELECT, and UPDATE on user tables or views, EXECUTE on plans, packages, functions, or stored procedures, PACKADM on collections, and USAGE on distinct types, JARs, and sequences) DBCTRL, DBMAINT, End of change System privileges:
BINDADD  BINDAGENT  BSDS    
CREATEALIAS  CREATEDBA  CREATEDBC
CREATESG  CREATETMTAB  MONITOR1
MONITOR2  STOSPACE
Privileges on all tables:
ALTER  INDEX  REFERENCES  TRIGGER
Privileges on all catalog tables:
SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):
DELETE  INSERT  UPDATE
Privileges on all plans:
BIND
Privileges on all packages:
BIND  COPY
Privileges on all collections:
CREATEIN
Privileges on all schemas:
ALTERIN  CREATEIN  DROPIN
Privileges on use:
BUFFERPOOLS  STOGROUP  TABLESPACE
Installation SYSOPR SYSOPR System privileges:
Start of changeARCHIVE  BINDAGENT
STARTDB (cannot alter access mode)End of change
Start of changePrivileges on system-defined packages and routines:End of change
Start of changeEXECUTEEnd of change
Start of changePrivileges on all catalog tables:End of change
Start of changeSELECTEnd of change
Start of changePrivileges on updatable catalog tables (except SYSAUDITPOLICIES):End of change
Start of changeDELETE  INSERT  UPDATEEnd of change
SYSOPR None Privileges:
DISPLAY  RECOVER  STOPALL  TRACE
Privileges on routines:
DISPLAY  START  STOP
System DBADM SQLADM
System privileges:
BINDADD  BINDAGENT  CREATEALIAS
CREATEDBA  CREATEDBC  CREATETMTAB
DISPLAY  EXPLAIN  MONITOR1
MONITOR2  SQLADM  STOPALL
TRACE
Privileges on all collections:
CREATEIN
Privileges on all user databases:
CREATETAB  CREATETS  DISPLAYDB
DROP  IMAGCOPY  RECOVERDB
STARTDB  Start of changeSTATSEnd of change STOPDB
Privileges on all user tables (except for those defined with row permissions or column masks):
ALTER  INDEX  REFERENCES  TRIGGER
Privileges on all packages:
BIND  COPY
Privileges on all plans:
BIND
Privileges on system-defined packages and routines:
EXECUTE
Privileges on all schemas:
ALTERIN  CREATEIN  DROPIN
Privileges on all sequences:
ALTER
Privileges on all distinct types:
USAGE
Privileges on use:
TABLESPACE
Privileges on all catalog tables:
SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):
DELETE  INSERT  UPDATE
SECADM ACCESSCTRL Privileges on all catalog tables:
SELECT
Privileges on all updatable catalog tables:
DELETE  INSERT  UPDATE
Privileges on security:
GRANT  REVOKE
Privileges on security-related objects:
ALTER  CREATE  DROP
ACCESSCTRL None Privileges on all catalog tables:
SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):
DELETE  INSERT  UPDATE
Privileges on security:
GRANT  REVOKE
DATAACCESS None System privileges:
DEBUGSESSION
Privileges on all user tables, views, and MQTs:
DELETE  INSERT  SELECT  UPDATE
Privileges on all plans, packages, and routines:
EXECUTE
Privileges on all user databases:
LOAD  RECOVERDB  REORG  REPAIR
Privileges on all JARs:
USAGE
Privileges on all sequences:
USAGE
Privileges on all distinct types:
USAGE
Privileges on all catalog tables:
SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):
DELETE  INSERT  UPDATE
SQLADM None System privileges:
EXPLAIN  MONITOR1  MONITOR2
Privileges on system-defined packages and routines:
EXECUTE
Privileges on all catalog tables:
SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):
DELETE  INSERT  UPDATE
Start of changePrivileges on all user databases:End of change
Start of changeSTATSEnd of change
DBADM DBCTRL, DBMAINT Privileges on tables in a database:
ALTER  DELETE  INDEX  INSERT
REFERENCES  SELECT  TRIGGER  UPDATE
Privileges on views:
DROP
DBCTRL DBMAINT Privileges on a database:
DROP  LOAD  RECOVERDB
REORG  REPAIR
DBMAINT None Privileges on a database:
CREATETAB  CREATETS  DISPLAYDB  IMAGCOPY      
STATS  STARTDB  STOPDB
PACKADM None Privileges on a collection:
CREATEIN
Privileges on all packages in a collection:
BIND  COPY  EXECUTE
Note:
  1. Except when the SEPARATE_SECURITY subsystem parameter value is YES. For more information, see SEPARATE SECURITY field (SEPARATE_SECURITY subsystem parameter).
  2. Use of following security capabilities always requires SECADM authority, regardless of the SEPARATE_SECURITY setting.
End general-use programming interface information.