Granting and revoking privileges with the ACCESSCTRL authority

If you separate database administration from system and security administration, a database administrator must have the ACCESSCTRL or SECADM authority to grant or revoke user privileges in a Db2 subsystem.

About this task

The ACCESSCTRL authority allows you to grant and revoke (with the BY clause) privileges on all resources in a Db2 subsystem. However, you cannot use it to grant the CREATE_SECURE_OBJECT privilege or the system DBADM, DATAACCESS, and ACCESSCTRL authorities.

For example, if you are database administrator DB2ADMIN1 and need to grant application developer APPDEV1 load privileges on DBTEMP1, you must first hold the ACCESSCTRL authority yourself.

Procedure

To grant or revoke privileges with the ACCESSCTRL authority:

  1. Obtain the ACCESSCTRL authority from a security administrator.
    The SECADM (an authorization ID or role) can grant you the ACCESSCTRL authority by issuing the following statement:
    GRANT ACCESSCTRL ON SYSTEM TO DB2ADMIN1;

    Db2 inserts a row in SYSIBM.SYSUSERAUTH with the new column ACCESSCTRLAUTH set to 'Y' and the GRANTEE column set to DB2ADMIN1.

    You can specify WITH GRANT OPTION when you issue the GRANT statement, but the option is ignored when the authority is ACCESSCTRL, DBADM, or DATAACCESS.

  2. After obtaining the ACCESSCTRL authority, grant APPDEV1 load privileges on DBTEMP1 by issuing the following GRANT statement:
    GRANT LOAD ON DATABASE DBTEMP1 TO APPDEV1;

    Db2 checks to make sure that you have the required privilege set, including the GRANT privilege that is allowed by the ACCESSCTRL authority. The GRANT statement completes successfully.
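
The following queries are an added example, not part of the original procedure. They show how to confirm both grants in the Db2 catalog and how a different ACCESSCTRL holder can revoke the privilege with the BY clause. DB2ADMIN2 is a hypothetical second administrator, and the SYSIBM.SYSDBAUTH columns used here (NAME, LOADAUTH, AUTHHOWGOT) come from the Db2 for z/OS catalog, not from this page.

```sql
-- Added example. DB2ADMIN1, APPDEV1 and DBTEMP1 are the IDs used in the
-- procedure above; DB2ADMIN2 is a hypothetical second administrator.

-- 1. Audit who holds ACCESSCTRL and which ID granted it.
--    After step 1 of the procedure, DB2ADMIN1 appears with ACCESSCTRLAUTH = 'Y'.
--    Because WITH GRANT OPTION is ignored for this authority, 'Y' is the
--    only granted value to look for.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, ACCESSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE ACCESSCTRLAUTH = 'Y'
 ORDER BY GRANTEE;

-- 2. Confirm the LOAD grant from step 2 of the procedure.
--    LOADAUTH is blank when the privilege is not held. AUTHHOWGOT records
--    the authority the grantor used to make the grant, which lets a review
--    separate grants made under ACCESSCTRL from those made under others.
SELECT GRANTEE, GRANTOR, NAME, LOADAUTH, AUTHHOWGOT
  FROM SYSIBM.SYSDBAUTH
 WHERE NAME = 'DBTEMP1'
   AND LOADAUTH <> ' '
 ORDER BY GRANTEE, GRANTOR;

-- 3. Revoke the privilege as a different ACCESSCTRL holder (issued by the
--    hypothetical DB2ADMIN2). The BY clause names the original grantor, so
--    the grant made by DB2ADMIN1 is removed even though DB2ADMIN2 did not
--    issue it.
REVOKE LOAD ON DATABASE DBTEMP1 FROM APPDEV1 BY DB2ADMIN1;

-- 4. Verify the revoke: this returns no rows when APPDEV1 no longer holds
--    LOAD on DBTEMP1 through the grant made by DB2ADMIN1.
SELECT GRANTEE, GRANTOR, NAME, LOADAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE NAME = 'DBTEMP1'
   AND GRANTEE = 'APPDEV1'
   AND GRANTOR = 'DB2ADMIN1'
   AND LOADAUTH <> ' ';
```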