Installation SYSOPR administrative authority

No IDs can revoke the installation SYSOPR authority; you can remove it only by changing the module that contains the subsystem initialization parameters (typically DSNZPARM).

In addition, the installation SYSOPR authority is not recorded in the Db2 catalog. Therefore, the catalog does not need to be available to check the installation SYSOPR authority.

IDs with the installation SYSOPR authority can perform the following actions:

• Access Db2 when the subsystem is started with ACCESS(MAINT).
• Access all catalog tables and tables in the system databases.
• Have the BINDAGENT privilege to specify the owner of a package, free a package, and bind or free a plan.
• Issue the -ACTIVATE command to activate new capabilities in Db2.
• Issue dynamic SQL statements that are not controlled by the Db2 resource limit facility.
• Issue the START DATABASE command to recover objects that have LPL entries or group buffer pool RECOVERY-pending status. These IDs cannot change the access mode.
• Run all allowable utilities on the directory and catalog databases (DSNDB01 and DSNDB06).
• Run the CATMAINT utility to install or migrate to Db2.
• Run the REPAIR utility with the DBD statement.
• Start and stop the database that contains the application registration table (ART) and the object registration table (ORT).
• Set the SQL ID field to SYSINSTL, regardless of the SEPARATE SECURITY setting.

The following tables summarizes any included authorities, and privileges held and grantable to others, by the installation SYSOPR administrative authority.

Table 1. Included authorities and grantable privileges for installation SYSOPR authority

Included authorities	SYSOPR
Additional grantable privileges	System privileges: ARCHIVE  BINDAGENT STARTDB (cannot alter access mode) Privileges on system-defined packages and routines: EXECUTE Privileges on all catalog tables: SELECT Privileges on updatable catalog tables (except SYSAUDITPOLICIES): DELETE  INSERT  UPDATE