Protecting Db2 administrative authorities
The RACF access control module supports the Db2 concept of administrative authorities.
About this task
Db2 administrative authorities often include privileges that are not explicit, have no name, and cannot be specifically granted. For example, the ability to terminate any utility job is included in the SYSOPR authority.
During authorization checking, if a user is not permitted access to the object through the object's resource profile, subsequent checks are made to determine whether the user has been permitted access to system resources through their administrative authorities. These checks are made using profiles in the Db2 administrative authority class DSNADM. Db2 includes the SQLADM administrative authority in the MDSNSM and GDSNSM classes.
The administrative authorities that apply to a particular invocation of the RACF access control module depend on the input object type (XAPLTYPE) and the privilege being checked (XAPLPRIV).
Like the names used to protect Db2 objects, the general resource class and profile names used to protect Db2 administrative authorities depend on the options specified with the assembler SET symbols.