Ways to control access to Db2 objects through explicit privileges and authorities
You can control access to Db2 user data by granting, not granting, or revoking explicit privileges and authorities.
An explicit privilege is a named privilege that is granted with the GRANT statement or that is revoked with the REVOKE statement. An administrative authority is a set of privileges, often encompassing a related set of objects. Authorities often include privileges that are not explicit, have no name, and cannot be individually granted, such as the ability to terminate any utility job.
Explicit privileges
Explicit privileges provide detailed control. For example, assume that a user needs to select, insert, and update data in a table. To complete these actions, the user needs the SELECT, INSERT, and UPDATE privilege on the table.
Explicit privileges are available for these objects:
- Buffer pools
- Collections
- Databases
- Distinct types
- JARs (a Java™ Archive, which is a file format for aggregating many files into one file)
- Packages
- Plans
- Routines (functions and procedures)
- Schemas
- Sequences
- Storage groups
- Systems
- Tables
- Table spaces
- Views
Administrative authorities
Privileges are grouped into administrative authorities. Those authorities form a hierarchy. Each authority includes a specific group of privileges. The administrative authorities fall into the categories of system, database, and collection authorities. The highest-ranking administrative authority is SYSADM. Each level of authority includes the privileges of all lower-ranking authorities.
The following system authorities are ranked from highest to lowest:
- SYSADM
System administration authority includes all Db2 privileges (except for a few that are reserved for installation), which are all grantable to others.
You can limit the ability of SYSADM to manage access to roles. You can also limit the ability of SYSADM to grant and revoke authorities and privileges.
- SYSCTRL
- System control authority includes most SYSADM privileges, but it excludes the privileges to read or change user data.
- SYSOPR
- System operator authority includes the privileges to issue most Db2 commands and to terminate any utility job.
The following database authorities are ranked from highest to lowest:
- DBADM
- Database administration authority includes the privileges to control a specific database. Users with DBADM authority can access tables and alter or drop table spaces, tables, or indexes in that database.
- DBCTRL
- Database control authority includes the privileges to control a specific database and run utilities that can change data in the database.
- DBMAINT
- Database maintenance authority includes the privileges to work with certain objects and to issue certain utilities and commands in a specific database.
Additional administrative authorities include the following:
- ACCESSCTRL
- Access control authority allows SECADM to delegate the ability to grant and revoke object privileges and most administrative authorities.
- DATAACCESS
- Data access authority controls DBA access to user data in Db2.
- EXPLAIN
- EXPLAIN authority allows a user to issue EXPLAIN, PREPARE, and DESCRIBE statements without requiring the privilege to execute the statement.
- PACKADM
- Package administrator authority gives access to designated collections.
- SECADM
- Security administrator authority allows a user to manage access to a table in Db2, but cannot create, alter or drop a table.
- SQLADM
- SQL administrator authority provides the ability to monitor and tune SQL without any additional privileges.