SECADM administrative authority

The SECADM authority enables you to manage security-related objects in Db2 and control access to all database resources. It does not have any inherent privilege to access data stored in the objects, such as tables.

With the SECADM authority, you can perform the following tasks:

  • Create, alter, drop, and comment on row permissions
  • Create, alter, drop, and comment on column masks
  • Activate and deactivate row access control
  • Activate and deactivate column access control
  • Create, drop, and comment on roles
  • Create, alter, drop, and comment on trusted contexts
  • Create and comment on secure triggers and user-defined functions
  • Alter the SECURED or NOT SECURED clause on triggers and user-defined functions
  • Create audit policies by inserting rows into the SYSIBM.SYSAUDITPOLICIES catalog table
  • Access and update the SYSIBM.SYSAUDITPOLICIES catalog table, which records audit policy definitions
  • Hold implicit SELECT access on all catalog tables and implicit INSERT, DELETE, and UPDATE privileges on updatable catalog tables, when the SQL statements are issued dynamically
  • Grant and revoke all grantable privileges and authorities
  • Issue the SQL statement TRANSFER OWNERSHIP
  • Issue the TRACE command to start, stop, and display a trace
  • Set the values of security parameters

If the SEPARATE_SECURITY system parameter is set to YES, no other authority can grant the ACCESSCTRL, System DBADM, and DATAACCESS authorities or the CREATE_SECURE_OBJECT privilege, not even SYSADM. For example, only SECADM, not SYSADM or DBADM, can activate or deactivate row or column access control for a table.
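The following Db2 for z/OS SQL, added here as an illustration and not taken from the IBM documentation, walks through the SECADM tasks listed above on a constructed payroll schema; the table HR.EMPLOYEE, its columns, the role PAYROLL_ADMIN, the trusted context PAYROLL_CTX, the authorization IDs PAYAPP, ALICE, DBA1 and HRADMIN, and the audit policy name SECPOLICY are all assumed names.

```sql
-- Run under an authorization ID that holds SECADM.
-- All object and authorization-ID names below are constructed for this example.

-- Roles and trusted contexts (a role is assigned only through a trusted context).
CREATE ROLE PAYROLL_ADMIN;
COMMENT ON ROLE PAYROLL_ADMIN IS 'Full view of payroll data for the payroll application';

CREATE TRUSTED CONTEXT PAYROLL_CTX
  BASED UPON CONNECTION USING SYSTEM AUTHID PAYAPP
  ATTRIBUTES (ADDRESS '192.0.2.10', ENCRYPTION 'HIGH')
  DEFAULT ROLE PAYROLL_ADMIN
  ENABLE
  WITH USE FOR ALICE WITH AUTHENTICATION;

-- Row permission: payroll administrators see every row, everyone else only
-- rows for the department they manage.
CREATE PERMISSION HR.EMP_ROW_PERM ON HR.EMPLOYEE
  FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL_ADMIN') = 1
              OR DEPT_MGR = SESSION_USER
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: anyone outside the payroll role sees only the last four SSN digits.
CREATE MASK HR.EMP_SSN_MASK ON HR.EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL_ADMIN') = 1 THEN SSN
         ELSE 'XXX-XX-' || SUBSTR(SSN, 8, 4)
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table;
-- with SEPARATE_SECURITY=YES only SECADM can issue these ALTERs.
ALTER TABLE HR.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE HR.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- Least-privilege administrative grants: the DBA gets object management
-- without data access or grant authority; grant authority stays with the role.
GRANT DBADM WITHOUT DATAACCESS WITHOUT ACCESSCTRL ON SYSTEM TO DBA1;
GRANT ACCESSCTRL ON SYSTEM TO ROLE PAYROLL_ADMIN;

-- Move ownership of the table to a named administrator, dropping the
-- previous owner's implicit privileges.
TRANSFER OWNERSHIP OF TABLE HR.EMPLOYEE TO USER HRADMIN REVOKE PRIVILEGES;

-- Audit policy: record all security-maintenance events (SECMAINT category),
-- then start it with the command  -START TRACE(AUDIT) DEST(GTF) AUDTPLCY(SECPOLICY)
INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, SECMAINT)
  VALUES ('SECPOLICY', 'A');
```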

The following table summarizes the included authorities, and the privileges held and grantable to others, by the SECADM administrative authority.

Table 1. Included authorities and grantable privileges for SECADM authority

Included authorities:
  ACCESSCTRL

Additional grantable privileges:
  Privileges on all catalog tables:            SELECT
  Privileges on all updatable catalog tables:  DELETE, INSERT, UPDATE
  Privileges on security:                      GRANT, REVOKE
  Privileges on security-related objects:      ALTER, CREATE, DROP
