Privileges required for common job roles and tasks

The labels of the administrative authorities often suggest the job roles and responsibilities of the users who are empowered with the authorities.

Begin general-use programming interface information. For example, you might expect a system administrator to have the SYSADM authority. However, some organizations do not divide job responsibilities in the same way. The following table lists some of common job roles, the tasks that usually accompany them, and the Db2 authorities or privileges that are needed to perform those tasks.

Table 1. Required privileges for common jobs and tasks
Job title	Tasks	Required privileges
System installation operator	Install or migrate Db2	Installation SYSOPR authority Installation SYSADM authority
System operator	Issues commands to: Start and stop Db2 Control traces Display databases and threads Recover indoubt threads Start, stop, and display routines	SYSOPR authority
System administrator	Performs emergency backup, with access to all data.	SYSADM authority
Security administrator	Authorizes other users, for some or all levels below.	SYSCTRL authority (if SEPARATE_SECURITY is set to NO) SECADM authority ACCESSCTRL authority
Database administrator	Designs, creates, loads, reorganizes, and monitors databases, tables, and other objects in the database.	DBADM authority on a database. The DBADM authority on DSNDB04 allows you access to objects in all implicitly created databases. Use of storage groups and buffer pools
Database administrator	Designs and creates databases, tables, and other objects Administers all databases in the subsystem	System DBADM authority
Database administrator	Manages data and executes plans and packages in a Db2 subsystem	DATAACCESS authority
Database administrator	Manages access to data in a Db2 subsystem	ACCESSCTRL authority
System programmer	Installs a Db2 subsystem. Recovers the Db2 catalog. Repairs data.	Installation SYSADM, which is assigned when Db2 is installed. (Consider securing the password for an ID with this authority so that the authority is available only when needed.)
Application programmer	Develops and tests Db2 application programs. Creates tables of test data.	BIND on existing plans or packages, or BINDADD CREATE IN on some collections Privileges on some objects CREATETAB on some database, with a default table space provided CREATETAB on DSNDB04. It enables you to create tables in DSNDB04 and all implicitly created databases Privileges on some objects with the SQLADM authority
Production binder	Binds, rebinds, and frees application packages and plans	A ROLE, secondary ID, or RACF® group of which the binder has BINDADD, CREATE IN on collections privileges required by application packages and plans
Package administrator	Manages collections and the packages in them, and delegates the responsibilities.	PACKADM authority
User analyst	Defines the data requirements for an application program, by examining the Db2 catalog.	SELECT on the SYSTABLES, SYSCOLUMNS, and SYSVIEWS catalog tables CREATETMTAB system privilege to create temporary tables
Program user	Executes an application program.	EXECUTE for the application plan
Information center consultant	Defines the data requirements for a query user. Provides the data by creating tables and views, loading tables, and granting access.	DBADM authority over some databases SELECT on the SYSTABLES, SYSCOLUMNS, and SYSVIEWS catalog tables
Query user	Issues SQL statements to retrieve, add, or change data. Saves results as tables or in global temporary tables.	EXPLAIN privilege on some tables and views SELECT, INSERT, UPDATE, DELETE on some tables and views CREATETAB, to create tables in other than the default database CREATETAB, to create tables in the implicitly created database CREATETMTAB system privilege to create temporary tables SELECT on SYSTABLES, SYSCOLUMNS, or views thereof. QMF provides the views.

End general-use programming interface information.