Managing administrative authorities

Db2 provides a range of auditable administrative authorities that help you control access to sensitive business data. The granularity and flexibility in Db2 administrative authority help you achieve adequate separation of duties and responsibilities and prevent a single user from possessing unlimited privileges.

Depending on the setting of the SEPARATE_SECURITY subsystem parameter, you can separate Db2 security administration, database administration, and data access control from system administration. You can set the parameter by using the SEPARATE SECURITY field on panel DSNTIPP1 during installation or migration. The SEPARATE_SECURITY subsystem parameter does not apply to or affect users with installation SYSADM authority.

If you set SEPARATE_SECURITY to YES, the SYSADM authority can no longer manage security-related objects (such as roles, trusted contexts, row permissions, and column masks) or have the ability to grant or revoke privileges that are granted by others. The SYSCTRL authority can no longer manage roles or grant or revoke privileges that are granted by others, either. Instead, the SECADM authority will manage all security-related objects. The SECADM and ACCESSCTRL authorities control access to all databases even though they cannot access any user data in the databases.

In addition, the SYSADM authority can only set CURRENT SQLID to its primary or one of its secondary authorization IDs. The SYSADM, SYSCTRL, and system DBADM authorities can only set BIND OWNER to the primary or one of the secondary authorization IDs of the binder. Finally, the SYSADM authority will not have implicit insert, update, delete access to the SYSIBM.SYSAUDITPOLICIES table.

If you set SEPARATE_SECURITY to NO (which is the default), the SYSADM authority retains all the existing privileges and responsibilities and gets implicit privileges of the SECADM authority. In other words, the SYSADM authority continues to be the security administrator and manage all security-related objects, perform grants, and revoke privileges that are granted by others. In addition, it gets implicit insert, update, delete access on the SYSIBM. SYSAUDITPOLICIES table and is able to set CURRENT SQLID and BIND OWNER to any value.

Setting SEPARATE_SECURITY to NO also allows the SYSCTRL authority to get most of the implicit privileges of the ACCESSCTRL authority. SYSCTRL can manage roles, perform certain grants, revoke privileges that are granted by others, and set BIND OWNER to any value.

The installation SYSADM authority is not affected by the setting of the SEPARATE_SECURITY parameter. Installation SYSADM can manage security-related objects, grant and revoke authorities or privileges, and set CURRENT SQLID and BIND OWNER to any value regardless of the setting of the SEPARATE_SECURITY parameter.