Data access administration authority (DATAACCESS)
DATAACCESS is the authority that allows access to data within a specific database.
DATAACCESS authority can be granted only by the security administrator (who holds SECADM authority). It can be granted to a user, a group, or a role. PUBLIC cannot obtain the DATAACCESS authority either directly or indirectly.
For all tables, views, materialized query tables, and nicknames it gives these authorities and privileges:
- LOAD authority on the database
- SELECT privilege (including system catalog tables and views)
- INSERT privilege
- UPDATE privilege
- DELETE privilege
In addition, DATAACCESS authority provides the following privileges:
- EXECUTE on all packages
Note: With the release of the Db2 220.127.116.11 security special build 41268, the DATAACCESS authority cannot execute the SYSIBMADM.UTL_DIR module unless the DB2_ALTERNATE_AUTHZ_BEHAVIOUR registry variable is set to UTL_DIR_DATAACCESS.
- EXECUTE on all routines (except audit routines, the SET_MAINT_MODE_RECORD_NO_TEMPORALHISTORY procedure, and the encryption related routines ADMIN_ROTATE_MASTER_KEY and ADMIN_GET_ENCRYPTION_INFO)
- EXECUTE on all modules
- READ on all global variables and WRITE on all global variables except variables which are read-only
- USAGE on all XSR objects
- USAGE on all sequences