Access control administration authority (ACCESSCTRL)
ACCESSCTRL authority is the authority required to grant and revoke privileges on objects within a specific database. ACCESSCTRL authority has no inherent privilege to access data stored in tables, except the catalog tables and views.
ACCESSCTRL authority can only be granted by the security administrator
(who holds SECADM authority). It can be granted to a user, a group,
or a role. PUBLIC cannot obtain the ACCESSCTRL authority either directly
or indirectly. ACCESSCTRL authority gives a user the ability to perform
the following operations:
- Grant and revoke the following administrative authorities:
  - EXPLAIN
  - SQLADM
  - WLMADM
- Grant and revoke the following database authorities:
  - BINDADD
  - CONNECT
  - CREATETAB
  - IMPLICIT_SCHEMA
  - LOAD
  - QUIESCE_CONNECT
  Note: In Db2® 11.5.7 and later, to grant CREATE_EXTERNAL_ROUTINE authority, SYSADM authority is needed. If the DB2_ALTERNATE_AUTHZ_BEHAVIOUR registry variable is set and contains the value EXTERNAL_ROUTINE_DBAUTH, then SYSADM, SECADM, or ACCESSCTRL authority is needed. Also, in Db2 11.5.7 and later, to grant CREATE_NOT_FENCED_ROUTINE authority, SYSADM authority is needed. If the DB2_ALTERNATE_AUTHZ_BEHAVIOUR registry variable is set and contains the value NOT_FENCED_ROUTINE_DBAUTH, then SYSADM, SECADM, or ACCESSCTRL authority is needed.
- Grant and revoke all privileges on the following objects, regardless of who granted the privilege:
  - Global Variable
  - Index
  - Nickname
  - Package
  - Routine (except audit routines)
  - Schema
  - Sequence
  - Server
  - Table
  - Table Space
  - View
  - XSR Objects
- SELECT privilege on the system catalog tables and views
This authority is a subset of security administrator (SECADM) authority.
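The following is an added example, not part of the original documentation: it shows a security administrator granting ACCESSCTRL through a role and then reviewing who holds the authority, directly or through role membership. The role name GRANT_ADMIN and the user ALICE are assumed names chosen for illustration.

```sql
-- Added example. GRANT_ADMIN and ALICE are assumed names.
-- Run as a user holding SECADM: only SECADM can grant ACCESSCTRL.
CREATE ROLE GRANT_ADMIN;
GRANT ACCESSCTRL ON DATABASE TO ROLE GRANT_ADMIN;
GRANT ROLE GRANT_ADMIN TO USER ALICE;

-- 1. Direct holders of ACCESSCTRL (users, groups, roles).
--    PUBLIC cannot obtain the authority, so a PUBLIC row here
--    would be unexpected and worth investigating.
SELECT GRANTEE, GRANTEETYPE, GRANTOR, GRANTORTYPE
  FROM SYSCAT.DBAUTH
 WHERE ACCESSCTRLAUTH = 'Y'
 ORDER BY GRANTEETYPE, GRANTEE;

-- 2. Indirect holders: members of any role that holds ACCESSCTRL.
--    This covers one level of role membership; a role granted to
--    another role appears with GRANTEETYPE = 'R' and needs a
--    further lookup.
SELECT R.ROLENAME, R.GRANTEE, R.GRANTEETYPE, R.ADMIN
  FROM SYSCAT.ROLEAUTH R
  JOIN SYSCAT.DBAUTH D
    ON D.GRANTEE = R.ROLENAME
   AND D.GRANTEETYPE = 'R'
 WHERE D.ACCESSCTRLAUTH = 'Y'
 ORDER BY R.ROLENAME, R.GRANTEE;

-- 3. Per-user check: how ALICE holds ACCESSCTRL, if at all.
--    D_USER/D_GROUP show direct grants to the user or a group;
--    ROLE_USER/ROLE_GROUP show grants reached through roles.
SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC,
       ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE
  FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID('ALICE', 'U')) AS T
 WHERE AUTHORITY = 'ACCESSCTRL';

-- 4. Removing the authority again, also a SECADM operation.
REVOKE ACCESSCTRL ON DATABASE FROM ROLE GRANT_ADMIN;
```

Because ACCESSCTRL allows granting and revoking privileges regardless of who granted them, the result sets of queries 1 and 2 are the ones to review periodically.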