Default privileges granted on creating a database

When you create a database, default database level authorities and default object level privileges are granted to you within that database.

The authorities and privileges that you are granted are listed according to the system catalog views where they are recorded:

  1. SYSCAT.DBAUTH
    • The database creator is granted the following authorities:
      • ACCESSCTRL
      • DATAACCESS
      • DBADM
      • SECADM
  2. SYSCAT.TABAUTH
    In a non-restrictive database, the special group PUBLIC is granted the following privileges:
    • SELECT on all SYSCAT and SYSIBM tables
    • SELECT and UPDATE on all SYSSTAT tables
    • SELECT on the following views in schema SYSIBMADM:
      • ALL_*
      • USER_*
      • ROLE_*
      • SESSION_*
      • DICTIONARY
      • TAB
  3. SYSCAT.ROUTINEAUTH
    In a non-restrictive database, the special group PUBLIC is granted the following privileges:
    • EXECUTE with GRANT on all procedures in schema SQLJ
    • EXECUTE with GRANT on all functions and procedures in schema SYSFUN
    • EXECUTE with GRANT on most functions and procedures in schema SYSPROC, for a list of exceptions see Default PUBLIC privilege for built-in routines
    • EXECUTE on all table functions in schema SYSIBM
    • EXECUTE on all other procedures in schema SYSIBM
  4. SYSCAT.MODULEAUTH
    In a non-restrictive database, the special group PUBLIC is granted the following privileges:
    • EXECUTE on the following modules in schema SYSIBMADM:
      • DBMS_DDL
      • DBMS_JOB
      • DBMS_LOB
      • DBMS_OUTPUT
      • DBMS_SQL
      • DBMS_STANDARD
      • DBMS_UTILITY
  5. SYSCAT.PACKAGEAUTH
    • The database creator is granted the following privileges:
      • CONTROL on all packages created in the NULLID schema
      • BIND with GRANT on all packages created in the NULLID schema
      • EXECUTE with GRANT on all packages created in the NULLID schema
    • In a non-restrictive database, the special group PUBLIC is granted the following privileges:
      • BIND on all packages created in the NULLID schema
      • EXECUTE on all packages created in the NULLID schema
  6. SYSCAT.WORKLOADAUTH

    In a non-restrictive database, the special group PUBLIC is granted the USAGE privilege on SYSDEFAULTUSERWORKLOAD.

  7. SYSCAT.VARIABLEAUTH
    In a non-restrictive database, the special group PUBLIC is granted the READ privilege on schema global variables in the SYSIBM schema, execpt for the following variables:
    • SYSIBM.CLIENT_ORIGUSERID
    • SYSIBM.CLIENT_USRSECTOKEN

A non-restrictive database is a database created without the RESTRICTIVE option on the CREATE DATABASE command.