![Start of change](KC_ROOT/images/ddita/delta.gif)
SECADM
The SECADM authority enables you to manage security-related objects in DB2® and control access to all database resources. It does not have any inherent privilege to access data stored in the objects, such as tables.
![Begin general-use programming interface information.](../cmn/../art/gupi_opn.gif)
- Create, alter, drop, and comment on row permissions
- Create, alter, drop, and comment on column masks
- Activate and deactivate row access control
- Activate and deactivate column access control
- Create, drop, and comment on roles
- Create, alter, drop, and comment on trusted contexts
- Create and comment on secure triggers and user-defined functions
- Alter the SECURED or NOT SECURED clause on triggers and user-defined functions
- Create audit policies by inserting rows into the SYSIBM.SYSAUDITPOLICIES catalog table
- Access and update the SYSIBM.SYSAUDITPOLICIES catalog table which records audit policy definitions
- Has implicit SELECT access on all catalog tables and implicit INSERT, DELETE, and UPDATE privileges on updatable catalog tables
- Grant and revoke all grantable privileges and authorities
- Issue the TRACE command to start, stop, and display a trace
If the SEPARATE_SECURITY system parameter is set to YES, no other authority can grant the ACCESSCTRL, System DBADM, and DATAACCESS authorities or the CREATE_SECURE_OBJECT privilege, not even SYSADM. For example, only SECADM, not SYSADM or DBADM, can activate or deactivate row or column access control for a table.
![End general-use programming interface information.](../cmn/../art/gupi_cls.gif)
![End of change](KC_ROOT/images/ddita/deltaend.gif)