SYSCTRL

The SYSCTRL authority is designed for administering a system that contains sensitive data. With the SYSCTRL authority, you have nearly complete control of the DB2® subsystem. However, you cannot access user data directly unless you are explicitly granted the privileges to do so.

Begin general-use programming interface information.
Regardless of the SEPARATE_SECURITY setting, an authorization ID or role with the SYSCTRL authority can perform the following actions:

  • Act as installation SYSOPR (when the catalog is available) or DBCTRL over any database
  • Run any allowable utility on any database
  • Issue a COMMENT ON, LABEL ON, or LOCK TABLE statement for any table
  • Create a view on any catalog table for itself or for other IDs
  • Create tables and aliases for itself or for other IDs
  • Bind a new plan or package and name any ID as the owner of the plan or package
  • Create roles (only if SEPARATE_SECURITY is set to NO)
  • Use any valid value for OWNER in BIND or REBIND (only if SEPARATE_SECURITY is set to NO)
  • Have implicit ACCESSCTRL authority to grant most privileges (only if SEPARATE_SECURITY is set to NO)

However, you cannot perform the following actions without the required additional privileges:

  • Execute SQL statements that change data in any user tables or views
  • Run plans or packages
  • Set the current SQL ID to a value that is not one of its primary or secondary IDs
  • Start or stop the database that contains the application registration table (ART) and the object registration table (ORT)
  • Act fully as SYSADM or as DBADM over any database
  • Access DB2 when the subsystem is started with ACCESS(MAINT)

The SYSCTRL authority is intended to separate system control functions from administrative functions. However, SYSCTRL is not a complete solution for a high-security system. If any plans have their EXECUTE privilege granted to PUBLIC, an ID or role with the SYSCTRL authority can grant itself the SYSADM authority. The only control over such actions is to audit the activity of IDs with high levels of authority.

End general-use programming interface information.
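
The audit described above can start from the authorization catalog tables. The following queries are an added example, not part of the original IBM text; they assume the standard DB2 for z/OS catalog tables SYSIBM.SYSUSERAUTH and SYSIBM.SYSPLANAUTH and SELECT access to them.

```sql
-- Added example: review the two conditions named in the SYSCTRL topic.
-- Assumption: standard DB2 for z/OS catalog layout; run from an ID
-- that has SELECT on the SYSIBM catalog tables.

-- 1. Authorization IDs and roles that hold SYSCTRL.
--    SYSCTRLAUTH: 'Y' = held, 'G' = held with the GRANT option.
--    GRANTEETYPE: blank = authorization ID, 'L' = role.
--    SYSADMAUTH is shown so that IDs already holding SYSADM stand out.
SELECT GRANTEE,
       GRANTEETYPE,
       GRANTOR,
       SYSCTRLAUTH,
       SYSADMAUTH,
       GRANTEDTS
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSCTRLAUTH IN ('Y', 'G')
 ORDER BY GRANTEE;

-- 2. Plans whose EXECUTE privilege is granted to PUBLIC.
--    Each row is a plan that any ID, including the SYSCTRL holders
--    listed by query 1, can run without a further grant.
SELECT NAME AS PLAN_NAME,
       GRANTOR,
       EXECUTEAUTH,
       GRANTEDTS
  FROM SYSIBM.SYSPLANAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND EXECUTEAUTH IN ('Y', 'G')
 ORDER BY NAME;
```

If query 2 returns rows, review whether each plan needs EXECUTE granted to PUBLIC, and keep the IDs returned by query 1 within the scope of activity auditing.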