Administrative authorities in Db2 for z/OS
Each administrative authority in Db2 for z/OS is vested with a specific set of privileges.
The following table lists the Db2 for z/OS administrative authorities and the grantable privileges that each of them has.
Authority | Included authorities | Additional grantable privileges |
---|---|---|
Installation SYSADM | SYSADM, SYSCTRL, Installation SYSOPR, SYSOPR, SECADM, ACCESSCTRL,System DBADM, DATAACCESS, DBADM, DBCTRL, DBMAINT, PACKADM | Privileges on security: GRANT REVOKE
|
SYSADM | SYSCTRL, Installation SYSOPR (except for accessing Db2 when the subsystem is started with ACCESS(MAINT), or issuing the ACTIVATE command or running the CATMAINT utility), SYSOPR, SECADM 1, 2, ACCESSCTRL, System DBADM, DATAACCESS, SQLADM, DBADM, DBCTRL, DBMAINT, PACKADM | Privileges on all plans: EXECUTE
Privileges on all routines:EXECUTE
Privileges on all packages:All privileges
Privileges on distinct types:USAGE
Privileges on sequences:USAGE
System privileges:DEBUGSESSION
EXPLAIN privilege |
SYSCTRL | Installation SYSOPR (except for accessing Db2 when the subsystem is started with ACCESS(MAINT), or issuing the ACTIVATE command or running the CATMAINT utility), SYSOPR, ACCESSCTRL (except the ability to grant certain authorities, such as SYSADM, DBADM, PACKADM, and certain privileges, such as DELETE, INSERT, SELECT, and UPDATE on user tables or views, EXECUTE on plans, packages, functions, or stored procedures, PACKADM on collections, and USAGE on distinct types, JARs, and sequences) DBCTRL, DBMAINT, | System privileges: BINDADD BINDAGENT BSDS
Privileges on all tables:CREATEALIAS CREATEDBA CREATEDBC CREATESG CREATETMTAB MONITOR1 MONITOR2 STOSPACE ALTER INDEX REFERENCES TRIGGER
Privileges on all catalog tables:SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):DELETE INSERT UPDATE
Privileges on all plans:BIND
Privileges on all packages:BIND COPY
Privileges on all collections:CREATEIN
Privileges on all schemas:ALTERIN CREATEIN DROPIN
Privileges on use:BUFFERPOOLS STOGROUP TABLESPACE
|
Installation SYSOPR | SYSOPR | System privileges: ARCHIVE BINDAGENT
Privileges on system-defined packages and routines:STARTDB (cannot alter access mode) EXECUTE
Privileges on all catalog tables:SELECT
Privileges on updatable catalog tables (except SYSAUDITPOLICIES):DELETE INSERT UPDATE
|
SYSOPR | None | Privileges: DISPLAY RECOVER STOPALL TRACE
Privileges on routines:DISPLAY START STOP
|
System DBADM | SQLADM |
System privileges:
BINDADD BINDAGENT CREATEALIAS
Privileges on all collections:CREATEDBA CREATEDBC CREATETMTAB DISPLAY EXPLAIN MONITOR1 MONITOR2 SQLADM STOPALL TRACE CREATEIN
Privileges on all user databases:CREATETAB CREATETS DISPLAYDB
Privileges on all user tables (except for those defined with row permissions or column masks):DROP IMAGCOPY RECOVERDB STARTDB STATS STOPDB ALTER INDEX REFERENCES TRIGGER
Privileges on all packages:BIND COPY
Privileges on all plans:BIND
Privileges on system-defined packages and routines:
EXECUTE
Privileges on all schemas:ALTERIN CREATEIN DROPIN
Privileges on all sequences:ALTER
Privileges on all distinct types:USAGE
Privileges on use:TABLESPACE
Privileges on all catalog tables:SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):DELETE INSERT UPDATE
|
SECADM | ACCESSCTRL | Privileges on all catalog tables: SELECT
Privileges on all updatable catalog tables:DELETE INSERT UPDATE
Privileges on security:GRANT REVOKE
Privileges on security-related objects:ALTER CREATE DROP
|
ACCESSCTRL | None | Privileges on all catalog tables: SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):DELETE INSERT UPDATE
Privileges on security:GRANT REVOKE
|
DATAACCESS | None | System privileges: DEBUGSESSION
Privileges on all user tables, views, and MQTs:DELETE INSERT SELECT UPDATE
Privileges on all plans, packages, and routines:EXECUTE
Privileges on all user databases:LOAD RECOVERDB REORG REPAIR
Privileges on all JARs:USAGE
Privileges on all sequences:USAGE
Privileges on all distinct types:USAGE
Privileges on all catalog tables:SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):DELETE INSERT UPDATE
|
SQLADM | None | System privileges: EXPLAIN MONITOR1 MONITOR2
Privileges on system-defined packages and routines:EXECUTE
Privileges on all catalog tables:SELECT
Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES):DELETE INSERT UPDATE
Privileges on all user databases:STATS
|
DBADM | DBCTRL, DBMAINT | Privileges on tables in a database: ALTER DELETE INDEX INSERT
Privileges on views:REFERENCES SELECT TRIGGER UPDATE DROP
|
DBCTRL | DBMAINT | Privileges on a database: DROP LOAD RECOVERDB
REORG REPAIR |
DBMAINT | None | Privileges on a database: CREATETAB CREATETS DISPLAYDB IMAGCOPY
STATS STARTDB STOPDB |
PACKADM | None | Privileges on a collection: CREATEIN
Privileges on all packages in a collection:BIND COPY EXECUTE
|
Note: