Explicit system privileges
You can explicitly grant privileges on systems.
Db2 supports the following system privileges:
System privilege | Operations allowed on the system |
---|---|
ARCHIVE | The ARCHIVE LOG command, to archive the current active log, the DISPLAY ARCHIVE command, to give information about input archive logs, the SET LOG command, to modify the checkpoint frequency specified during installation, and the SET ARCHIVE command, to control allocation and deallocation of tape units for archive processing. |
BINDADD | The BIND subcommand with the ADD option, to create new plans and packages |
BINDAGENT | The BIND, REBIND, and FREE subcommands, and the DROP PACKAGE statement, to bind, rebind, or free a plan or package, or copy a package, on behalf of the grantor. The BINDAGENT privilege is intended for separation of function, not for added security. A bind agent with the EXECUTE privilege might be able to gain all the authority of the grantor of BINDAGENT. |
BSDS | The RECOVER BSDS command, to recover the bootstrap data set |
CREATEALIAS | The CREATE ALIAS statement, to create an alias for a table or view name |
CREATEDBA | The CREATE DATABASE statement, to create a database and have DBADM authority over it |
CREATEDBC | The CREATE DATABASE statement, to create a database and have DBCTRL authority over it |
CREATESG | The CREATE STOGROUP statement, to create a storage group |
CREATE_SECURE_OBJECT | The CREATE and ALTER statements, to create secure objects, such as a secure trigger or a user-defined function. If a trigger is defined for tables that are enforced with row or column access control, it must be secure. If a user-defined function is referenced in the definition of a row permission or column mask, it must be secure. In addition, if a user-defined function is invoked in a query and its arguments reference columns with column masks, the user-defined function must be secure. |
CREATETMTAB | The CREATE GLOBAL TEMPORARY TABLE statement, to define a created temporary table |
DEBUGSESSION | The DEBUGINFO connection attribute, to control debug session activity for SQL stored procedures, non-inline SQL functions, and Java™ stored procedures |
DISPLAY | The DISPLAY ARCHIVE, DISPLAY BUFFERPOOL, DISPLAY DATABASE, DISPLAY LOCATION, DISPLAY LOG, DISPLAY THREAD, and DISPLAY TRACE commands, to display system information |
EXPLAIN | An authorization ID or role with any of the following authority or privilege can grant the EXPLAIN privilege: |
MONITOR1 | Receive trace data that is not potentially sensitive |
MONITOR2 | Receive all trace data |
RECOVER | The RECOVER INDOUBT command, to recover threads |
STOPALL | The STOP DB2 command, to stop Db2 |
STOSPACE | The STOSPACE utility, to obtain data about space usage |
TRACE | The START TRACE, STOP TRACE, and MODIFY TRACE commands, to control tracing |