System DBADM

The system DBADM authority allows an administrator, an authorization ID or a role, to manage databases across a Db2 subsystem, while having no access to the data in the databases. In other words, the system DBADM authority enables you to create, alter, and drop Db2 objects and issue commands for a Db2 subsystem, but does not give you the authority to access the data or the ability to grant or revoke privileges.

Begin general-use programming interface information.With the system DBADM authority, you can issue SQL statements to perform the following tasks:

  • Create and drop aliases, auxiliary tables, and distinct types
  • Create, alter, and drop databases, tables, global temporary tables, table spaces, and sequences
  • Create triggers, functions, indexes, procedures, and views with additional required privileges
  • Comment on all but security-related objects (i.e., roles, trusted contexts)
  • Issue other SQL statements, such as the EXPLAIN, LABEL, PREPARE, and RENAME statements

You can also issue Db2 commands to perform the following tasks:

  • Display status, configuration, and resource information
  • Start and stop procedures and profiles
  • Start, stop, and access databases
  • Start, stop, and modify traces
  • Bind, rebind, and free packages and plans
  • Set the OWNER in BIND or REBIND to any ID (if SEPARATE_SECURITY is set to NO)
  • Alter and terminate the execution of Db2 utility job steps
  • Recover threads that are left in an indoubt state or complete backout processing for units of recovery that are left incomplete during an earlier restart

With the system DBADM authority, you can also run certain Db2 utilities. The utilities include CHECK INDEX, CHECK LOB, COPY, COPYTOCOPY, DIAGNOSE, MODIFY RECOVERY, MODIFY STATISTICS, QUIESCE, REBUILD INDEX, RECOVER, REPORT, and RUNSTATS. In addition, you have implicit SELECT access on all catalog tables and implicit INSERT, DELETE, and UPDATE privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES).

The system DBADM authority allows you to execute system-defined routines (recorded in the SYSIBM.SYSROUTINES catalog table), including stored procedures or functions, and any packages executed within the routines. It also allows you to drop non-security objects without requiring the ownership or other privileges to drop.

Only an authorization ID or a role with the SECADM authority can grant or revoke the system DBADM authority. By default, the system DBADM has all the privileges of the DATAACCESS and ACCESSCTRL authorities. If you do not want a user (an authorization ID or role) with the system DBADM authority to grant any explicit privileges, you can specify the WITHOUT ACCESSCTRL clause in the GRANT statement when you grant the authority. If you do not want a user with the system DBADM authority to access any user data in the databases, you can specify the WITHOUT DATAACCESS clause in the GRANT statement when you grant the authority. If necessary, you can still grant explicit privileges (i.e., SELECT) to the system DBADM user to access data or perform grants.End general-use programming interface information.