Security administration authority (SECADM)

SECADM authority is the security administration authority for a specific database. This authority allows you to create and manage security-related database objects and to grant and revoke all database authorities and privileges. Additionally, the security administrator can execute, and manage who else can execute, the audit system routines.

Note: In Db2 11.1.4.7 and later, the SYSADM authority is needed to grant the CREATE_EXTERNAL_ROUTINE database authority. If the DB2_ALTERNATE_AUTHZ_BEHAVIOUR registry variable is set and contains the value EXTERNAL_ROUTINE_DBAUTH, then SYSADM, SECADM, or ACCESSCTRL authority is needed. The SYSADM authority is also needed to grant the CREATE_NOT_FENCED_ROUTINE database authority. If the DB2_ALTERNATE_AUTHZ_BEHAVIOUR registry variable is set and contains the value NOT_FENCED_ROUTINE_DBAUTH, then SYSADM, SECADM, or ACCESSCTRL authority is needed.

SECADM authority has the ability to SELECT from the catalog tables and catalog views, but cannot access data stored in user tables.

SECADM authority can be granted only by the security administrator (who holds SECADM authority) and can be granted to a user, a group, or a role. PUBLIC cannot obtain the SECADM authority directly or indirectly.

The database must have at least one authorization ID of type USER with the SECADM authority. The SECADM authority cannot be revoked from every authorization ID of type USER.

SECADM authority gives a user the ability to perform the following operations:
  • Create, alter, comment on, and drop:
    • Audit policies
    • Security label components
    • Security policies
    • Trusted contexts
  • Create, comment on, and drop:
    • Roles
    • Security labels
  • Grant and revoke database privileges and authorities
  • Execute the following audit routines to perform the specified tasks:
    • The SYSPROC.AUDIT_ARCHIVE stored procedure and table function archive audit logs.
    • The SYSPROC.AUDIT_LIST_LOGS table function allows you to locate logs of interest.
    • The SYSPROC.AUDIT_DELIM_EXTRACT stored procedure extracts data into delimited files for analysis.

    Also, the security administrator can grant and revoke EXECUTE privilege on these routines, therefore enabling the security administrator to delegate these tasks, if required. Only the security administrator can grant EXECUTE privilege on these routines. EXECUTE privilege WITH GRANT OPTION cannot be granted for these routines (SQLSTATE 42501).

  • Change the settings of the encrlib and encropts database configuration parameters.
  • Execute the following security routines to perform the specified tasks:
    • The SYSPROC.ADMIN_ROTATE_MASTER_KEY stored procedure to rotate the master key for an encrypted database.
    • The SYSPROC.ADMIN_GET_ENCRYPTION_INFO table function to return the encryption information about the database.
  • Use of the AUDIT statement to associate an audit policy with a particular database or database object at the server
  • Use of the TRANSFER OWNERSHIP statement to transfer objects not owned by the authorization ID of the statement
No other authority gives these abilities.

Only the security administrator has the ability to grant other users, groups, or roles the ACCESSCTRL, DATAACCESS, DBADM, and SECADM authorities.

In Version 9.7, the Db2® authorization model has been updated to clearly separate the duties of the system administrator, the database administrator, and the security administrator. As part of this enhancement, the abilities given by the SECADM authority have been extended. In releases before Version 9.7, SECADM authority did not provide the ability to grant and revoke all privileges and authorities. Also, SECADM authority could be granted only to a user, not to a role or a group. Additionally, SECADM authority did not provide the ability to grant EXECUTE privilege to other users on the audit built-in procedures and table function.