Explicit system privileges

You can explicitly grant privileges on systems.

Begin general-use programming interface information.

Db2 supports the following system privileges:

Table 1. Explicit system privileges
System privilege Operations allowed on the system
ARCHIVE The ARCHIVE LOG command, to archive the current active log, the DISPLAY ARCHIVE command, to give information about input archive logs, the SET LOG command, to modify the checkpoint frequency specified during installation, and the SET ARCHIVE command, to control allocation and deallocation of tape units for archive processing.
BINDADD The BIND subcommand with the ADD option, to create new plans and packages
BINDAGENT The BIND, REBIND, and FREE subcommands, and the DROP PACKAGE statement, to bind, rebind, or free a plan or package, or copy a package, on behalf of the grantor. The BINDAGENT privilege is intended for separation of function, not for added security. A bind agent with the EXECUTE privilege might be able to gain all the authority of the grantor of BINDAGENT.
BSDS The RECOVER BSDS command, to recover the bootstrap data set
CREATEALIAS The CREATE ALIAS statement, to create an alias for a table or view name
CREATEDBA The CREATE DATABASE statement, to create a database and have DBADM authority over it
CREATEDBC The CREATE DATABASE statement, to create a database and have DBCTRL authority over it
CREATESG The CREATE STOGROUP statement, to create a storage group
CREATE_SECURE_OBJECT The CREATE and ALTER statements, to create secure objects, such as a secure trigger or a user-defined function. If a trigger is defined for tables that are enforced with row or column access control, it must be secure. If a user-defined function is referenced in the definition of a row permission or column mask, it must be secure. In addition, if a user-defined function is invoked in a query and its arguments reference columns with column masks, the user-defined function must be secure.
CREATETMTAB The CREATE GLOBAL TEMPORARY TABLE statement, to define a created temporary table
DEBUGSESSION The DEBUGINFO connection attribute, to control debug session activity for SQL stored procedures, non-inline SQL functions, and Java™ stored procedures
DISPLAY The DISPLAY ARCHIVE, DISPLAY BUFFERPOOL, DISPLAY DATABASE, DISPLAY LOCATION, DISPLAY LOG, DISPLAY THREAD, and DISPLAY TRACE commands, to display system information
EXPLAIN
  • The SQL EXPLAIN PLAN and EXPLAIN ALL statements, to issue the statements without requiring additional privileges
  • The SQL PREPARE and DESCRIBE TABLE statements, to prepare and describe the statements without requiring additional privileges on the object
  • The BIND command, to allow users to specify the EXPLAIN(ONLY) and SQLERROR(CHECK) options without creating a plan or package
  • Dynamic SQL statements that have the special register CURRENT EXPLAIN MODE set to EXPLAIN, to allow the capture of information about the statements, without executing them

An authorization ID or role with any of the following authority or privilege can grant the EXPLAIN privilege:

  • The SECADM authority
  • The ACCESSCTRL authority
  • The SYSADM authority if the SEPARATE SECURITY system parameter is set to NO at the installation
  • The EXPLAIN privilege with the WITH GRANT OPTION.
MONITOR1 Receive trace data that is not potentially sensitive
MONITOR2 Receive all trace data
RECOVER The RECOVER INDOUBT command, to recover threads
STOPALL The STOP DB2 command, to stop Db2
STOSPACE The STOSPACE utility, to obtain data about space usage
TRACE The START TRACE, STOP TRACE, and MODIFY TRACE commands, to control tracing
End general-use programming interface information.