SECADM
The SECADM authority enables you to manage security-related objects in Db2 and control access to all database resources. It does not have any inherent privilege to access data stored in the objects, such as tables.
With
the SECADM authority, you can perform the following tasks:
- Create, alter, drop, and comment on row permissions
- Create, alter, drop, and comment on column masks
- Activate and deactivate row access control
- Activate and deactivate column access control
- Create, drop, and comment on roles
- Create, alter, drop, and comment on trusted contexts
- Create and comment on secure triggers and user-defined functions
- Alter the SECURED or NOT SECURED clause on triggers and user-defined functions
- Create audit policies by inserting rows into the SYSIBM.SYSAUDITPOLICIES catalog table
- Access and update the SYSIBM.SYSAUDITPOLICIES catalog table which records audit policy definitions
- Has implicit SELECT access on all catalog tables and implicit INSERT, DELETE, and UPDATE privileges on updatable catalog tables, when the SQL statements are issued dynamically
- Grant and revoke all grantable privileges and authorities
Issue the SQL statement TRANSFER OWNERSHIP
- Issue the TRACE command to start, stop, and display a trace
- Set the values of security parameters
If the SEPARATE_SECURITY system parameter is set to YES, no
other authority can grant the ACCESSCTRL, System DBADM, and DATAACCESS
authorities or the CREATE_SECURE_OBJECT privilege, not even SYSADM.
For example, only SECADM, not SYSADM or DBADM, can activate or deactivate
row or column access control for a table.