Administrative authorities

Within DB2®, privileges are grouped into administrative authorities, and each administrative authority is vested with a specific set of privileges.

Begin general-use programming interface information.

Start of change The following table lists all of the DB2 for z/OS® administrative authorities and the grantable privileges that each of them has. End of change

Table 1. Administrative authorities and grantable privileges
Authority	Included authorities	Additional grantable privileges
ACCESSCTRL	None	Privileges on all catalog tables: `SELECT` Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): `DELETE INSERT UPDATE` Privileges on security: `GRANT REVOKE`
DATAACCESS	None	System privileges: `DEBUGSESSION` Privileges on all user tables, views, and MQTs: `DELETE INSERT SELECT UPDATE` Privileges on all plans, packages, and routines: `EXECUTE` Privileges on all user databases: `LOAD RECOVERDB REORG REPAIR` Privileges on all JARs: `USAGE` Privileges on all sequences: `USAGE` Privileges on all distinct types: `USAGE` Privileges on all catalog tables: `SELECT` Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): `DELETE INSERT UPDATE`
DBADM	DBCTRL, DBMAINT	Privileges on tables in a database: `ALTER DELETE INDEX INSERT REFERENCES SELECT TRIGGER UPDATE`
DBCTRL	DBMAINT	Privileges on a database: `DROP LOAD RECOVERDB REORG REPAIR`
DBMAINT	None	Privileges on a database: `CREATETAB CREATETS DISPLAYDB IMAGCOPY STATS STARTDB STOPDB`
Installation SYSADM	SYSADM, SYSCTRL, DBADM, Installation SYSOPR, SYSOPR, PACKADM, DBCTRL, DBMAINT, SECADM, System DBADM, SQLADM, ACCESSCTRL, DATAACCESS	Privileges on security: `GRANT REVOKE`
Installation SYSOPR	SYSOPR	System privileges: `ARCHIVE STARTDB(cannot alter access mode)`
PACKADM	None	Privileges on a collection: `CREATEIN` Privileges on all packages in a collection: `BIND COPY EXECUTE`
SECADM	ACCESSCTRL	Privileges on all catalog tables: `SELECT` Privileges on all updatable catalog tables: `DELETE INSERT UPDATE` Privileges on security: `GRANT REVOKE` Privileges on security-related objects: `ALTER CREATE DROP`
SQLADM	None	System privileges: `EXPLAIN MONITOR1 MONITOR2` Privileges on system-defined packages and routines: `EXECUTE` Privileges on all catalog tables: `SELECT` Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): `DELETE INSERT UPDATE`
SYSADM	SYSCTRL, DBADM, Installation SYSOPR (except accessing DB2 when the subsystem is started with ACCESS(MAINT)), SYSOPR, PACKADM, DBCTRL, DBMAINT, SECADM, System DBADM, SQLADM, ACCESSCTRL, DATAACCESS	Privileges on all plans: `EXECUTE` Privileges on all routines: `EXECUTE` Privileges on all packages: `All privileges` Privileges on distinct types: `USAGE` Privileges on sequences: `USAGE` System privileges: `DEBUGSESSION` EXPLAIN privilege
SYSCTRL	Installation SYSOPR (except accessing DB2 when the subsystem is started with ACCESS(MAINT)), SYSOPR, DBCTRL, DBMAINT, ACCESSCTRL (except the ability to grant certain authorities, such as DBADM, SYSADM, PACKADM, and certain privileges, such as DELETE, INSERT, SELECT, and UPDATE on user tables or views, EXECUTE on plans, packages, functions, or stored procedures, PACKADM on collections, and USAGE on distinct types, JARs, and sequences)	System privileges: `BINDADD BINDAGENT BSDS CREATEALIAS CREATEDBA CREATEDBC CREATESG CREATETMTAB MONITOR1 MONITOR2 STOSPACE` Privileges on all tables: `ALTER INDEX REFERENCES TRIGGER` Privileges on all catalog tables: `SELECT` Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): `DELETE INSERT UPDATE` Privileges on all plans: `BIND` Privileges on all packages: `BIND COPY` Privileges on all collections: `CREATEIN` Privileges on all schemas: `ALTERIN CREATEIN DROPIN` Privileges on use: `BUFFERPOOLS STOGROUP TABLESPACE`
SYSOPR	None	Privileges: `DISPLAY RECOVER STOPALL TRACE` Privileges on routines: `DISPLAY START STOP`
System DBADM	SQLADM	System privileges: `BINDADD BINDAGENT CREATEALIAS CREATEDBA CREATEDBC CREATETMTAB DISPLAY EXPLAIN MONITOR1 MONITOR2 SQLADM STOPALL TRACE` Privileges on all collections: `CREATEIN` Privileges on all user databases: `CREATETAB CREATETS DISPLAYDB DROP IMAGCOPY RECOVERDB STARTDB STOPDB` Privileges on all user tables (except for those defined with row permissions or column masks): `ALTER INDEX REFERENCES TRIGGER` Privileges on all packages: `BIND COPY` Privileges on all plans: `BIND` Privileges on system-defined packages and routines: `EXECUTE` Privileges on all schemas: `ALTERIN CREATEIN DROPIN` Privileges on all sequences: `ALTER` Privileges on all distinct types: `USAGE` Privileges on use: `TABLESPACE` Privileges on all catalog tables: `SELECT` Privileges on updatable catalog tables (except SYSIBM.SYSAUDITPOLICIES): `DELETE INSERT UPDATE`

End general-use programming interface information.

Installation SYSADM
Installation SYSADM authority is assigned to one or two IDs when DB2 is installed; it cannot be assigned to a role. These IDs have all the privileges of the SYSADM authority.
SYSADM
The SYSADM authority includes all the privileges, including system privileges, for creating objects and accessing all data. Depending on the setting of the SEPARATE_SECURITY system parameter, the SYSADM authority can also create security objects and grant and revoke privileges.
SYSCTRL
The SYSCTRL authority is designed for administering a system that contains sensitive data. With the SYSCTRL authority, you have nearly complete control of the DB2 subsystem. However, you cannot access user data directly unless you are explicitly granted the privileges to do so.
Installation SYSOPR
Installation SYSOPR authority is assigned to one or two IDs when DB2 is installed; it cannot be assigned to a role. These IDs have all the privileges of the SYSOPR authority.
SYSOPR
A user with the SYSOPR authority can issue all DB2 commands except ARCHIVE LOG, START DATABASE, STOP DATABASE, and RECOVER BSDS.
DBADM
The DBADM authority includes the DBCTRL privileges over a specific database. A user with the DBADM authority can access any tables in a specific database by using SQL statements.
DBCTRL
The DBCTRL authority includes the DBMAINT privileges on a specific database. A user with the DBCTRL authority can run utilities that can change the data.
DBMAINT
A user with the DBMAINT authority can grant the privileges on a specific database to an ID.
PACKADM
The PACKADM authority has the package privileges on all packages in specific collections and the CREATE IN privilege on these collections.
System DBADM
The system DBADM authority allows an administrator, an authorization ID or a role, to manage databases across a DB2 subsystem, while having no access to the data in the databases. In other words, the system DBADM authority enables you to create, alter, and drop DB2 objects and issue commands for a DB2 subsystem, but does not give you the authority to access the data or the ability to grant or revoke privileges.
SECADM
The SECADM authority enables you to manage security-related objects in DB2 and control access to all database resources. It does not have any inherent privilege to access data stored in the objects, such as tables.
ACCESSCTRL
The ACCESSCTRL authority allows you to grant explicit privileges to authorization IDs or roles by issuing SQL GRANT statements. It enables you to grant privileges on all objects and resources, except the CREATE_SECURE_OBJECT privilege and the system DBADM, DATAACCESS, and ACCESSCTRL authorities.
DATAACCESS
The DATAACCESS authority allows you to access and update data in user tables, views, and materialized query tables in a DB2 subsystem. It also allows you to execute plans, packages, functions, and procedures.
SQLADM
The SQLADM authority allows you to issue the SQL EXPLAIN statements, execute the PROFILE commands, run the RUNSTATS and MODIFY STATISTICS utilities on all user databases, and execute system-defined routines, such as stored procedures or functions, and any packages that are executed within the routines.

Parent topic: Privileges and authorities

Related concepts:

Explicit privileges

Privileges by authorization ID and authority

Related tasks:

Auditing the use of an administrative authority End of change

Related reference:

Implicit privileges through object ownership

Utility authorities for DB2 catalog and directory