authority is granted to an entire DB2 subsystem and allows the management of all objects in DB2 except security. DBADM authority can be granted for only one database and allows management of only the one database for which the privilege has been given.

System DBADM authority can be granted with two additional authorities, WITH ACCESSCTRL and WITH DATAACCESS. Each of these optional authorities adds privileges to system DBADM. For example, by specifying WITH ACCESSCTRL, the system DBADM administrator can run the LOAD, REORG, and UNLOAD utilities and can grant data access on all tables, views, and materialized query tables (MQTs) in the subsystem. With WITH DATAACCESS, the system DBADM administrator has access to all user tables, views, and MQTs, and can also run all plans, packages, functions, and procedures.
8.1.3 Minimum privileges

DB2 10 introduces minimum privileges that an administrator can use to grant users only the privileges that are required to perform specific tasks. Table 8-1 describes these authorities and their tasks.
Table 8-1 Minimum privileges

ACCESSCTRL
► Controls access to user data
► Reads and updates all catalog tables that can be updated, except SYSIBM.SYSAUDITPOLICIES
► Allows SECADM authority to delegate authority for GRANT and REVOKE operations on DB2 objects

EXPLAIN
► Does not allow access to user data
► Allows query tuning activities, such as SQL EXPLAIN PLAN/ALL and DESCRIBE TABLE

SQLADM
► Allows for greater separation of duties (the SAPCL alert router can now be run with SQLADM instead of SYSADM)
► Does not allow access to user data
► Cannot run SQL Data Definition Language (DDL) statements, such as CREATE, ALTER, and DROP
► Is a superset of the EXPLAIN privileges
► Runs the RUNSTATS and MODIFY STATISTICS utilities for any database
► Issues DB2 commands such as START, STOP, and DISPLAY PROFILE
► Runs system-defined routines (stored procedures and functions) and any packages that run within these routines
► Allows query tuning activities (such as SQL EXPLAIN STMTCACHE ALL, STMTID, or STMTTOKEN, and START, STOP, or DISPLAY PROFILE), catalog queries, and RUNSTATS

DATAACCESS
► Allows access to all user tables, views, and MQTs, and execution of all plans, packages, functions, and procedures
Each of these minimum privileges gives users only the authority needed for a specific task. For example, system SQLADM authority can be assigned to SAP performance analysts who are responsible for analyzing query performance in the DB2 subsystem. The EXPLAIN authority is suited to SAP application programmers who need to explain SQL statements and collect metadata about them. Both SQLADM and EXPLAIN provide enough authority for tuning SQL statements without exposing any user data. ACCESSCTRL authority can be granted to database administrators who need to control access to DB2 subsystems.
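The following is an added example, not from the Redbook, that turns the role assignments above (system DBADM for the DBA, SQLADM for performance analysts, EXPLAIN for programmers, ACCESSCTRL for the access administrator) into DB2 10 for z/OS GRANT statements, and adds a catalog query that audits who holds each authority. The authorization IDs SAPDBA, SAPPERF, SAPDEV and SAPSECA are hypothetical, the issuer is assumed to hold SECADM authority (which is needed to grant system DBADM, DATAACCESS and ACCESSCTRL), and the SYSIBM.SYSUSERAUTH column names are those of the DB2 10 catalog and should be checked against your own subsystem.

```sql
-- Added example (not from the Redbook): least-privilege grants for the roles
-- described in the text, plus an audit query over the catalog.
-- Assumptions: SAPDBA, SAPPERF, SAPDEV and SAPSECA are hypothetical IDs and
-- the issuing ID holds SECADM authority.

-- 1. The DBA manages all objects but may neither read application data nor
--    hand out access: explicitly opt out of both optional authorities.
--    (The default for GRANT DBADM ON SYSTEM is WITH ACCESSCTRL WITH DATAACCESS.)
GRANT DBADM WITHOUT ACCESSCTRL WITHOUT DATAACCESS ON SYSTEM TO SAPDBA;

-- 2. Performance analysts tune SQL (EXPLAIN STMTCACHE, RUNSTATS, DISPLAY
--    PROFILE) with no data access and no DDL.
GRANT SQLADM ON SYSTEM TO SAPPERF;

-- 3. Application programmers only need to EXPLAIN their statements.
GRANT EXPLAIN ON SYSTEM TO SAPDEV;

-- 4. A separate ID performs GRANT/REVOKE on object privileges. It gets
--    ACCESSCTRL only, so it cannot itself read the data it protects.
GRANT ACCESSCTRL ON SYSTEM TO SAPSECA;

-- Periodic check: list every ID holding a DB2 10 administrative authority and
-- flag any system DBADM grant that also carries DATAACCESS or ACCESSCTRL,
-- which undoes the separation set up above.
-- Column values: 'Y' = granted, 'G' = granted WITH GRANT OPTION, blank = not
-- granted (DB2 10 SYSIBM.SYSUSERAUTH; verify against your catalog).
SELECT GRANTEE,
       SECADMAUTH, SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH,
       SQLADMAUTH, EXPLAINAUTH,
       CASE WHEN SDBADMAUTH IN ('Y','G') AND DATAACCESSAUTH IN ('Y','G')
            THEN 'REVIEW: system DBADM can read all user data'
            WHEN SDBADMAUTH IN ('Y','G') AND ACCESSCTRLAUTH IN ('Y','G')
            THEN 'REVIEW: system DBADM can grant access to all user data'
            ELSE ''
       END AS FINDING
  FROM SYSIBM.SYSUSERAUTH
 WHERE SECADMAUTH     IN ('Y','G')
    OR SDBADMAUTH     IN ('Y','G')
    OR DATAACCESSAUTH IN ('Y','G')
    OR ACCESSCTRLAUTH IN ('Y','G')
    OR SQLADMAUTH     IN ('Y','G')
    OR EXPLAINAUTH    IN ('Y','G')
 ORDER BY GRANTEE;
```

Run the audit query from a scheduled job and review every non-empty FINDING: a system DBADM ID that also holds DATAACCESS has the same reach over application data as SYSADM, which is exactly what the minimum privileges in Table 8-1 are meant to avoid.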
116 Running SAP Solutions with IBM DB2 10 for z/OS on the IBM zEnterprise System