DB2utor

January 31, 2012

Fix Removes Implicit DBADM Privileges

Given the concerns over security compliance, IBM has steadily removed implicit authorities over the past few years. This direction of course extends to implicit authorities given to DBAs.

With that in mind, note the release of IBM APAR PM26977.

Database administration authority (DBADM) currently has these implicit privileges:

  • System privilege STOPALL.
  • USE privilege on system resources BUFFERPOOL and STOGROUP.
  • System commands: STOP DB2, START/STOP/MODIFY DDF, START/STOP RLIMIT, CANCEL THREAD/DDF THREAD and RESET GENERICLU.

APAR PM26977 removes these implicit system privileges from DBADM. Once the fix is applied to DB2 10, these privileges must be granted explicitly (e.g., to allow a DBA with DBADM authority to STOP DB2).
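
Before applying the fix, it helps to know which DBADM holders rely on the implicit privileges. The following catalog query and grants are an added example, not taken from the APAR text: the authorization ID DBA01 is a placeholder, and BP0 and SYSDEFLT (the DB2 default buffer pool and storage group) stand in for your own object names.

```sql
-- Added example: list every authorization ID holding DBADM and count the
-- explicit grants it already has for the privileges named above.
-- A count of 0 means the ID depended on the implicit privilege and needs
-- an explicit GRANT once the fix is applied.
SELECT D.GRANTEE,
       D.NAME AS DBNAME,
       -- explicit STOPALL system privilege
       (SELECT COUNT(*)
          FROM SYSIBM.SYSUSERAUTH U
         WHERE U.GRANTEE = D.GRANTEE
           AND U.STOPALLAUTH <> ' ')            AS STOPALL_GRANTS,
       -- explicit USE on buffer pools (OBTYPE 'B'), including grants to PUBLIC
       (SELECT COUNT(*)
          FROM SYSIBM.SYSRESAUTH R
         WHERE R.GRANTEE IN (D.GRANTEE, 'PUBLIC')
           AND R.OBTYPE = 'B'
           AND R.USEAUTH <> ' ')                AS BUFFERPOOL_USE_GRANTS,
       -- explicit USE on storage groups (OBTYPE 'S'), including grants to PUBLIC
       (SELECT COUNT(*)
          FROM SYSIBM.SYSRESAUTH R
         WHERE R.GRANTEE IN (D.GRANTEE, 'PUBLIC')
           AND R.OBTYPE = 'S'
           AND R.USEAUTH <> ' ')                AS STOGROUP_USE_GRANTS
  FROM SYSIBM.SYSDBAUTH D
 WHERE D.DBADMAUTH <> ' '          -- 'Y' = held, 'G' = held WITH GRANT OPTION
 ORDER BY D.GRANTEE, D.NAME;

-- Explicit grants for one DBA who should keep these abilities.
-- DBA01, BP0 and SYSDEFLT are sample names (assumptions).
GRANT STOPALL TO DBA01;                    -- lets DBA01 issue STOP DB2
GRANT USE OF BUFFERPOOL BP0 TO DBA01;
GRANT USE OF STOGROUP SYSDEFLT TO DBA01;
```

Grant only to the IDs that actually need each privilege; a DBADM holder with no operational reason to stop the subsystem is better left without STOPALL.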