SEPARATE SECURITY field (SEPARATE_SECURITY subsystem parameter)

The SEPARATE_SECURITY subsystem parameter specifies whether Db2 security administrator duties are to be separated from system administrator duties for this subsystem.

Acceptable values: NO, YES
Default: NO
Update: option 39 on panel DSNTIPB
DSNZPxxx: DSN6SPRM SEPARATE_SECURITY
Security parameter: Yes
NO

Overlaps many existing Db2 security administrator duties and system administrator duties. If you are migrating and want SYSADM and SYSCTRL authorities to remain unchanged, use this setting.

When SEPARATE_SECURITY is set to NO, users with SYSADM authority can manage most security objects, perform grants, and revoke privileges that are granted by others, and users with SYSCTRL authority can manage roles, perform most grants, and revoke privileges that are granted by others.

However, the following newer security capabilities always require explicit SECADM authority, even if SEPARATE_SECURITY is set to NO:

YES
Separates Db2 security administrator duties from system administrator duties. Users with SYSADM authority cannot manage security objects (such as roles and trusted contexts), perform grants, or revoke privileges granted by others. Users with SYSCTRL authority cannot manage roles, perform grants, or revoke privileges granted by others. However, existing grants made by users with SYSADM or SYSCTRL authority are unchanged. SECADM or ACCESSCTRL authority is required for security administration. The SEPARATE_SECURITY subsystem parameter does not apply to or affect users with installation SYSADM authority.

Before setting SEPARATE SECURITY to YES, set at least one SECADM subsystem parameter to an authorization ID, or create the necessary trusted contexts and roles. If you specify YES, system administrator authority can no longer be used to perform security tasks, and the SECADM authority is required to manage security objects such as trusted contexts and roles. If both SECADM system parameters are set to roles and those roles have not been created, no one will have the authority to manage security objects.
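The lockout precondition above can be checked before the switch is made. The following is an added example, not IBM code: it assumes the companion DSN6SPRM parameters SECADM1/SECADM1_TYPE and SECADM2/SECADM2_TYPE (type AUTHID or ROLE) and a list of role names read from the catalog (for instance SYSIBM.SYSROLES); all sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecadmParms:
    separate_security: str  # "NO" or "YES"
    secadm1: str            # authorization ID or role name (assumed DSN6SPRM names)
    secadm1_type: str       # "AUTHID" or "ROLE"
    secadm2: str
    secadm2_type: str


def _slot_is_usable(name, kind, existing_roles):
    """AUTHID slots count when non-blank; ROLE slots only when the role exists."""
    name = name.strip().upper()
    if not name:
        return False
    if kind.strip().upper() == "AUTHID":
        return True
    return name in {r.strip().upper() for r in existing_roles}


def lockout_findings(parms, existing_roles):
    """List the problems that would leave nobody able to administer security.
    Empty list: at least one SECADM slot is an authorization ID or a created role."""
    if parms.separate_security.strip().upper() != "YES":
        return []  # under NO, SYSADM/SYSCTRL still perform security tasks
    findings, usable = [], 0
    for label, name, kind in (("SECADM1", parms.secadm1, parms.secadm1_type),
                              ("SECADM2", parms.secadm2, parms.secadm2_type)):
        if _slot_is_usable(name, kind, existing_roles):
            usable += 1
        elif kind.strip().upper() == "ROLE":
            findings.append(f"{label}: role {name.strip().upper()} has not been created")
        else:
            findings.append(f"{label}: blank authorization ID")
    if usable == 0:
        findings.insert(0, "LOCKOUT: no usable SECADM; nobody could manage "
                           "roles or trusted contexts")
    return findings


# Constructed sample values (not from a real subsystem).
ROLES_IN_CATALOG = ["DBA_ROLE"]   # what a catalog query for roles would return
RISKY = SecadmParms("YES", "SECROLE", "ROLE", "SECROLE", "ROLE")
SAFE = SecadmParms("YES", "SECADM", "AUTHID", "SECADM", "AUTHID")

if __name__ == "__main__":
    print(lockout_findings(RISKY, ROLES_IN_CATALOG))
```

Run it against the real parameter values and the current role list before changing option 39 on DSNTIPB; a LOCKOUT finding means create the role or point a SECADM slot at an authorization ID first.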

Note: This is a security-related parameter.