Separating the SYSADM authority

Granularity and flexibility in Db2 administrative authority allows you to separate security administration, database administration, and data access control from system administration. Separating the SYSADM authority (a combination of security and system administration) can help you simplify your system administration and strengthen the security administration of your business data.

Procedure

To separate the SYSADM authority, choose the system and security administration model that best meets the security needs of your business:

  • Maintain the existing system administration model in which the SYSADM authority continues to be able to perform security administration

    You must first set the SEPARATE_SECURITY subsystem parameter to NO (the default value) during installation or migration. As shown below, this setting lets the system administrator continue to act as the security administrator: the SYSADM authority implicitly receives the privileges of the SECADM authority.

    Figure: SYSADM.

    When SEPARATE_SECURITY is set to NO, users with SYSADM authority can manage most security objects, perform grants, and revoke privileges that are granted by others, and users with SYSCTRL authority can manage roles, perform most grants, and revoke privileges that are granted by others.

    However, the following newer security capabilities always require explicit SECADM authority, even if SEPARATE_SECURITY is set to NO:

  • Separate security administration from system administration (SYSADM)

    You must first set the SEPARATE_SECURITY system parameter on panel DSNTIPP1 to YES during installation or migration. As shown below, this setting separates the security administration from the SYSADM authority. A system administrator can no longer manage access control, audit policies, or security-related objects, including roles and trusted contexts. The SYSCTRL authority can no longer manage roles. Neither the SYSADM authority nor the SYSCTRL authority can grant or revoke privileges that are granted by others.

    Figure: Separate security administration from system administration (SYSADM).

    In addition to setting the SEPARATE_SECURITY system parameter, you also need to set one of the SECADM system parameters, during installation, to the authorization ID or role that will perform security administration. To ensure complete separation of system and security administration, do not set the SECADM system parameter to a SYSADM ID. Instead, set SECADM to a SECADM ID and installation SYSADM to an installation SYSADM ID.

  • Separate system database administration with the data access authority and the access control authority from system and security administration.

    Db2 provides both the system DBADM authority and the DBADM authority, with each having a different set of privileges. The system DBADM authority allows you to manage objects in all databases across a Db2 subsystem, but doesn't give you access to the data in the databases. In addition, with the system DBADM authority, you can perform administrative tasks and issue commands for a Db2 subsystem, but you don't have the authority to execute objects or the ability to grant or revoke privileges.

    Unlike the system DBADM authority, the DBADM authority allows you to manage objects in a specific database and gives you access to the data in that database. You also get the privileges of the DBCTRL and DBMAINT authorities over the same database.

    If you want the system database administrators to have access to data and the ability to grant and revoke privileges, you can grant them the system DBADM, DATAACCESS, and ACCESSCTRL authorities, as shown below. By default, the DATAACCESS and ACCESSCTRL authorities are granted when the system DBADM authority is granted.

    Figure: Separate system database administration from system and security administration.

    If you want the system database administrators to have access to data, but not the ability to grant or revoke privileges, you can grant them the system DBADM and DATAACCESS authorities, but not the ACCESSCTRL authority, as shown below. You can also grant system database administrators the SYSOPR authority and the privileges to perform ARCHIVE, BSDS, CREATESG, STOSPACE, or other system-related tasks.

    Figure: Separate system database administration from security administration.

  • Separate system database administration from the data access authority, the access control authority, security administration, and system administration.

    If you want the system database administrators to manage database objects, but have no access to data or the ability to grant and revoke privileges, you can grant them the system DBADM authority, but not the SYSADM, DATAACCESS, or ACCESSCTRL authority.

    Figure: Separate system database administration from data access authority, access control authority, security administration, and system administration.
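The three system DBADM models described above, written out as the GRANT statements that implement them, with a catalog query to confirm what each ID actually holds. This is an added example, not code from this page or from IBM's documentation. The authorization IDs DBA_ALL, DBA_DATA and DBA_OBJ are constructed for illustration, the statements are assumed to run under the SECADM ID named in the subsystem parameters (with SEPARATE_SECURITY set to YES, SYSADM can no longer issue them), and the SYSIBM.SYSUSERAUTH column names are assumed to be those of the Db2 10 and later catalog.

```sql
-- Added example; DBA_ALL, DBA_DATA and DBA_OBJ are constructed authorization IDs.
-- Assumes SEPARATE_SECURITY=YES and a SECADM ID as the issuing authorization ID.

-- Model 1: system DBADM with data access and access control.
-- WITH ACCESSCTRL and WITH DATAACCESS are the defaults, so this is the same as
-- GRANT DBADM ON SYSTEM TO DBA_ALL; spelling them out documents the intent.
GRANT DBADM WITH ACCESSCTRL WITH DATAACCESS ON SYSTEM TO DBA_ALL;

-- Model 2: system DBADM with data access but no ability to grant or revoke.
GRANT DBADM WITHOUT ACCESSCTRL WITH DATAACCESS ON SYSTEM TO DBA_DATA;
-- Operational privileges this model may also carry (SYSOPR and the
-- system-related privileges the page lists).
GRANT SYSOPR TO DBA_DATA;
GRANT ARCHIVE, BSDS, CREATESG, STOSPACE TO DBA_DATA;

-- Model 3: object management only; no data access, no access control.
GRANT DBADM WITHOUT ACCESSCTRL WITHOUT DATAACCESS ON SYSTEM TO DBA_OBJ;

-- Tightening an ID that was granted the defaults: remove access control only.
-- Under SEPARATE_SECURITY=YES this revoke must come from SECADM (or the grantor).
REVOKE ACCESSCTRL ON SYSTEM FROM DBA_ALL;

-- Verify the separation actually took effect. Expected after the statements
-- above (column names assumed for the Db2 10+ catalog):
--   DBA_ALL   SDBADMAUTH=Y DATAACCESSAUTH=Y ACCESSCTRLAUTH=' ' SYSADMAUTH=' '
--   DBA_DATA  SDBADMAUTH=Y DATAACCESSAUTH=Y ACCESSCTRLAUTH=' ' SYSADMAUTH=' '
--   DBA_OBJ   SDBADMAUTH=Y DATAACCESSAUTH=' ' ACCESSCTRLAUTH=' ' SYSADMAUTH=' '
SELECT GRANTEE, SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH,
       SECADMAUTH, SYSADMAUTH, SYSOPRAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEE IN ('DBA_ALL', 'DBA_DATA', 'DBA_OBJ')
 ORDER BY GRANTEE;
```

Run the verification query after every grant or revoke in the separation procedure, and also for the SECADM and installation SYSADM IDs: a row where SDBADMAUTH, DATAACCESSAUTH and ACCESSCTRLAUTH are all set on an ID that is also SYSADM means the separation the model describes has not been achieved.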