Database authorities
Each database authority allows the authorization ID holding it to perform some particular type of action on the database as a whole. Database authorities are different from privileges, which allow a certain action to be taken on a particular database object, such as a table or an index.
These are the database authorities.
- ACCESSCTRL
- Allows the holder to grant and revoke all object privileges and database authorities except for privileges on the audit routines, and ACCESSCTRL, DATAACCESS, DBADM, and SECADM authority.
- BINDADD
- Allows the holder to create new packages in the database.
- CONNECT
- Allows the holder to connect to the database.
- CREATETAB
- Allows the holder to create new tables in the database.
- CREATE_EXTERNAL_ROUTINE
- Allows the holder to create a procedure for use by applications and other users of the database.
- CREATE_NOT_FENCED_ROUTINE
- Allows the holder to create a user-defined function (UDF) or procedure
that is not fenced. CREATE_EXTERNAL_ROUTINE is automatically
granted to any user who is granted CREATE_NOT_FENCED_ROUTINE. Attention: The database manager does not protect its storage or control blocks from UDFs or procedures that are not fenced. A user with this authority must, therefore, be very careful to test their UDF extremely well before registering it as not fenced.
- DATAACCESS
- Allows the holder to access data stored in database tables.
- DBADM
- Allows the holder to act as the database administrator. In particular it gives the holder all of the other database authorities except for ACCESSCTRL, DATAACCESS, and SECADM.
- EXPLAIN
- Allows the holder to explain query plans without requiring them to hold the privileges to access data in the tables referenced by those query plans.
- IMPLICIT_SCHEMA
- Allows any user to create a schema implicitly by creating an object using a CREATE statement with a schema name that does not already exist. SYSIBM becomes the owner of the implicitly created schema and PUBLIC is given the privilege to create objects in this schema.
- LOAD
- Allows the holder to load data into a table
- QUIESCE_CONNECT
- Allows the holder to access the database while it is quiesced.
- SECADM
- Allows the holder to act as a security administrator for the database.
- SQLADM
- Allows the holder to monitor and tune SQL statements.
- WLMADM
- Allows the holder to act as a workload administrator. In particular, the holder of WLMADM authority can create and drop workload manager objects, grant and revoke workload manager privileges, and execute workload manager routines.
Only authorization IDs with the SECADM authority can grant the ACCESSCTRL, DATAACCESS, DBADM, and SECADM authorities. All other authorities can be granted by authorization IDs that hold ACCESSCTRL or SECADM authorities.
To remove any database authority from PUBLIC, an authorization ID with ACCESSCTRL or SECADM authority must explicitly revoke it.