Question & Answer
Question
How to grant SECADM to a userid if a LocalSystem account (Windows) currently holds DB2 SECADM authority?
Cause
In DB2 V9.7, Security administrator (SECADM) abilities have been extended. Only SECADM authority provides the ability to grant and revoke all authorities and privileges to other users.
Answer
For Windows XP/2003:
- Start a command prompt (cmd.exe) window as LocalSystem by issuing the 'at' command with a future time (say 1 min later).
  For example: C:\Documents and Settings\ at 16:35 /interactive cmd.exe
  (assuming the current time is 16:34)
- In the new cmd.exe window, issue db2cmd
  This launches the DB2 Command Window.
- Connect to the DB2 database:
  db2 connect to <dbname>
  It shows the auth id as SYSTEM (alternatively you can run whoami to verify).
- Grant SECADM to a specific user (the grant applies to the database you are connected to):
  db2 GRANT SECADM ON DATABASE TO USER <user>
On Windows Kernel 6 or greater OS (Windows 7/2008 or similar), the interactive mode command fails with an error similar to this:
>at 16:38 /interactive cmd.exe
Warning: Due to security enhancements, this task will run at the time expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?' for details).
Added a new job with job ID = 1
To work around this issue on Windows Kernel 6 or greater (includes Windows 7/2008/2008 R2 or similar), follow this procedure:
- Download and install the Windows utility called psexec.exe:
  http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
- Open cmd.exe
- Navigate to the location of psexec and run the below command:
  PSEXEC -i -s -d db2cmd.exe
  You are now logged in as SYSTEM.
- Navigate to the location of db2cmd.exe.
- Connect to the DB2 database:
  db2 connect to <dbname>
- Grant SECADM to a specific user (the grant applies to the database you are connected to):
  db2 GRANT SECADM ON DATABASE TO USER <user>
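The connect and grant steps of both procedures above, with error checks and a verification query, as an added example (not part of the IBM technote). It assumes it is run inside the DB2 Command Window that was started as LocalSystem; the script name and variable names are hypothetical.

```bat
@echo off
rem Added example, not from the technote. Run inside the DB2 Command Window
rem that was opened as LocalSystem (via 'at' or PSEXEC, as described above).
rem Usage: grant_secadm.cmd <dbname> <user>   (script name is an assumption)
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<dbname^> ^<user^>
    exit /b 2
)
set "DBNAME=%~1"
set "NEWSECADM=%~2"

rem Show the Windows identity of this window; expect "nt authority\system".
rem (whoami may not be installed by default on Windows XP.)
whoami

rem DB2 CLP exit codes: 0 = success, 1 = no rows, 2 = warning,
rem 4 = DB2 or SQL error, 8 = CLP system error.
db2 connect to %DBNAME%
if errorlevel 4 (
    echo Connect to %DBNAME% failed.
    exit /b 1
)

rem Database authorities are granted ON DATABASE, i.e. on the connected database.
db2 "GRANT SECADM ON DATABASE TO USER %NEWSECADM%"
if errorlevel 4 (
    echo GRANT failed. Check that the connected auth id holds SECADM.
    db2 connect reset
    exit /b 1
)

rem Verify: list every authorization ID that holds SECADM on this database.
db2 "SELECT GRANTEE, GRANTEETYPE, GRANTOR FROM SYSCAT.DBAUTH WHERE SECURITYADMAUTH = 'Y'"

rem Close the connection and end the CLP back-end process.
db2 connect reset
db2 terminate
endlocal
```

The query output should list both SYSTEM and the newly granted user, which confirms the grant and shows exactly which IDs hold SECADM on the database.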
Document Information
Modified date:
16 June 2018
UID
swg21633475