On Windows operating systems, if Extended Security is enabled, you can restrict privileges of the db2fmp process to the privileges assigned to the DB2USERS group.
Restrictions
On version 10.1 FP3 and earlier fix packs, the option to restrict privileges is not available if LocalSystem is selected as the service account.
db2set DB2_LIMIT_FENCED_GROUP = ON
SC sidtype DB2-service-name unrestricted
where DB2-service-name is
the DB2 service name. By default
the DB2 service name is set
to DB2 or, in a DB2 partitioned
database environment the default is set to DB2-0. SC sidtype DB2 unrestricted
In additional to the privilege of DB2USERS group, the db2fmp process has the operating system privilege of the chosen user group chosen.