DB2 10.5 for Linux, UNIX, and Windows

DB2 system administrator group considerations (Windows)

If you have system administrator (SYSADM) authority, you are able to perform maintenance operations such as database and table space creation, database configuration updates, and database recovery.

By default, system administrative (SYSADM) authority is granted to any valid DB2® user account that belongs to the Administrators group on the computer where the account is defined. If the account is a local account, then it must belong to the local Administrators group. If the account is a domain account, then it must belong to the Administrators group at the domain controller or the local Administrators group. You can force the DB2 database server to always perform group lookup on the local computer by setting the registry variable DB2_GRP_LOOKUP=local and adding the domain accounts (or global groups) to the local group.

For example, if a user logs on to a domain account and tries to access a DB2 database, the DB2 database server goes to a domain controller to enumerate groups (including the Administrators group).

For a domain user to have SYSADM authority, they must belong to the local Administrators group or the Administrators group at the domain controller. Because the DB2 database server always performs authorization at the machine where the account is defined, adding a domain user to the local Administrators group on the server does not grant that user SYSADM authority unless DB2_GRP_LOOKUP=local is set.

To avoid adding a domain user to the Administrators group at the domain controller, create a global group and add to it the domain users to whom you want to grant SYSADM authority. Then update the DB2 configuration parameter SYSADM_GROUP with the name of the global group.

To update the DB2 configuration parameter, enter the following commands:
   db2 update dbm cfg using sysadm_group global_group
   db2stop
   db2start
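
The following audit script is an added example, not part of the original DB2 documentation. It reports which group currently confers SYSADM and which of its local members count under the lookup rules described above. It assumes a PowerShell session started from a DB2 command window so that db2 and db2set work; the function names are hypothetical.

```powershell
# Added example: report which accounts can obtain SYSADM through group membership.
# Assumption: run from a DB2 command window so db2 and db2set work in this session.

function Get-Db2SysadmGroup {
    # "db2 get dbm cfg" prints a line ending in "(SYSADM_GROUP) = <name>".
    # An empty value means the default (Administrators group) applies.
    $m = db2 get dbm cfg |
         Select-String -Pattern '\(SYSADM_GROUP\)\s*=\s*(.*)$' |
         Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
}

function Test-Db2LocalGroupLookup {
    # db2set prints the current value, or a "variable not set" message.
    $value = (db2set DB2_GRP_LOOKUP 2>$null | Out-String).Trim()
    $value -match '^local'
}

$sysadmGroup = Get-Db2SysadmGroup
$localLookup = Test-Db2LocalGroupLookup
$groupName   = if ($sysadmGroup) { $sysadmGroup } else { 'Administrators' }

Write-Output "SYSADM group in effect : $groupName"
Write-Output "DB2_GRP_LOOKUP=local   : $localLookup"

if (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Get-LocalGroupMember -Group $groupName | ForEach-Object {
        $isLocal = $_.PrincipalSource -eq 'Local'
        [pscustomobject]@{
            Member          = $_.Name
            Type            = $_.ObjectClass
            Source          = $_.PrincipalSource
            # Per the text above: a domain principal in a local group only
            # counts when DB2 is forced to look up groups on this computer.
            CountsForSysadm = ($isLocal -or $localLookup)
        }
    } | Format-Table -AutoSize
} else {
    # A global (domain) group cannot be enumerated with the local cmdlets.
    Write-Output "'$groupName' is not a local group; review its members at the domain controller."
}
```

Domain accounts that hold SYSADM through a group at the domain controller do not appear in this output and must be reviewed there.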