Each database authority allows the authorization ID holding
it to perform some particular type of action on the database as a
whole. Database authorities are different from privileges, which allow
a certain action to be taken on a particular database object, such
as a table or an index.
These are the database authorities.
- ACCESSCTRL
- Allows the holder to grant and revoke all object privileges and
database authorities except for privileges on the audit routines,
and ACCESSCTRL, DATAACCESS, DBADM, and SECADM authority.
- BINDADD
- Allows the holder to create new packages in the database.
- CONNECT
- Allows the holder to connect to the database.
- CREATETAB
- Allows the holder to create new tables in the database.
- CREATE_EXTERNAL_ROUTINE
- Allows the holder to create a procedure for use by applications
and other users of the database.
- CREATE_NOT_FENCED_ROUTINE
- Allows the holder to create a user-defined function (UDF) or procedure
that is not fenced. CREATE_EXTERNAL_ROUTINE is automatically
granted to any user who is granted CREATE_NOT_FENCED_ROUTINE.
Attention: The database manager does not protect
its storage or control blocks from UDFs or procedures that are not
fenced. A user with this authority must, therefore, be very careful
to test their UDF extremely well before registering it as not fenced.
- DATAACCESS
- Allows the holder to access data stored in database
tables.
- DBADM
- Allows the holder to act as the database administrator.
In particular it gives the holder all of the other database authorities
except for ACCESSCTRL, DATAACCESS, and SECADM.
- EXPLAIN
- Allows the holder to explain query
plans without requiring them to hold the privileges to access data
in the tables referenced by those query plans.
- IMPLICIT_SCHEMA
- Allows any user to create a schema implicitly by creating an object
using a CREATE statement with a schema name that does not already
exist. SYSIBM becomes the owner of the implicitly created schema and
PUBLIC is given the privilege to create objects in this schema.
- LOAD
- Allows the holder to load data into a table
- QUIESCE_CONNECT
- Allows the holder to access the database while it is quiesced.
- SECADM
- Allows the holder to act as a security administrator
for the database.
- SQLADM
- Allows the holder to monitor and tune SQL statements.
- WLMADM
- Allows the holder to act as a workload administrator. In particular,
the holder of WLMADM authority can create and drop workload manager
objects, grant and revoke workload manager privileges, and execute
workload manager routines.
Only authorization IDs with the SECADM authority
can grant the ACCESSCTRL, DATAACCESS, DBADM, and SECADM authorities.
All other authorities can be granted by authorization IDs that hold
ACCESSCTRL or SECADM authorities.
To remove any database authority from PUBLIC,
an authorization ID with ACCESSCTRL or SECADM authority must explicitly
revoke it.