Because the system catalog views describe every object in the database, if you have sensitive data, you might want to restrict their access.
SELECT DISTINCT OBJECTSCHEMA FROM SYSIBMADM.PRIVILEGES WHERE AUTHID='PUBLIC'
OBJECTSCHEMA
------------
SYSFUN
SYSIBM
SYSPROC
If the database is not created with the RESTRICTIVE option and you revoke the SELECT privilege from PUBLIC for any catalog view, the select privilege is granted back to PUBLIC during an upgrade.
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTSCHEMA = 'SYSIBM'
AUTHID AUTHIDTYPE PRIVILEGE GRANTABLE OBJECTNAME OBJECTSCHEMA OBJECTTYPE
---------... ---------- ---------- --------- ---------------... ------------... ----------
PUBLIC G EXECUTE N SQL060207192129400 SYSPROC FUNCTION
PUBLIC G EXECUTE N SQL060207192129700 SYSPROC FUNCTION
PUBLIC G EXECUTE N SQL060207192129701 SYSPROC
...
PUBLIC G EXECUTE Y TABLES SYSIBM PROCEDURE
PUBLIC G EXECUTE Y TABLEPRIVILEGES SYSIBM PROCEDURE
PUBLIC G EXECUTE Y STATISTICS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y SPECIALCOLUMNS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y PROCEDURES SYSIBM PROCEDURE
PUBLIC G EXECUTE Y PROCEDURECOLS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y PRIMARYKEYS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y FOREIGNKEYS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y COLUMNS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y COLPRIVILEGES SYSIBM PROCEDURE
PUBLIC G EXECUTE Y UDTS SYSIBM PROCEDURE
PUBLIC G EXECUTE Y GETTYPEINFO SYSIBM PROCEDURE
PUBLIC G EXECUTE Y SQLCAMESSAGE SYSIBM PROCEDURE
PUBLIC G EXECUTE Y SQLCAMESSAGECCSID SYSIBM PROCEDURE
For releases earlier than Version 9.1 of the DB2 database manager, during database creation, SELECT privilege on the system catalog views is granted to PUBLIC. In most cases, this does not present any security problems. For very sensitive data, however, it may be inappropriate, as these tables describe every object in the database. If this is the case, consider revoking the SELECT privilege from PUBLIC; then grant the SELECT privilege as required to specific users. Granting and revoking SELECT on the system catalog views is done in the same way as for any view, but you must have either ACCESSCTRL or SECADM authority to do this.
This would prevent information on user privileges from becoming available to everyone with access to the database.
You should also examine the columns for which statistics are gathered. Some of the statistics recorded in the system catalog contain data values which could be sensitive information in your environment. If these statistics contain sensitive data, you may wish to revoke SELECT privilege from PUBLIC for the SYSCAT.COLUMNS and SYSCAT.COLDIST catalog views.
If you wish to limit access to the system catalog views, you could define views to let each authorization name retrieve information about its own privileges.
CREATE VIEW MYSELECTS AS
SELECT TABSCHEMA, TABNAME FROM SYSCAT.TABAUTH
WHERE GRANTEETYPE = 'U'
AND GRANTEE = USER
AND SELECTAUTH = 'Y'
The keyword USER in this statement is equal to the value of the current session authorization name.
GRANT SELECT ON TABLE MYSELECTS TO PUBLIC
REVOKE SELECT ON TABLE SYSCAT.TABAUTH FROM PUBLIC
REVOKE SELECT ON TABLE SYSIBM.SYSTABAUTH FROM PUBLIC