instance owner login

#1 db2girl, 12-01-11 20:31 (Join Date: Aug 2008; Location: Toronto, Canada; Posts: 1,816)

How do you set up logins for multiple DBAs supporting the same Linux/Unix environments?

Does each DBA log on to the server with their personal id and then 'sudo su - <instance owner>'? Is there a better (more secure) way to accomplish this?

#2 nvk@vhv, 12-02-11 04:46 (Join Date: Jan 2010; Posts: 294)

We use ssh + private/public key.
It's not the safest way, but it works well for us.

#3 sathyaram_s (Super Moderator), 12-02-11 05:30 (Join Date: Aug 2001; Location: UK; Posts: 4,534)

An alternative approach is to set up a group, say, db2sysg1, add the DBA users (+ instance owner, of course) and assign SYSADM_GROUP to this group.

The DBAs can use their own logins to do remote administration (Data Studio, Quest) and also use monitoring tools (like db2mon). This helps in auditing remote connections also.

Quote: Originally Posted by db2girl
How do you set up logins for multiple DBAs supporting the same Linux/Unix environments?

Does each DBA log on to the server with their personal id and then 'sudo su - <instance owner>'? Is there a better (more secure) way to accomplish this?
__________________
Visit the new-look IDUG Website, register to gain access to the excellent content.

#4 db2girl, 12-02-11 06:27

If every DBA administers db2 using their personal id (with SYSADM privilege), then there is a way to tell who has done what (i.e. drop table) if db2audit is set up. If they "su" to the instance owner, then I think there is no way? "su" is logged, but everything else (db2 admin tasks) will be logged as the instance owner id and I will have no way of telling who has done what to the db?

How is this set up in most shops? What I'm after is a way of tracking each DBA's activity (just in case something goes wrong...)

#5 Marcus_A, 12-02-11 08:22 (Join Date: May 2003; Location: USA; Posts: 5,198)

Quote: Originally Posted by sathyaram_s
An alternative approach is to set up a group, say, db2sysg1, add the DBA users (+ instance owner, of course) and assign SYSADM_GROUP to this group.

The DBAs can use their own logins to do remote administration (Data Studio, Quest) and also use monitoring tools (like db2mon). This helps in auditing remote connections also.
One thing I don't like about that is that, if there are multiple instances on the server, once you log on as the instance owner the correct DB2 profile is always invoked and you are always pointed to the correct instance.

Otherwise, if a personal id is used with SYSADM, some inadvertent mistakes could happen because the user may not realize which instance they are attached to.
__________________
M. A. Feldman
IBM Certified DBA on DB2 for Linux, UNIX, and Windows
IBM Certified DBA on DB2 for z/OS and OS/390

#6 n_i, 12-02-11 08:49 (Join Date: Jun 2003; Location: Toronto, Canada; Posts: 4,449)

Also keep in mind that when people create objects (tables, routines) under their own authorization IDs the objects will be owned by these different IDs, which causes confusion later (e.g. another DBA not being able to CREATE OR REPLACE or DROP objects) unless permissions are explicitly granted to the DBA group or individual IDs.

#7 db2girl, 12-02-11 09:35

It looks like using the instance owner id is easier to manage and can be less error prone, but I'm not sure how to track who has been using this id to do db2 admin work other than to see when "su" was logged.

#8 wolaos123, 12-06-11 23:17 (Join Date: Nov 2011; Location: Shen Zhen, China; Posts: 37)

We are using an approach like this:

Log in to the server with a personal id, then "sudo su - inst", with a script added to the instance's .profile to record all the commands (even wrong commands) they use into a log file.
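The .profile approach in the post above, written out as an added example; this is not code from the thread, from IBM or from sudo. It is a POSIX sh snippet meant to be sourced from the instance owner's ~/.profile: it records each command typed in the session together with the personal id that did the su, which is the attribution the earlier posts were asking for. The names DB2_CMDLOG, orig_login, audit_record, log_last_command and install_cmdlog_hook are hypothetical, and the command strings used when exercising it are constructed.

```shell
# Added example (not from the thread): source this from the DB2 instance
# owner's ~/.profile. Hypothetical names throughout.

# Where the per-session command log goes (hypothetical default path).
DB2_CMDLOG="${DB2_CMDLOG:-$HOME/.db2_cmdlog}"

# Recover the personal login behind the instance owner session.
# 'sudo -i -u inst' keeps SUDO_USER; 'sudo su - inst' does not, because
# 'su -' resets the environment, so fall back to the utmp entry of the
# controlling tty ('who am i'), then to logname(1), then to the current user.
orig_login() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
        return 0
    fi
    _u=$(who am i 2>/dev/null | awk 'NR == 1 { print $1 }')
    if [ -n "$_u" ]; then
        printf '%s\n' "$_u"
        return 0
    fi
    logname 2>/dev/null || printf '%s\n' "${USER:-unknown}"
}

# Format one audit line: UTC time, who did the su, effective user, shell
# pid, command. Fields are tab-separated so a command containing spaces
# stays a single field.
audit_record() {
    # $1 = original login, $2 = command text
    printf '%s\tfrom=%s\tas=%s\tpid=%s\tcmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$(id -un)" "$$" "$2"
}

# Append the most recent history entry to the log. Run before each prompt,
# so mistyped commands are captured too: history keeps what was entered,
# not what succeeded. Repeated prompts without a new command log nothing.
log_last_command() {
    _last=$(fc -ln -1 2>/dev/null | sed 's/^[[:space:]]*//')
    [ -n "$_last" ] || return 0
    [ "$_last" = "${_prev_logged:-}" ] && return 0
    _prev_logged=$_last
    audit_record "${DB2_CMDLOG_FROM:-$(orig_login)}" "$_last" >>"$DB2_CMDLOG"
}

# Resolve the original login once, create the log file, and in an
# interactive bash hook the logger into PROMPT_COMMAND (other shells can
# call log_last_command from their own prompt hook).
install_cmdlog_hook() {
    DB2_CMDLOG_FROM=$(orig_login)
    : >>"$DB2_CMDLOG"
    chmod 600 "$DB2_CMDLOG"
    case "$-" in
        *i*)
            if [ -n "${BASH_VERSION:-}" ]; then
                PROMPT_COMMAND='log_last_command'
            fi
            ;;
    esac
}
```

Two caveats a practitioner would want stated. First, the log is written by the instance owner id, so any DBA who has become inst can edit or truncate it, and a DBA who starts the shell with `bash --norc` or runs `unset PROMPT_COMMAND` bypasses the hook entirely; it only answers the "who" question if the lines are shipped off-host (for example via logger(1) to syslog) or the file is root-owned and append-only. Second, sudo can do this attribution itself: the sudoers(5) `Defaults log_input` and `log_output` options record the whole session keyed on the invoking user, and using `sudo -i -u inst` instead of `sudo su - inst` keeps SUDO_USER in the session so the utmp fallback above is never needed. Neither replaces db2audit for SQL-level actions, which, as noted earlier in the thread, are attributed to the authorization ID, i.e. the instance owner, when everyone works through that one id.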