Results 1 to 2 of 2

Thread: Secadm

  1. #1
    Join Date
    Aug 2008
    Location
    Toronto, Canada
    Posts
    2,367

    Unanswered: Secadm

    From v9.7+ doc:

    "If a user holding SYSADM authority creates a database, the user is automatically granted DATAACCESS, ACCESSCTRL, SECADM and DBADM authority for that database, which gives the user the same abilities as in Version 9.5."

    In this case, do you let the instance owner have SECADM or do you create a separate id and grant it SECADM and then revoke it from the instance owner? I guess if SYSADM and SECADM is the same person/DBA, then it makes sense to just let the instance owner have SECADM. What do you think?

  2. #2
    Join Date
    May 2003
    Location
    USA
    Posts
    5,737
    As long as you the instance owner creates all the databases, and runs all the grant scripts, just leave it all under one id. I you have a separate organization responsible for running grants (hopefully not) then you need to have separate the authorities.

    It seems to me that it would be hard to separate the authorities since the DBA must deploy the scripts to create objects (tables, views, etc) and needs to issue grants at the same time. I can see a separate security group that would add/change/delete users in a OS Group, but that is at the OS group account level and not inside DB2.
    M. A. Feldman
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows
    IBM Certified DBA on DB2 for z/OS and OS/390

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •