01-11-13, 11:30 #1
- Join Date
- Aug 2008
- Toronto, Canada
From v9.7+ doc:
"If a user holding SYSADM authority creates a database, the user is automatically granted DATAACCESS, ACCESSCTRL, SECADM and DBADM authority for that database, which gives the user the same abilities as in Version 9.5."
In this case, do you let the instance owner have SECADM or do you create a separate id and grant it SECADM and then revoke it from the instance owner? I guess if SYSADM and SECADM are the same person/DBA, then it makes sense to just let the instance owner have SECADM. What do you think?
01-12-13, 19:31 #2 Registered User
- Join Date
- May 2003
As long as you, the instance owner, create all the databases and run all the grant scripts, just leave it all under one id. If you have a separate organization responsible for running grants (hopefully not), then you need to separate the authorities.
It seems to me that it would be hard to separate the authorities since the DBA must deploy the scripts to create objects (tables, views, etc.) and needs to issue grants at the same time. I can see a separate security group that would add/change/delete users in an OS group, but that is at the OS group account level and not inside DB2.
M. A. Feldman
IBM Certified DBA on DB2 for Linux, UNIX, and Windows
IBM Certified DBA on DB2 for z/OS and OS/390
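For reference, the separate-id option raised in the first post could look like the following in the DB2 command line processor. This is an added example, not part of either post; the database name SAMPLE and the ids DB2INST1 (instance owner) and SECADM1 (dedicated security administrator) are assumed names.

```sql
-- Added example. Assumed names: database SAMPLE, instance owner DB2INST1,
-- dedicated security administrator SECADM1 (an already existing account).

-- 1. As the instance owner, who created the database and therefore holds
--    SECADM on it, grant SECADM to the dedicated id.
CONNECT TO sample USER db2inst1;
GRANT SECADM ON DATABASE TO USER secadm1;
CONNECT RESET;

-- 2. As the new security administrator, revoke SECADM from the instance
--    owner. Doing this from the second id means the database is never
--    left without a SECADM holder.
CONNECT TO sample USER secadm1;
REVOKE SECADM ON DATABASE FROM USER db2inst1;

-- 3. Audit who now holds the four authorities named in the v9.7 doc quote.
--    After step 2 the instance owner should show SECURITYADMAUTH = 'N' but
--    still 'Y' for DBADM, DATAACCESS and ACCESSCTRL, since only SECADM
--    was revoked.
SELECT grantee,
       granteetype,
       securityadmauth,
       dbadmauth,
       dataaccessauth,
       accessctrlauth
FROM   syscat.dbauth
WHERE  'Y' IN (securityadmauth, dbadmauth, dataaccessauth, accessctrlauth)
ORDER  BY grantee;

CONNECT RESET;
```

From that point on, grants and revokes of DBADM, DATAACCESS, ACCESSCTRL and SECADM on this database have to be issued by SECADM1, which is the operational cost the second post describes.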