Team with the best
Db2® LUW Performance Tools
company in the World

DB2 LUW Security -- Be Kind to your SECADM (Part 1)

November 5, 2009, 9:55 pm
Posted by bond in General
Here's a tip....just before your shop upgrades to (or installs) DB2 9.7, run to the nearest Coffee Shop, grab a Vanilla Latte and a Cookie and place the Latte gently in front of your SECADM, along with a list of the new SECADM responsibilities that will be necessary after the upgrade.

I promised in an earlier post that I'd share thoughts on how to keep your SECADM from quitting when you upgrade to 9.7. But, if the Latte and cookie approach doesn't work, then you're on your own. (I'm kidding...there's more)

DB2 DBAs...we're used to being overwhelmed. We don't necessarily like it, but we're used to it. Remember when 9.1 first came out? If you had an opportunity to be the SECADM and give up your other tasks, what would you have said then? Seemed like a cushy job at the time. The biggest task appeared to be setting up LBAC, but once that setup was complete, life would not be late 2 AM panic calls...and then..

Version 9.5....some new tasks (audit responsibilities for one), but still the tasks were manageable, plus ROLES were a big help.

And now...we stand at the threshold of 9.7...getting ready to install it...and

Did you give the SECADM the Latte yet ? 

As it says in the documentation, SECADM "abilities have been extended". The easy, breezy life of the SECADM is facing a hurricane. Sounds ominous, but rope your SECADM to the chair until the Latte is finished (and then pull out the cookie as backup) and let's approach this CALMLY.

In DB2 V9.7:

  • SECADM can grant and revoke all authorities and privileges, including DBADM and .... (read carefully) .... > SECADM.
  • SECADM can GRANT SECADM authority to ROLES and GROUPS (here is where your SECADM's eyes start to twinkle)
  • The SECADM can DELEGATE running the audit stored procedures and table functions to ANOTHER user by granting EXECUTE privilege (is the SECADM beginning to smile? )


  • ACCESSCTRL authority can be given to another user so that THEY can grant and revoke authorities and privileges (except SECADM, DBADM, ACCESSCTRL and DATAACCESS)

So, it would appear that your SECADM can easily share with others.

Thanks to the Latte, cookie and a calm approach, disaster was averted....for now...

Tune in to PART TWO, when I share my thoughts on how important your Security Controls are going to be as you approach this new Security Model (bring your own latte).


db2locksmith at