If you want to limit what a sysadm can or can't do, it
depends on whether you're talking about installation sysadm or
sysadm by grant. You might want to think about setting up trusted
contexts to assign the sysadm role under specific circumstances (that's
just an idea), or, if you want to be more strict, you as the RACF
people have the option to deny alter access authority to the SDSNEXIT
library and allow it only to a special user. There are a few more
options, and it doesn't have to be a DB2-only approach.
As for displaying the Db2 zparms, there's a proc
called ADMIN_INFO_SYSPARM and also a sample job that invokes
it called DSNTEJ6Z and it's located in your NEW.SDSNSAMP
library, and it will show you the current zparms that are in
And finally, about accessing catalog tables, I'm afraid I
don't quite get your point, so I can't help with that one.
Hope that helps a bit :)
Javier Estrada Benavides
Certified DB2 for z/OS System Admin, Mexico.