Is an object owner able to grant or revoke privileges on objects he owns?
Sorry for disturbing you.
What I mean by SOD is separation of duties.
I want to make clear to you that I understand the role of SECADM: after I set separate security to yes, SECADM will perform GRANT and REVOKE of authority on objects, but if SYSADM was the creator of those objects, then SYSADM will also be able to GRANT and REVOKE authority.
My question is how to limit SYSADM from doing that?
Thanks for the reply.
I have a couple of questions:
1- Why can't I prevent a SYSADM from granting authority? (You mean because he is the object owner, or what?)
2- How do I make the SYSADM ID not reachable? (You mean I can use external security like RACF?)
So what about customizing SYSADM through roles and trusted contexts, according to https://www.ibm.com/support/knowledgecenter/SSEPEK_10.0.0/seca/src/tpc/db2z_migratesysadm.html?
According to your clarification, I understand that most shops that apply separation of duty limit SYSADM authority to one or two authids, and SYSADM can still grant privileges.