Grant Privileges (Controlling SYSADM)

Philip Sevetson

Grant Privileges (Controlling SYSADM)
**please note my email address change**
That has been my experience where I have worked, yes. The list of people who have the SYSADM authorization must be extremely restricted, both by amount of experience – it’s not something you want to give to someone if they aren’t very experienced with the DBMS – and by duties.

Where I’ve worked, the practice has been to:

· Create RACF Groups/ACF2 Secondary AuthIDs with departmental/duty-related names, and

· Assign the SEL/INS/UPD/DEL privileges to those; then,

· A security administrator can use the security tool to connect individuals to those groups/authIDs based on work needs, and not actually have DB2 privileges. (Most security administrators don’t understand DB2, again in my experience.)

· DBAs do the GRANT privileges to new table for those groups, and new GRANTs to existing tables

· A Production Implementation / Configuration Management person/team does the static BINDs, and has all necessary table SEL/INS/UPD/DEL privileges to accomplish that. This person may be, but usually is not, a DBA.

Individuals doing analytic work need additional ability to save data:

· CREATE TABLE privileges are given out to individuals, within a personal database/tablespace, for people who need to do operations like SAVE DATA (QMF).

· DASD Monitor - Someone has to monitor space used by those databases, and raise flags for data which is kept a long time or takes a lot of space.

· RLF - The Resource Limitation Facility should be set to stringently limit the size of any units of work (queries or writes) which analysts do in production. Otherwise, a badly written query in an OLTP or HTAP environment can drastically slow production and/or hold locks which prevent production work. In a serious enough case, a badly performing update can paralyze production.

Philip Sevetson
Computer Systems Manager
5 Manhattan West (33rd St at 10th Ave)
New York, NY 10001-2632
212-857-1688 w
917-991-7052 c
212-857-1659 f
[cid:[login to unmask email]

From: Mohamed Esmael [mailto:[login to unmask email]
Sent: Wednesday, August 23, 2017 6:18 AM
To: [login to unmask email]
Subject: [DB2-L] - RE: Grant Privileges

According to your clarification i can understand that most shops that applies separation of duty , they limit SYSADM authority to one or two authid and also still SYSADM can Grant privileges

-----End Original Message-----
**This e-mail, including any attachments, may be confidential, privileged, or otherwise legally protected. It is intended only for the addressee. If you received this e-mail in error or from someone who was not authorized to send it to you, do not disseminate, copy, or otherwise use this e-mail or its attachments. Please notify the sender immediately by reply e-mail and delete the e-mail from your system.**

  • image001.png (3.3k)