DB2 permissions and privileges

Database permissions include instance permission levels (SYSADM, SYSCTRL, SYSMAINT, and SYSMON) and database permission levels (DBAMD and LOAD ). Users with SYSCTRL, SYSMAINT, and SYSMON permissions cannot access data, while users with DBAMD and LOAD permissions can access data. Privileges are more refined than permissions. Database privileges: CONNECT

Database permissions include instance permission levels (SYSADM, SYSCTRL, SYSMAINT, and SYSMON) and database permission levels (DBAMD and LOAD ). Users with SYSCTRL, SYSMAINT, and SYSMON permissions cannot access data, while users with DBAMD and LOAD permissions can access data. Privileges are more refined than permissions. Database privileges: CONNECT

Database permissions include instance permission levels (SYSADM, SYSCTRL, SYSMAINT, and SYSMON) and database permission levels (DBAMD and LOAD ). Users with SYSCTRL, SYSMAINT, and SYSMON permissions cannot access data, while users with DBAMD and LOAD permissions can access data.

Privileges are more refined than permissions.

Database privileges:
CONNECT-allows users to CONNECT to databases
BINDADD-allows users to create new packages in the database
CREATETAB-allows users to create new tables in the database
CREATE_NOT_FENCED-allows users to register user-defined functions (udfs) or stored procedures defined as not fenced.
Implicit schema-allows users to create objects in a mode that does not exist (it automatically creates a mode )*
QUIESCE_CONNECT-allows a user to connect to a database in the quiesced status
CREATE_EXTERNAL_ROUTINE-allows users to register external routines (routines written in external languages such as C and Java)

Tablespace privileges:
USE-allows users to create tables in the specified tablespace

Mode privilege:
CREATEIN-allows users to create objects in the Mode
ALTERIN-allows users to modify objects in Mode
DROPIN-allows users to delete objects from the Mode

Table/view privileges:
CONTROL-grant users all privileges on tables and views, and grant these privileges (except CONTROL) to others
ALTER-allows you to add columns to a table, add or modify comments to or from a table or its columns, add primary keys or unique constraints, and create or delete table check constraints.
DELETE-allows you to DELETE rows from a table or view.
INDEX-allows you to create an INDEX on a table
INSERT-allows users to INSERT data into tables or views
REFERENCES-allows users to create and delete Foreign keys, which must specify the parent table in the link.
SELECT-allows you to retrieve rows from a table or view, create a view on the table, and run the EXPORT Utility
UPDATE-allows you to modify data in certain columns in a table, view, or table or view. You can have this privilege only on a specific column.

Index privilege:
CONTROL-allows users to delete Indexes

Package privileges:
CONTROL-allows users to rebind, delete, or execute packages, and grant these privileges (except CONTROL) to others
BIND-allows users to rebind existing packages
EXECUTE-allows the user to EXECUTE the package

Routine privileges:
EXECUTE allows you to call routines, CREATE functions from routines (only for functions), and reference routines in any DDL statements (such as create view, create trigger, or when defining constraints ).

Sequence privilege:
USAGE-allows users to use NEXTVAL and PREVVAL expressions for Sequences
ALTER-allows you to use the alter sequence statement to modify SEQUENCE attributes.

Privileged information is stored in the seven system catalog views:
* SYSCAT. DBAUTH-database privileges
* SYSCAT. COLAUTH-table and View column privileges
* SYSCAT. INDEXAUTH-index privilege
* SYSCAT. PACKAGEAUTH-package privileges
* SYSCAT. SCHEMAAUTH-mode privilege
* SYSCAT. TABAUTH-table and view privileges
* SYSCAT. TBSPACEAUTH-tablespace privilege

View the permissions of the current connected user:
$ Db2 get authorizations
Administrative Authorizations for Current User
Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = YES
Direct CREATETAB authority = YES
Direct BINDADD authority = YES
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = YES
Direct IMPLICIT_SCHEMA authority = YES
Direct LOAD authority = YES
Direct QUIESCE_CONNECT authority = YES
Direct CREATE_EXTERNAL_ROUTINE authority = YES
Direct SYSMON authority = NO
Indirect SYSADM authority = YES
Indirect SYSCTRL authority = NO
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = NO
Indirect CONNECT authority = NO
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = NO
Indirect LOAD authority = NO
Indirect QUIESCE_CONNECT authority = NO
Indirect CREATE_EXTERNAL_ROUTINE authority = NO
Indirect SYSMON authority = NO
"Direct" permission means that this permission is explicitly granted to this user. "Indirect" permission means that this user belongs to a group with this permission.