DBADM and ACCESSCTRL
Continuing along the same lines as the previous post about DBADM and DATAACCESS, there is much more that was taken away from DBADM in DB2 9.7.
1. ability to GRANT/REVOKE *any* database authority (except SECADM, which it never had)
2. ability to GRANT/REVOKE *any* privilege on *any* database object
This again is a significant step towards achieving separation of duties between the 'security administrator' and the 'database administrator'. A new authority 'Access Control authority' (ACCESSCTRL) was introduced to hold these privileges. By default, when DBADM is granted, ACCESSCTRL is also granted, but one can now choose to not do so by using
1. ability to GRANT/REVOKE *any* database authority (except SECADM, which it never had)
2. ability to GRANT/REVOKE *any* privilege on *any* database object
This again is a significant step towards achieving separation of duties between the 'security administrator' and the 'database administrator'. A new authority 'Access Control authority' (ACCESSCTRL) was introduced to hold these privileges. By default, when DBADM is granted, ACCESSCTRL is also granted, but one can now choose to not do so by using
GRANT DBADM WITHOUT ACCESSCTRL
One thing to keep in mind is when DBADM is revoked, DATAACCESS and ACCESSCTRL (if granted by default) are NOT automatically revoked.