DB2 9.7 added a few built-in roles like SYSROLE_AUTH_DBADM, SYSROLE_AUTH_SECADM. These roles show up in the syscat.roles and syscat.roleauth catalog views as regular roles, but DB2 treats them as special roles reserved exclusively for certain database authorities. For example, SYSROLE_AUTH_DBADM is granted automatically whenever DBADM is granted to someone. And it is revoked automatically when DBADM is revoked. These roles can not be granted/revoked manually (using grant/revoke statement for example). These roles hold system chosen object privileges. For example, SYSROLE_AUTH_DBADM role hold EXECUTE privilege over many (all?) procedures/functions under the SYSPROC, SYSIBMADM, SYSIBMINTERNAL schemas.