Various Infrastructure Audit Programs

DB2 review involves auditing DB2 access by running SQL queries to identify: [1] which accounts are used for batch jobs, users, and DBAs; [2] the number of accounts with DBA privileges; and [3] which support accounts can modify data. It also involves reviewing how migration, patching, and upgrades are performed and establishing the access control model used by RACF and CICS for controlling DB2 access. Suggested queries are provided to retrieve user IDs with DBA or sysadmin authority and system privileges held by users.

DB2 review

Conduct the audit by running the SQL below through QMF / DB2I, or any other front-end administration tool that may be installed (e.g. RC-Secure), to get the results. You will need to determine who owns the IDs (primary or secondary) from RACF/ACF2.

1. Identify which accounts are used by batch jobs, which are user accounts and which accounts are used by the DBAs, support staff etc.
2. Establish whether the number of accounts allocated DBA privileges which can access data (SYSADM, DBADM) is reasonable.
3. Establish which support accounts can 'fix' data (of course, without any audit trail going to offsite storage it would be impossible to tell what they did with it and when).
4. Establish how migration to production is performed, and using what accounts.
5. Establish how patching and upgrades are performed, and using what accounts.

A suggested approach to reviewing control over access to DB2 databases would be as follows. Establish which of the following models is used by RACF and the RCT to control which users have access to a particular DB2 subsystem. This will need a review of the RACF profiles for the DB2 class and of the CICS resource control tables that control which ID (CICS transaction, RACF AuthID etc. – see below) is passed through to DB2:

1. By individual user access granted to packages/plans, tables and views
2. By secondary AuthID (group) being granted access to packages/plans, tables and views
3. By CICS transaction granted access to packages/plans, tables and views
4. By CICS region granted access to the DB2 subsystem

Alternatively, do users log in to the application itself, with the application being granted access to DB2 by virtue of CICS access? If so, who grants this access to users?

Is the model consistent for all applications / DB2 databases?

Establish what direct access is granted to staff (basically DBAs have direct access via TSO/DB2I/SPUFI. Who else?).
DB2 Query SQL

The commands, tables and column definitions should be up to date, but I would suggest a check, especially if you get spurious results. I would suggest a sanity check of the output (i.e. take some data you know exists and ensure that it appears on the relevant output).

To retrieve all user IDs (not plans) with DBADM authority and whether they hold this privilege 'with grant option' or not:

SELECT GRANTEE, DBADMAUTH FROM SYSIBM.SYSDBAUTH
  WHERE GRANTEETYPE = ' ' AND DBADMAUTH <> ' ';

(If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege.)

OR

SELECT DISTINCT GRANTEE FROM SYSIBM.SYSDBAUTH
  WHERE GRANTEETYPE = ' ' AND DBADMAUTH IN ('G','Y');

Retrieve all users with SYSADM authority:

SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH
  WHERE SYSADMAUTH <> ' ';

OR

SELECT GRANTEE FROM SYSIBM.SYSUSERAUTH
  WHERE SYSADMAUTH IN ('G','Y');

(If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege.)

Find all users with SYSCTRL authority:

Repeat the above query for SYSADM, substituting 'WHERE SYSCTRLAUTH' for 'WHERE SYSADMAUTH'.

To retrieve all system privileges held by users, enter the following SQL (if GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege):

SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH
  WHERE SYSADMAUTH <> ' ';

(Repeat for SYSCTRLAUTH, SYSOPRAUTH, BSDSAUTH, CREATEDBAAUTH, CREATEDBCAUTH, CREATESGAUTH, BINDADDAUTH, ALTERBPAUTH, BINDAGENTAUTH, ARCHIVEAUTH, RECOVERAUTH, STOPALLAUTH, STOSPACEAUTH, TRACEAUTH, DISPLAYAUTH.)

To list the privileges held by users over databases, enter the following SQL:

SELECT GRANTEE, DBADMAUTH FROM SYSIBM.SYSDBAUTH
  WHERE DBADMAUTH <> ' ';

(Repeat for DBCTRLAUTH, DBMAINTAUTH, CREATETABAUTH, CREATETSAUTH, DISPLAYDBAUTH, DROPAUTH, IMAGCOPYAUTH, LOADAUTH, REORGAUTH, RECOVERDBAUTH, REPAIRAUTH, STARTDBAUTH, STATSAUTH, STOPAUTH.)
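Rather than re-running the SYSADMAUTH query once per privilege column and then doing the same again for SYSDBAUTH, the two queries below collect the same information in one pass each. They are added here as an illustration and are not part of the original audit programme; they use only the SYSIBM.SYSUSERAUTH and SYSIBM.SYSDBAUTH column names listed in the text, with GRANTEETYPE = ' ' restricting the output to authorisation IDs.

```sql
-- Added example (not from the audit programme): every system privilege held by
-- an ID, one row per (ID, privilege). HELD is 'G' (held WITH GRANT OPTION, so
-- the holder can pass it on) or 'Y' (held without it). Plans (GRANTEETYPE = 'P')
-- are left out; the RACF/ACF2 owner of each GRANTEE still has to be established.
SELECT GRANTEE, 'SYSADM' AS PRIV, SYSADMAUTH AS HELD
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND SYSADMAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'SYSCTRL', SYSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND SYSCTRLAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'SYSOPR', SYSOPRAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND SYSOPRAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'BINDADD', BINDADDAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND BINDADDAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'BINDAGENT', BINDAGENTAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND BINDAGENTAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'CREATEDBA', CREATEDBAAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND CREATEDBAAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'CREATEDBC', CREATEDBCAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND CREATEDBCAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'CREATESG', CREATESGAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND CREATESGAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'BSDS', BSDSAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND BSDSAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'ARCHIVE', ARCHIVEAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND ARCHIVEAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'RECOVER', RECOVERAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND RECOVERAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'STOPALL', STOPALLAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND STOPALLAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'TRACE', TRACEAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND TRACEAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'STOSPACE', STOSPACEAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND STOSPACEAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'ALTERBP', ALTERBPAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND ALTERBPAUTH IN ('G','Y')
UNION ALL
SELECT GRANTEE, 'DISPLAY', DISPLAYAUTH
  FROM SYSIBM.SYSUSERAUTH WHERE GRANTEETYPE = ' ' AND DISPLAYAUTH IN ('G','Y')
ORDER BY 1, 2;

-- Database-level authorities summarised per ID, for audit step 2 (is the number
-- of accounts with DBA-type access reasonable?). One row per ID that holds
-- DBADM, DBCTRL or DBMAINT on at least one database, with a count of databases
-- per authority and of entries held WITH GRANT OPTION.
SELECT GRANTEE,
       SUM(CASE WHEN DBADMAUTH   IN ('G','Y') THEN 1 ELSE 0 END) AS DBADM_DBS,
       SUM(CASE WHEN DBCTRLAUTH  IN ('G','Y') THEN 1 ELSE 0 END) AS DBCTRL_DBS,
       SUM(CASE WHEN DBMAINTAUTH IN ('G','Y') THEN 1 ELSE 0 END) AS DBMAINT_DBS,
       SUM(CASE WHEN DBADMAUTH = 'G' OR DBCTRLAUTH = 'G' OR DBMAINTAUTH = 'G'
                THEN 1 ELSE 0 END) AS WITH_GRANT
  FROM SYSIBM.SYSDBAUTH
 WHERE GRANTEETYPE = ' '
 GROUP BY GRANTEE
HAVING SUM(CASE WHEN DBADMAUTH IN ('G','Y') OR DBCTRLAUTH IN ('G','Y')
                  OR DBMAINTAUTH IN ('G','Y') THEN 1 ELSE 0 END) > 0
 ORDER BY 2 DESC, 3 DESC, 4 DESC;
```

The first query answers "who holds what" in one listing; the second turns SYSDBAUTH into a per-account count so the step 2 judgement can be made against a single list. Because GRANTEE may be a RACF group (secondary AuthID) rather than a person, the counts are only meaningful once each GRANTEE has been resolved to its members in RACF/ACF2.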

I have attached a definition of privileges and Catalog tables as Appendix A in case you wish to perform other queries based on your findings.

Appendix B

Single Resource Specific Capabilities
BIND
Explicit BIND (with the ACTION(REPLACE) option), REBIND or FREE TSO sub-commands may be used on this plan. The plan must exist
EXECUTE
Programs may be executed that use resources that have been bound to the specified application plans. The binder of a plan always gets EXECUTE authority with the GRANT option automatically
CREATETAB
New tables may be created within the specified database (CREATETAB is not required to create new views)

CREATETS
New tablespaces may be created within the specified database

DISPLAYDB
The status of the specified DB2 databases may be displayed
DROP
The specified DB2 databases may be dropped
Note: All tables, table spaces and views are also dropped when a database is dropped
IMAGECOPY
The COPY and MERGECOPY utilities may be run against table spaces and
indexes within the specified DB2 databases
LOAD
The LOAD utility may be used to load table spaces and indexes within the
specified DB2 databases. Note: The creator of a table can always use the
LOAD utility for the table.

REORG
Table spaces and indexes may be reorganised within the specified DB2 databases
RECOVERDB

The RECOVER utility may be invoked against table spaces and indexes within the
specified DB2 databases

REPAIR
The REPAIR utility may be invoked against table spaces and indexes within
the specified DB2 databases
STARTDB
The START command may be issued against the specified DB2 databases

STATS
The RUNSTATS utility may be invoked against the specified DB2 databases.

STOPDB

The STOP command may be issued against the specified DB2 databases

USE OF
The specified objects (bufferpools, storage groups or table spaces) may be used.
Use of a bufferpool means the ability to create table spaces that use the bufferpool.
Use of a storage group means the ability to create table spaces that use the storage
group.
Use of a table space means the ability to create tables in the table space.
This ensures that storage groups can be reserved for table spaces and table spaces
reserved for tables.
Single General Capabilities
Stored in the SYSUSERAUTH TABLE

BINDADD
The BIND TSO sub-command with the ACTION(ADD) option may be issued.
(The ADD option is used to add a new plan - it must not already exist)
BSDS
The RECOVER BSDS command may be issued
CREATEDBA
New databases may be created. The user gets the DBADM authority for all databases
created this way
CREATEDBC
New databases may be created. The user gets the DBCTRL authority for all
databases created this way
CREATESG
New storage groups may be created
DISPLAY
DB2 threads (‘DISPLAY THREAD’) and DB2 databases (‘DISPLAY DB’) may be
displayed
RECOVER
The ‘RECOVER INDOUBT’ command may be issued
STOPALL
The ‘STOP DB2’ command may be issued to terminate the DB2 subsystem

STOSPACE
The STOSPACE utility may be invoked
TRACE
The ‘START TRACE’ and ‘STOP TRACE’ commands may be issued.
DB2 Catalog Tables (* = tables of interest in a security review)
SYSIBM.LUNAMES
This table must contain a row for each remote SNA client or server that
communicates with DB2. Rows in this table can be inserted, updated and deleted
SYSIBM.MODESELECT
Associates a mode name with any conversation created to support an outgoing SQL
request. Each row represents one or more combinations of LUNAME, authorisation
ID, and application plan name. Rows in this table can be inserted, updated and
deleted
SYSIBM.SYSAUXRELS
This table was introduced with Version 6. It contains one row for each auxiliary table
created for a LOB column. A base table space that is partitioned must have one
auxiliary table for each partition of each LOB column
SYSIBM.SYSCHECKDEP
Contains one row for each reference to a column in a table check constraint
SYSIBM.SYSCHECKS
This table contains one row for each table check constraint
SYSIBM.SYSCOLAUTH *
Records the UPDATE or REFERENCES privileges that are held by users on
individual columns of a table or view
SYSIBM.SYSCOLDIST
Contains one or more rows for the first key column of an index key. Rows in this
table can be inserted, updated and deleted

SYSIBM.SYSCOLDISTSTATS
This table contains none, one, or more rows per partition for the first key column of a
partitioning index. Rows are inserted when RUNSTATS scans index partitions of the
partitioning index. No row is inserted if the index is a non-partitioning index. Rows
in this table can be inserted, updated, and deleted
SYSIBM.SYSCOLSTATS
Contains partition statistics for selected columns. For each column, a row exists for
each partition in the table. Rows are inserted when RUNSTATS collects either
indexed column statistics or non-indexed column statistics for a partitioned table
space. No row is inserted if the tablespace is non-partitioned. Rows in this table can
be inserted, updated, and deleted
SYSIBM.SYSCOLUMNS
Contains one row for every column of each table and view, defining creator, data type, length, name, etc.
SYSIBM.SYSCONSTDEP
This table has been introduced with Version 6. It records dependencies on check
constraints or user-defined defaults for a column
SYSIBM.SYSCOPY
This table contains information on the execution of DB2 COPY, QUIESCE, LOAD
and REORG utilities such as database and table space ID, type of copy, date created,
location, etc… It is used by DB2 to manage recovery

SYSIBM.SYSDATABASE
Contains one row of information (e.g. name, creator, default storage group, buffer
pool, etc…) for each database, except for database DSNDB01
SYSIBM.SYSDATATYPES
This table contains one row of information for each distinct data type defined to the
system
SYSIBM.SYSDBAUTH *
This table contains the privileges that are held by users over databases
SYSIBM.SYSDBRM
Contains DBRM information for DBRMs which have been bound into plans, e.g. date
compiled, host language (assembler; COBOL; FORTRAN…) etc
SYSIBM.SYSDUMMY1
This table contains one row. The table is used for SQL Statements in which a table
reference is required, but the contents of the table are not important
SYSIBM.SYSFIELDS
Contains one row of information for every column that has a field procedure
SYSIBM.SYSFOREIGNKEYS
This table contains one row of information for every column of every foreign key
SYSIBM.SYSINDEXES
Contains one row of information for every index

SYSIBM.SYSINDEXPART
Contains one row for each non-partitioning index and one row for each partition of a
partitioning index
SYSIBM.SYSINDEXSTATS
Contains one row of information for each partition of a partitioning index, e.g. name
of index, partition number, index owner, etc…
SYSIBM.SYSKEYS
Contains one row of information for each column of an index key
SYSIBM.SYSDBSTATS
Contains one row of information for each Large OBject (LOB) table space

SYSIBM.SYSPACKAGE
Contains one row of information for every package

SYSIBM.SYSPACKAUTH *
Records the privileges that are held by users over packages
SYSIBM.SYSPACKDEP
This table records dependencies of packages on local tables, views, synonyms, table
spaces, indexes, aliases, functions and stored procedures
SYSIBM.SYSPACKLIST
Contains one or more rows for every local application plan bound with a package list.
Each row represents a unique entry in the plan’s package list

SYSIBM.SYSPACKSTMT
This table contains one or more rows of information for each statement in a package
SYSIBM.SYSPARMS
This table contains a row for each parameter of a routine or multiple rows for table
parameters (one for each column of the table)
SYSIBM.SYSPKSYSTEM
Contains zero or more rows for every package. Each row for a given package
represents one or more connections to an environment in which the package could be
executed
SYSIBM.SYSPLAN
Contains information on every plan, e.g. creator, date bound, whether valid / invalid,
ID of binder, etc …

SYSIBM.SYSPLANAUTH *
Records the privileges which are held by users over application plans (e.g. BIND,
EXECUTE)
SYSIBM.SYSPLANDEP
Records the dependencies e.g. of plans on tables, views, aliases, synonyms, table
spaces, indexes, functions, and stored procedures
SYSIBM.SYSPLSYSTEM
Contains none, one, or more rows for every plan. Each row for a given plan
represents one or more connections to an environment in which the plan could be used

SYSIBM.SYSPROCEDURES *
In releases of DB2 for OS/390 prior to Version 6, users were required to use the
SYSPROCEDURES catalog table to define stored procedures to DB2. In Version 6,
the SYSROUTINES catalog table contains information about stored procedures.
When Version 6 was installed, the rows in SYSPROCEDURES that had non-blank
values for authID and LUNAME were copied, with appropriate formatting, to
SYSROUTINES. Although Version 6 of DB2 for OS/390 does not use
SYSPROCEDURES, it is available for fallback to Version 5.

SYSIBM.SYSRELS
Contains information on the foreign key and link relationships for all tables, e.g.
referential constraints such as Cascade, Restrict, SetNull

SYSIBM.SYSRESAUTH *
Records CREATE IN and PACKADM ON privileges for collections; USAGE
privileges for distinct types; and USE privileges for buffer pools, storage group and
table spaces
SYSIBM.SYSROUTINEAUTH *
Records the privileges that are held by users on routines. (A routine can be a user-
defined function, a cast function or a stored procedure).

SYSIBM.SYSROUTINES
Contains a row for every routine. (A routine can be a user-defined function, cast
function or stored procedure).

SYSIBM.SYSSCHEMAAUTH *
Contains one or more rows of information for each user that is granted a privilege on
a particular schema in the database.
SYSIBM.SYSSTMT
This contains one or more rows for each SQL Statement of each DBRM
SYSIBM.SYSSTOGROUP
Contains one row of information for each storage group
SYSIBM.SYSSTRINGS
Contains information on conversion of strings from one character set to another
SYSIBM.SYSSYNONYMS
Contains synonyms for table names
SYSIBM.SYSTABAUTH *
Records the privileges that users hold on tables and views
SYSIBM.SYSTABLEPART
Contains one row for each non-partitioned table space and one row for each partition
of a partitioned tablespace
SYSIBM.SYSTABLES
Contains one row of information for each table, view or alias
SYSIBM.SYSTABLESPACE
Contains one row of information for each tablespace

SYSIBM.SYSTABSTATS
Contains a row of information for each partition of a partitioned table space. Rows in
this table can be inserted, updated and deleted

SYSIBM.SYSTRIGGERS
This table contains one row of information for each trigger.
SYSIBM.SYSUSERAUTH *
This table records information on system privileges held by DB2 users
SYSIBM.SYSVIEWDEP
Records the dependencies of views on tables, functions and other views
SYSIBM.SYSVIEWS *
Contains information on all views that have been defined in this location
SYSIBM.SYSVOLUMES
Contains one row for each volume of each storage group
SYSIBM.SYSUSERNAMES
Each row in this table is used to carry out either Outbound ID translation or Inbound
ID translations and “come from” checking. Rows in this table can be inserted, updated
and deleted
Privilege Columns on Security Tables

Each table entry holds the following privileges. The pre-defined group capabilities (SYSADM, DBADM, DBCTRL, DBMAINT, SYSOPR) have completed entries as shown:

Table / single capability   Resource type         SYSADM  DBADM  DBCTRL  DBMAINT  SYSOPR

SYSUSERAUTH
  ALTERBP                                         G
  BINDADD                                         G
  BSDS                                            G
  CREATEDBA                                       G
  CREATEDBC                                       G
  CREATESG                                        G
  DISPLAYDB                                       G
  STOSPACE                                        G
  DISPLAY                                         G                                Y
  RECOVER                                         G                                Y
  STOPALL                                         G                                Y
  TRACE                                           G                                Y

SYSTABAUTH
  ALTER                     table definitions     G       Y
  DELETE                    table rows            G       Y
  INDEX                     create indexes        G       Y
  INSERT                    table rows            G       Y
  SELECT                    table rows            G       Y
  UPDATE                    tables (column list)  G       Y

SYSPLANAUTH
  BIND                      application plans     G
  EXECUTE                   application plans     G

SYSDBAUTH
  DROP                      data base             G       Y      Y
  LOAD                      data base             G       Y      Y
  REORG                     data base             G       Y      Y
  RECOVERDB                 data base             G       Y      Y
  REPAIR                    data base             G       Y      Y
  CREATETAB                 data base             G       Y      Y       Y
  CREATETS                  data base             G       Y      Y       Y
  DISPLAYDB                 data base             G       Y      Y       Y
  IMAGECOPY                 data base             G       Y      Y       Y
  STARTDB                   data base             G       Y      Y       Y
  STATS                     data base             G       Y      Y       Y
  STOPDB                    data base             G       Y      Y       Y

N.B. Only the SYSADM authority starts off with the ability to GRANT privileges.

The entries define propagation privileges for predefined capabilities and any other user:
'G'     = capability given WITH the GRANT option
'Y'     = capability given (but not with the GRANT option)
'BLANK' = no capability
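The N.B. above is the point an auditor wants to test: since only SYSADM starts with the ability to GRANT, every other ID holding a 'G' entry was delegated that ability and can propagate the privilege further. The two queries below follow that chain. They are added here as an illustration and are not part of the original audit programme; they use only the SYSIBM.SYSDBAUTH, SYSIBM.SYSUSERAUTH and SYSIBM.SYSTABAUTH column names documented in this appendix.

```sql
-- Added example (not from the audit programme): delegation points in the grant
-- chain, i.e. non-SYSADM IDs holding WITH GRANT OPTION, and privileges that
-- reached their holder second-hand.

-- (1) IDs holding a database-level authority WITH GRANT OPTION ('G') that are
--     not SYSADM themselves. Each of these can hand DBADM/DBCTRL/DBMAINT on.
SELECT D.GRANTEE, D.NAME AS DB_NAME,
       CASE WHEN D.DBADMAUTH  = 'G' THEN 'DBADM'
            WHEN D.DBCTRLAUTH = 'G' THEN 'DBCTRL'
            ELSE 'DBMAINT' END AS AUTH_WITH_GRANT,
       D.GRANTOR, D.AUTHHOWGOT, D.DATEGRANTED
  FROM SYSIBM.SYSDBAUTH D
 WHERE D.GRANTEETYPE = ' '
   AND (D.DBADMAUTH = 'G' OR D.DBCTRLAUTH = 'G' OR D.DBMAINTAUTH = 'G')
   AND NOT EXISTS (SELECT 1 FROM SYSIBM.SYSUSERAUTH U
                    WHERE U.GRANTEE = D.GRANTEE
                      AND U.GRANTEETYPE = ' '
                      AND U.SYSADMAUTH IN ('G','Y'))
 ORDER BY D.GRANTEE, D.NAME;

-- (2) Table privileges granted by someone who is neither the table owner nor
--     acting as SYSADM (AUTHHOWGOT <> 'S'). The grant therefore rests on a
--     delegated WITH GRANT OPTION (AUTHHOWGOT blank) or on a database-level
--     authority (AUTHHOWGOT = 'D', 'C' or 'M'); each grantor found here should
--     appear in query (1) or in the DBADM/DBCTRL/DBMAINT listings.
SELECT T.GRANTOR, T.AUTHHOWGOT, T.GRANTEE, T.GRANTEETYPE,
       T.TCREATOR, T.TTNAME,
       T.SELECTAUTH, T.INSERTAUTH, T.UPDATEAUTH, T.DELETEAUTH, T.ALTERAUTH,
       T.DATEGRANTED
  FROM SYSIBM.SYSTABAUTH T
 WHERE T.GRANTOR <> T.TCREATOR
   AND T.AUTHHOWGOT <> 'S'
 ORDER BY T.GRANTOR, T.GRANTEE, T.TCREATOR, T.TTNAME;
```

Query (1) is the list to reconcile against the approved DBA population: an ID that holds DBADM 'G' but is not on that list is either an unapproved delegation or a leftover from a migration. Query (2) shows what those delegations have actually been used for; a DATEGRANTED outside any change window is worth following up against the migration-to-production procedure from the review steps.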
SYSIBM.SYSCOLAUTH Table

Contains the UPDATE privileges held by DB2 users on single table columns or view columns.

Column Name      Description
GRANTOR          A userid, the literal 'PUBLIC', or the literal 'PUBLIC*' to indicate that all users at all
                 distributed locations hold these privileges. This is the user who granted update authority to
                 the GRANTEE.
GRANTEE          The authid of the user who possesses the privileges described in this row, the name of a plan
                 that uses the privileges, the literal 'PUBLIC' to indicate that all users have these privileges,
                 or the literal 'PUBLIC*' to indicate that all users at all distributed locations hold these
                 privileges.
GRANTEETYPE      A value indicating the type of GRANTEE:
                   P      GRANTEE is a plan
                   blank  GRANTEE is a userid
CREATOR          The owner of the view or table named in TNAME.
TNAME            The view or table name in which the COLNAME indicated in this row exists.
TIMESTAMP        An internal timestamp representing when authority was granted. Do not use, because this is
                 unreadable.
DATEGRANTED      The date on which authority was granted (yymmdd).
TIMEGRANTED      The time at which authority was granted (hhmmssth).
COLNAME          The column name to which update authority has been granted.
IBMREQD          An indicator specifying 'Y' if the row was supplied by IBM, or 'N' if it was not.
LOCATION         The package location.
COLLID           The collection name.
CONTOKEN         The package name.

SYSIBM.SYSDBAUTH Table

Records the privileges held by users over databases.

Column Name      Data Type  Description
GRANTOR          CHAR(8)    Authorisation ID of the user who granted privileges.
GRANTEE          CHAR(8)    Authorisation ID of the user who holds the privileges, or the name of an
                            application plan that uses the privileges.
NAME             CHAR(8)    Database name.
TIMESTAMP        CHAR(12)   Time at which the privileges were granted (internal timestamp format).
DATEGRANTED      CHAR(6)    Date the privileges were granted, in the form yymmdd.
TIMEGRANTED      CHAR(8)    Time the privileges were granted, in the form hhmmssth.
GRANTEETYPE      CHAR(1)    Meaning:
                              blank  GRANTEE is an authorisation ID
                              P      GRANTEE is an application plan
AUTHHOWGOT       CHAR(1)    Authorisation level of the user from whom the privileges were received:
                              blank  not applicable
                              C      DBCTRL
                              D      DBADM
                              L      SYSCTRL
                              M      DBMAINT
                              S      SYSADM

Each of the privilege columns below is CHAR(1) and takes the same three values:
  blank  privilege is not held
  G      privilege held with the GRANT option
  Y      privilege held without the GRANT option

CREATETABAUTH    CHAR(1)    Whether the GRANTEE can create tables within the data base.
CREATETSAUTH     CHAR(1)    Whether the GRANTEE can create table spaces within the data base.
DBADMAUTH        CHAR(1)    Whether the GRANTEE has DBADM authority over the database.
DBCTRLAUTH       CHAR(1)    Whether the GRANTEE has DBCTRL authority over the data base.
DBMAINTAUTH      CHAR(1)    Whether the GRANTEE has DBMAINT authority over the data base.
DISPLAYDBAUTH    CHAR(1)    Whether the GRANTEE can issue the DISPLAY command for the data base.
DROPAUTH         CHAR(1)    Whether the GRANTEE can drop the data base.
IMAGCOPYAUTH     CHAR(1)    Whether the GRANTEE can use the COPY and MERGECOPY utilities on the data base.
LOADAUTH         CHAR(1)    Whether the GRANTEE can use the LOAD utility to load tables in the data base.
REORGAUTH        CHAR(1)    Whether the GRANTEE can use the REORG utility to reorganise table spaces in the
                            data base.
RECOVERDBAUTH    CHAR(1)    Whether the GRANTEE can use the RECOVER utility to recover table spaces and
                            indexes in the database.
REPAIRAUTH       CHAR(1)    Whether the GRANTEE can use the REPAIR utility on table spaces and indexes in
                            the database.
STARTDBAUTH      CHAR(1)    Whether the GRANTEE can use the START command against the data base.
STATSAUTH        CHAR(1)    Whether the GRANTEE can use the RUNSTATS utility against the data base.
STOPAUTH         CHAR(1)    Whether the GRANTEE can issue the STOP command against the data base.

IBMREQD          CHAR(1)    Whether the row came from the basic machine-readable material (MRM) tape:
                              N      no
                              Y      yes
SYSIBM.SYSPLANAUTH Table

Contains the plan privileges (BIND and EXECUTE authorities) held by DB2 users.

Column Name      Description
GRANTOR          The authid of the user who granted the privileges described in this row.
GRANTEE          The authid of the user who possesses the privileges described in this row, the name of a
                 plan that uses the privileges, or the literal PUBLIC to indicate that all users have these
                 privileges.
NAME             The name of the plan.
TIMESTAMP        The date and time (in the internal format) when the privileges were granted.
DATEGRANTED      The date (yymmdd) that authority was granted.
TIMEGRANTED      The time (hhmmssth) that authority was granted.
GRANTEETYPE      A value indicating the type of GRANTEE:
                   P      GRANTEE is a plan
                   blank  GRANTEE is a userid
AUTHHOWGOT       The authorisation level of the GRANTOR:
                   C      DBCTRL
                   D      DBADM
                   L      SYSCTRL
                   M      DBMAINT
                   S      SYSADM
                   blank  not applicable
BINDAUTH         The privilege to BIND or REBIND the named plan:
                   blank  privilege is not held
                   G      privilege held with the GRANT option
                   Y      privilege held without the GRANT option
EXECUTEAUTH      The privilege to execute the named plan (same values as BINDAUTH).
IBMREQD          An indicator specifying Y if the row was supplied by IBM, or N if it was not.
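Whichever of the four access models from the review approach is in use (user, secondary AuthID, CICS transaction or CICS region), it ends in a SYSPLANAUTH row granting EXECUTE on a plan, while BIND on the same plan is what lets someone replace the code behind it and so belongs with the migration-to-production checks. The queries below inventory both. They are an added illustration, not part of the original audit programme; they use the SYSPLANAUTH columns documented above and assume that SYSIBM.SYSPLAN carries the plan's NAME and CREATOR (the text mentions the creator but does not list that table's columns).

```sql
-- Added example (not from the audit programme): who can execute or (re)bind
-- each plan. Assumes SYSIBM.SYSPLAN has NAME and CREATOR columns.

-- (1) Every holder of EXECUTE or BIND on each plan, classified as a userid or
--     RACF group (ID), another plan (PLAN), or everyone (PUBLIC).
SELECT P.NAME AS PLAN_NAME, P.GRANTEE,
       CASE WHEN P.GRANTEE = 'PUBLIC'   THEN 'EVERYONE'
            WHEN P.GRANTEETYPE = 'P'    THEN 'PLAN'
            ELSE 'ID' END AS WHO,
       P.EXECUTEAUTH, P.BINDAUTH, P.GRANTOR, P.AUTHHOWGOT, P.DATEGRANTED
  FROM SYSIBM.SYSPLANAUTH P
 WHERE P.EXECUTEAUTH IN ('G','Y') OR P.BINDAUTH IN ('G','Y')
 ORDER BY 1, 3, 2;

-- (2) Plans anyone can execute, with the binder taken from SYSPLAN. With
--     PUBLIC EXECUTE the only remaining control is who can reach the CICS
--     transaction or TSO session that runs the plan.
SELECT P.NAME AS PLAN_NAME, S.CREATOR AS BINDER, P.GRANTOR, P.DATEGRANTED
  FROM SYSIBM.SYSPLANAUTH P
  LEFT OUTER JOIN SYSIBM.SYSPLAN S ON S.NAME = P.NAME
 WHERE P.GRANTEE = 'PUBLIC' AND P.EXECUTEAUTH IN ('G','Y')
 ORDER BY 1;

-- (3) IDs that can BIND (ACTION(REPLACE)) or REBIND a plan they did not bind
--     themselves: these are the accounts that can change production code
--     outside the binder's own migration path.
SELECT P.NAME AS PLAN_NAME, S.CREATOR AS BINDER, P.GRANTEE, P.BINDAUTH, P.GRANTOR
  FROM SYSIBM.SYSPLANAUTH P
  LEFT OUTER JOIN SYSIBM.SYSPLAN S ON S.NAME = P.NAME
 WHERE P.GRANTEETYPE = ' '
   AND P.BINDAUTH IN ('G','Y')
   AND (S.CREATOR IS NULL OR S.CREATOR <> P.GRANTEE)
 ORDER BY 1, 3;
```

Query (3) lists explicit BIND grants only; the binder of a plan, and anyone with SYSADM, BINDADD or BINDAGENT authority, can rebind without a SYSPLANAUTH row and must be taken from the SYSUSERAUTH listing instead.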
SYSIBM.SYSRESAUTH Table

Records the privileges held by users over buffer pools, storage groups, and table spaces.

Column Name      Data Type  Description
GRANTOR          CHAR(8)    Authorisation ID of the user who granted the privilege.
GRANTEE          CHAR(8)    Authorisation ID of the user who holds the privileges, or the name of an
                            application plan that uses the privilege.
QUALIFIER        CHAR(8)    Blank if the row describes a privilege over a buffer pool or storage group.
                            Contains the qualifier of the table space name (the data base name) if the row
                            describes a privilege over a table space.
NAME             CHAR(8)    Name of the storage group, table space or buffer pool.
GRANTEETYPE      CHAR(1)    Meaning:
                              blank  GRANTEE is an authorisation ID
                              P      GRANTEE is an application plan
AUTHHOWGOT       CHAR(1)    Authorisation level of the user from whom the privileges were received:
                              blank  not applicable
                              C      DBCTRL
                              D      DBADM
                              L      SYSCTRL
                              M      DBMAINT
                              S      SYSADM
OBTYPE           CHAR(1)    Object type:
                              B      buffer pool
                              S      storage group
                              R      table space
TIMESTAMP        CHAR(12)   Time at which the privilege was granted (internal timestamp format).
DATEGRANTED      CHAR(6)    Date the privilege was granted, in the form yymmdd.
TIMEGRANTED      CHAR(8)    Time the privilege was granted, in the form hhmmssth.
USEAUTH          CHAR(1)    Whether the privilege is held with the GRANT option:
                              G      privilege held with the GRANT option
                              Y      privilege held without the GRANT option
IBMREQD          CHAR(1)    Whether the row came from the basic machine-readable material (MRM) tape:
                              N      no
                              Y      yes
SYSIBM.SYSTABAUTH Table

Contains information on the table privileges held by DB2 users.

Column Name      Description
GRANTOR          The authid of the user who granted the privileges described in this row.
GRANTEE          The authid of the user who possesses the privileges described in this row, the name of a
                 plan that uses the privileges, the literal PUBLIC to indicate that all users have these
                 privileges, or the literal PUBLIC* to indicate that all users at all distributed locations
                 hold these privileges.
GRANTEETYPE      A value indicating the type of GRANTEE:
                   P      GRANTEE is a plan or package
                   blank  GRANTEE is a userid
DBNAME           The database name over which the GRANTOR possesses DBADM, DBCTRL, or DBMAINT authority, if
                 this privilege was granted by a user with this type of authority. Otherwise, the column is
                 blank.
SCREATOR         For views, SCREATOR contains the owner of the view named in STNAME. If the row defines a
                 table and not a view, SCREATOR is equal to TCREATOR.
STNAME           For views, STNAME contains the view name. If the row defines a table and not a view,
                 STNAME is equal to TTNAME.
TCREATOR         The owner of the table or view named in TTNAME.
TTNAME           The table or view name.
AUTHHOWGOT       The authorisation level of the GRANTOR:
                   C      DBCTRL
                   D      DBADM
                   L      SYSCTRL
                   M      DBMAINT
                   S      SYSADM
                   blank  not applicable
TIMESTAMP        The date and time (in the internal format) when the privileges were granted.
DATEGRANTED      The date (yymmdd) that authority was granted.
TIMEGRANTED      The time (hhmmssth) that authority was granted.
UPDATECOLS       If the UPDATEAUTH column applies to all columns in this table, UPDATECOLS is blank.
                 Otherwise, this column contains an asterisk (*), indicating that the user holds update
                 privileges on at least one column of this table. The SYSIBM.SYSCOLAUTH table contains
                 details of these single-column update privileges.

Each of the privilege columns below takes the same three values:
  blank  privilege is not held
  G      privilege held with the GRANT option
  Y      privilege held without the GRANT option

ALTERAUTH        The privilege to alter the named table.
DELETEAUTH       The privilege to delete rows from the named table.
INDEXAUTH        The privilege to create indexes for the named table.
INSERTAUTH       The privilege to insert rows into the named table.
SELECTAUTH       The privilege to select rows from the named table.
UPDATEAUTH       The privilege to update rows in the named table.

IBMREQD          An indicator specifying Y if the row was supplied by IBM, or N if it was not.
GRANTEELOCATION  The location name of GRANTEE.
LOCATION         The location name of the package (if the privilege was granted by a package).
COLLID           The package location (if the privilege was granted by a package).
CONTOKEN         The consistency token for the package (if the privilege was granted by a package).
CAPTUREAUTH      The capture privilege for the named table (same values as the privilege columns above).
SYSIBM.SYSTABLES Table

Contains information on every table known to the DB2 subsystem

Column Name Description

NAME The table name

CREATOR The owner of the table, view, or alias named in


NAME

TYPE 'A' if the row defines and alias, 'T' if the row defines
a table, or 'V' if the row defines a view

DBNAME The name of the database in which the table was


created; if the row does not define a table, the value is always DSNDB06

TSNAME The name of the tablespace in which the table was


created; if the row defines a view based on tables, the value is the name
of the tablespace for one of the tables. If the row defines a view based on
other views, the value is SYSVIEWS. If the row defines an alias, the
value is SYSDBAUT.

DBID The internal database identifier

OBID The internal object identifier assigned to this table


by DB2

COLCOUNT The number of columns defined for this table

EDPROC The name of the EDITPROC used by the table, if


any; always blank for aliases and views.

VALPROC The name of the VALIDPROC used by the table, if


any; always blank for aliases and views

CLUSTERTYPE Not currently used

CLUSTERRID Not currently used

CARD The number of rows contained in this table, or -1 for


views, aliases, or if RUNSTATS has not been run.

NPAGES The number of tablespace pages that contain rows


for this table, or -1 for views, aliases, or if RUNSTATS has not been run

PCTPAGES The percentage of tablespace pages that contain


rows for this table, or -1 for a view or alias, or if RUNSTATS has not run
IBMREQD An indicator specifying Y if the row was supplied
by IBM, or N if it was not. Additional values are used for the IBMREQD
column in this table indicating specific DB2 version / release
dependencies.

REMARKS The table comments as specified by the COMMENT


ON statement

PARENTS The number of referential constraints in which this


table is a dependent table, or 0 for views and aliases.

CHILDREN The number of referential constraints in which this


table is a parent table,
or 0 for views and aliases.

SYSIBM.SYSTABLES Table (Contd)

Column Name Description


KEYCOLUMNS   The number of columns in this table's primary key, or 0 for views and aliases

RECLENGTH   A value indicating the absolute maximum length for any row of this table

STATUS   An indicator representing the status of this table's primary key situation:
    I       Primary key incomplete because a unique index is not yet created for the key
    X       Unique index exists for this table's primary key
    blank   No primary key defined, or row defines a view or alias

KEYOBID   The internal object identifier assigned to this table's primary key by DB2

LABEL   A label as specified by the LABEL ON statement

CHECKFLAG   A blank if the table contains no rows that violate RI or if the row describes a view or alias. A C if the table contains rows that may violate RI.

CHECKRID   A blank if the table is not in check pending status, if the row describes a view or alias, or if the tablespace is partitioned. Otherwise, contains the RID of the first row that can contain a referential constraint violation, or the value X'00000000' to indicate that any row may be in violation.

AUDITING   An indicator specifying the auditing option for the named table:
    A       AUDIT ALL
    C       AUDIT CHANGE
    blank   AUDIT NONE, or row defines a view or alias

CREATEDBY   The primary authorisation ID of the individual who created this table

LOCATION   The location name for an alias defined for a remote table or view. Otherwise, this column is blank

TBCREATOR   For aliases, contains the owner of the table named in TBNAME

TBNAME   For aliases, contains the table name on which the alias is based

CREATEDTS   The date and time when the table, view, or alias was created

ALTEREDTS   For tables, ALTEREDTS indicates the date and time when the table was altered. If the table has not been altered, or the row defines a view or alias, this column equals the value of CREATEDTS

DATACAPTURE   Used for distributed data access

RBA1   Used for distributed data access

RBA2   Used for distributed data access

DEFERPREP   Y if the plan was bound specifying DEFER(PREPARE), or N if it was bound specifying NODEFER(PREPARE)

CURRENTSERVER   The location name of the current server

SYSENTRIES   The number of enabled / disabled entries for this plan (as recorded in SYSIBM.SYSPLSYSTEM)
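A consolidated check over the SYSTABLES columns described above, as an added example and not one of the audit programme's own queries: it lists base tables that have no audit trace enabled, that may hold rows violating referential integrity, or whose primary key is incomplete, together with who created them and when they were last altered. CREATOR, NAME and TYPE are standard SYSTABLES columns assumed here (TYPE = 'T' selects base tables and excludes views and aliases); the filter on CREATOR is a constructed exclusion of the catalog's own tables.

```sql
-- Added example: integrity and audit posture of base tables, from
-- SYSIBM.SYSTABLES. Column meanings follow the descriptions above:
--   AUDITING  blank = AUDIT NONE, 'A' = AUDIT ALL, 'C' = AUDIT CHANGE
--   CHECKFLAG 'C'   = table contains rows that may violate RI
--   STATUS    'I'   = primary key has no unique index yet
SELECT CREATOR,
       NAME,
       DBNAME,
       TSNAME,
       CASE AUDITING
            WHEN 'A' THEN 'AUDIT ALL'
            WHEN 'C' THEN 'AUDIT CHANGE'
            ELSE          'AUDIT NONE'
       END                       AS AUDIT_OPTION,
       CASE CHECKFLAG
            WHEN 'C' THEN 'ROWS MAY VIOLATE RI'
            ELSE          'OK'
       END                       AS RI_STATUS,
       CASE STATUS
            WHEN 'I' THEN 'PRIMARY KEY INCOMPLETE'
            WHEN 'X' THEN 'UNIQUE INDEX EXISTS'
            ELSE          'NO PRIMARY KEY'
       END                       AS PK_STATUS,
       CARD,                      -- -1 until RUNSTATS has been run
       CREATEDBY,
       ALTEREDTS
  FROM SYSIBM.SYSTABLES
 WHERE TYPE = 'T'                 -- base tables only (assumed column)
   AND CREATOR <> 'SYSIBM'        -- constructed: skip the catalog itself
   AND (AUDITING = ' ' OR CHECKFLAG = 'C' OR STATUS = 'I')
 ORDER BY CREATOR, NAME;
```

Tables holding data the audit cares about that come back with AUDIT NONE have no audit trace record of changes, so reconciling them against the application's own logging is the follow-up.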
SYSIBM.SYSUSERAUTH Table

Records the system privileges held by users.

Column Name Data Type Description

GRANTOR   CHAR(8)   Authorisation ID of the user who granted privileges.

GRANTEE   CHAR(8)   Authorisation ID of the user who holds the privileges, or the name of a plan that uses the privileges.

TIMESTAMP   CHAR(12)   Time at which the privileges were granted (internal timestamp format).

DATEGRANTED   CHAR(6)   Date the privileges were granted, in the form yymmdd.

TIMEGRANTED   CHAR(8)   Time the privileges were granted, in the form hhmmssth.

GRANTEETYPE   CHAR(1)   Meaning:
    blank   GRANTEE is an authorisation ID
    P       GRANTEE is an application plan

AUTHHOWGOT   CHAR(1)   Authorisation level of the user from whom the privileges were received:
    blank   not applicable
    C       DBCTL
    D       DBADM
    L       SYSCTRL
    M       DBMAINT
    S       SYSADM

ALTERBPAUTH   CHAR(1)   This column is not used.

BINDADDAUTH   CHAR(1)   Whether the GRANTEE can use the BIND command with the ADD option:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

BSDSAUTH   CHAR(1)   Whether the GRANTEE can issue the RECOVER BSDS command:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

CREATEDBAAUTH   CHAR(1)   Whether the GRANTEE can create databases and automatically receive DBADM authority over the new databases:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

CREATEDBCAUTH   CHAR(1)   Whether the GRANTEE can create new databases and automatically receive DBCTRL authority over the new databases:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

CREATESGAUTH   CHAR(1)   Whether the GRANTEE can create new storage groups:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

DISPLAYAUTH   CHAR(1)   Whether the GRANTEE can use the DISPLAY commands:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

RECOVERAUTH   CHAR(1)   Whether the GRANTEE can use the RECOVER INDOUBT command:
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

STOPALLAUTH   CHAR(1)   Whether the GRANTEE can use the -STOP DB2 command:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

STOSPACEAUTH   CHAR(1)   Whether the GRANTEE can use the STOSPACE utility:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

SYSADMAUTH   CHAR(1)   Whether the GRANTEE has system administration authority:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

SYSOPRAUTH   CHAR(1)   Whether the GRANTEE has system operator authority:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

TRACEAUTH   CHAR(1)   Whether the GRANTEE can issue the START TRACE and STOP TRACE commands:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

IBMREQD   CHAR(1)   Whether the row came from the basic machine-readable material (MRM) tape:
    N       no
    Y       yes

MON1AUTH   The privilege to read IFC serviceability data. The Instrumentation Facility allows traces to be placed on events in different classes, e.g. Accountability Trace, Audit Trace, Global Trace, Monitor Trace, Performance Trace, Statistics Trace. Each event is identified by an IFCID.
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

MON2AUTH   The privilege to read IFC data:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

CREATEALIASAUTH   The privilege to create aliases:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

SYSCTRLAUTH   SYSCTRL privilege:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

BINDAGENTAUTH   BINDAGENT privilege:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

ARCHIVEAUTH   The privilege to issue -ARCHIVE commands:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

CAPTURE1AUTH   CAPTURE1 privilege:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option

CAPTURE2AUTH   CAPTURE2 privilege:
    blank   privilege is not held
    G       privilege is held with the GRANT option
    Y       privilege is held without the GRANT option
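A privilege-holder listing built on the SYSUSERAUTH columns above, as an added example and not one of the audit programme's own queries: it reports every authorisation ID (GRANTEETYPE blank, so application plans are excluded) that holds a system-level privilege, shows the flag value for each privilege, and marks whether any of them was granted WITH GRANT OPTION ('G'), so that the GRANTEE values can be matched against the RACF user and group IDs identified earlier in the review.

```sql
-- Added example: system-privilege holders recorded in SYSIBM.SYSUSERAUTH.
-- Flag values follow the column descriptions above:
--   blank = not held, 'Y' = held, 'G' = held WITH GRANT OPTION.
-- GRANTEETYPE = ' ' keeps authorisation IDs only; plan grantees are 'P'.
SELECT GRANTEE,
       GRANTOR,
       AUTHHOWGOT,                        -- level of the ID that granted it
       DATEGRANTED,                       -- yymmdd
       CASE WHEN SYSADMAUTH    <> ' ' THEN SYSADMAUTH    ELSE '-' END AS SYSADM_PRIV,
       CASE WHEN SYSCTRLAUTH   <> ' ' THEN SYSCTRLAUTH   ELSE '-' END AS SYSCTRL_PRIV,
       CASE WHEN SYSOPRAUTH    <> ' ' THEN SYSOPRAUTH    ELSE '-' END AS SYSOPR_PRIV,
       CASE WHEN CREATEDBAAUTH <> ' ' THEN CREATEDBAAUTH ELSE '-' END AS CREATEDBA_PRIV,
       CASE WHEN BINDAGENTAUTH <> ' ' THEN BINDAGENTAUTH ELSE '-' END AS BINDAGENT_PRIV,
       CASE WHEN TRACEAUTH     <> ' ' THEN TRACEAUTH     ELSE '-' END AS TRACE_PRIV,
       CASE WHEN MON1AUTH      <> ' ' THEN MON1AUTH      ELSE '-' END AS MON1_PRIV,
       CASE WHEN MON2AUTH      <> ' ' THEN MON2AUTH      ELSE '-' END AS MON2_PRIV,
       -- a 'G' in any of these means the holder can pass the privilege on
       CASE WHEN SYSADMAUTH = 'G' OR SYSCTRLAUTH = 'G' OR SYSOPRAUTH = 'G'
              OR CREATEDBAAUTH = 'G' OR BINDAGENTAUTH = 'G' OR TRACEAUTH = 'G'
              OR MON1AUTH = 'G' OR MON2AUTH = 'G'
            THEN 'YES' ELSE 'NO' END                                   AS WITH_GRANT
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEETYPE = ' '
   AND (SYSADMAUTH <> ' ' OR SYSCTRLAUTH <> ' ' OR SYSOPRAUTH <> ' '
        OR CREATEDBAAUTH <> ' ' OR BINDAGENTAUTH <> ' ' OR TRACEAUTH <> ' '
        OR MON1AUTH <> ' ' OR MON2AUTH <> ' ')
 ORDER BY SYSADM_PRIV DESC, SYSCTRL_PRIV DESC, GRANTEE;
```

In a well-controlled subsystem the SYSADM and SYSCTRL rows should map to a short, documented list of DBA and started-task IDs; any other grantee, and any row with WITH_GRANT = 'YES' outside that list, is a finding to follow up with the DBAs.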
SYSIBM.SYSVIEWDEP Table

Contains a cross-reference of DB2 objects on which each view depends.

Column Name Description

BNAME   The table or view name on which the view named in DNAME is dependent

BCREATOR   The owner of the view or table named in BNAME

BTYPE   'T' if the object is a table, or 'V' if it is a view

DNAME   The view name

DCREATOR   The owner of the view named in DNAME

IBMREQD   An indicator specifying 'Y' if the row was supplied by IBM, or 'N' if it was not.
SYSIBM.SYSVIEWS Table

Contains information on all views that have been defined in this location.
This table resides in the DSNDB06 database in each location.

Column Name Description

NAME   Name of the view

CREATOR   Authid of the view's owner

SEQNO   Sequence number for views that have text descriptions spread over multiple rows.

CHECK   Indicates if CHECK option was specified when the view was created (y/n).

IBMREQD   DB2/mainframe-specific item

TEXT   Text from the CREATE VIEW statement
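A cross-owner view check that joins the two catalog tables just described, as an added example and not one of the audit programme's own queries: it lists views whose owner is not the owner of an underlying table or view, and returns the CREATE VIEW text in SEQNO order so the auditor can see exactly which columns and rows the view exposes. The constructed exclusion of SYSIBM-owned objects keeps the catalog's own views out of the result.

```sql
-- Added example: views defined over objects owned by a different
-- authorisation ID, from SYSIBM.SYSVIEWDEP joined to SYSIBM.SYSVIEWS.
-- Such views are the places where one owner's data becomes reachable
-- through another owner's object, so each one should be reviewed with
-- the GRANTs made on the view itself.
SELECT D.DCREATOR  AS VIEW_OWNER,
       D.DNAME     AS VIEW_NAME,
       D.BCREATOR  AS BASE_OWNER,
       D.BNAME     AS BASE_NAME,
       D.BTYPE,                        -- 'T' base table, 'V' another view
       V.SEQNO,                        -- ordering of multi-row view text
       V.TEXT                          -- fragment of the CREATE VIEW text
  FROM SYSIBM.SYSVIEWDEP D
       JOIN SYSIBM.SYSVIEWS V
         ON V.CREATOR = D.DCREATOR
        AND V.NAME    = D.DNAME
 WHERE D.DCREATOR <> D.BCREATOR
   AND D.BCREATOR <> 'SYSIBM'          -- constructed: skip catalog objects
   AND D.DCREATOR <> 'SYSIBM'
 ORDER BY D.DCREATOR, D.DNAME, D.BCREATOR, D.BNAME, V.SEQNO;
```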
