Users with DBADM and SECADM authority may ask why the provided permission script should be run when configuring the Foglight DB2 Agent, even though the user already has the highest database-level privileges.
Although DBADM and SECADM are powerful authorities in DB2, they don't automatically grant access to all of the system routines, views, or monitoring functions, especially those under the SYSPROC and SYSIBMADM schemas. Access to these objects is restricted by default, by design, to enforce object-level security and least-privilege access and to prevent unauthorized or unintended access, even by highly privileged users.
The permission script included with the DB2 Cartridge grants EXECUTE or SELECT privileges on various monitoring, diagnostic, and environment inspection routines that are required for the agent to function properly. Examples include:
Even with DBADM or SECADM, these functions are not accessible unless explicitly granted.
To ensure the DB2 agent functions as expected, users must run the permissions script, regardless of whether the user has DBADM or SECADM authority.
To run the permissions script outside of the UI:
1). Replace @quest_replace_user and @quest_replace_group in the script with the appropriate Db2 user and group.
2). Connect to the target database:
db2 connect to <your_database_name>
3). Execute the script:
db2 -tvf DB2_grant_Permissions_v10.sql
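Step 1 can be scripted so that the placeholder substitution is checked before anything is executed with DBADM or SECADM authority. The following is an added example, not code from Quest or from the cartridge. The helper names (valid_ident, prepare_grant_script, write_sample), the identifier allow-list and the sample GRANT lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Quest's code): fill in the two placeholders in a COPY of the
# permission script and refuse to continue on unsafe or incomplete input.
LC_ALL=C; export LC_ALL   # byte-wise character classes in the patterns below

# Conservative allow-list (an assumption, stricter than Db2 itself): a letter
# followed by letters, digits or underscores, at most 128 characters.
valid_ident() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 128 ]
}

# prepare_grant_script SRC USER GROUP OUT  (hypothetical helper name)
prepare_grant_script() {
    src=$1; user=$2; group=$3; out=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    valid_ident "$user"  || { echo "rejected user name" >&2; return 3; }
    valid_ident "$group" || { echo "rejected group name" >&2; return 3; }
    # Safe only because the names were validated: no sed or SQL metacharacters.
    sed -e "s/@quest_replace_user/$user/g" \
        -e "s/@quest_replace_group/$group/g" "$src" > "$out" || return 4
    # A placeholder that was not filled in must never reach db2.
    if grep -q '@quest_replace_' "$out"; then
        echo "unreplaced placeholder in $out" >&2; rm -f "$out"; return 5
    fi
    echo "review with: diff $src $out" >&2
    echo "then run:    db2 -tvf $out" >&2
}

# Constructed sample input; the object names are placeholders, not the
# contents of the real DB2_grant_Permissions_v10.sql.
write_sample() {
    cat > "$1" <<'EOF'
GRANT EXECUTE ON FUNCTION SYSPROC.EXAMPLE_ROUTINE TO USER @quest_replace_user;
GRANT SELECT ON SYSIBMADM.EXAMPLE_VIEW TO GROUP @quest_replace_group;
EOF
}
```

Source the file and call prepare_grant_script with the original script, the Db2 user, the Db2 group and an output path. The original script is left unmodified, so the diff shows exactly which grantees will receive privileges.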
This is a standard Db2 security model behavior and not a limitation of the Quest software.
Running the permission script ensures only the necessary privileges are granted, following best practices for secure monitoring.