About SYSADMIN Privilege
SYSADMIN privilege authorizes the holder to grant and revoke privileges on any resource within the domain. It also enables the holder to define resources and to delegate administration privileges.
In sum, the holder of SYSADMIN privilege can administer the security system.
Until you secure the SYSADMIN resource, any user can administer SYSADMIN privilege.
How to Secure SYSADMIN
To secure SYSADMIN internally, include an entry in the SRTT:
#SECRTT TYPE=ENTRY, X
RESTYPE=SYSA, X
SECBY=INTERNAL
To secure SYSADMIN externally, include an entry in the SRTT:
#SECRTT TYPE=ENTRY, X
RESTYPE=SYSA, X
SECBY=EXTERNAL, X
Additional parameters required
Note: For more information, see #SECRTT.
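The following check is an added example, not part of the original documentation or of CA's own tooling: it scans SRTT macro source and reports whether the SYSA entry described above is present and secured. The function names and the sample source are constructed for illustration, and the parser assumes the continuation marker appears as a trailing X, as in the listings on this page.

```python
import re

SECURED = {"INTERNAL", "EXTERNAL"}  # the two SECBY values shown on this page

def parse_secrtt(source):
    """Return one operand dict per #SECRTT statement, joining continued lines."""
    statements, current = [], None
    for raw in source.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("*"):  # blank line or comment
            continue
        # A lone trailing X marks continuation onto the next line (assumption).
        continued = len(tokens) > 1 and tokens[-1] == "X"
        if continued:
            tokens = tokens[:-1]
        if tokens[0].upper() == "#SECRTT":
            current = []
            statements.append(current)
            tokens = tokens[1:]
        if current is not None:
            current.extend(tokens)
            if not continued:
                current = None  # statement complete
    pairs = re.compile(r"(\w+)=([^,\s]+)")
    return [{k.upper(): v.upper() for k, v in pairs.findall(" ".join(s))}
            for s in statements]

def sysadmin_status(source):
    """Return (secured, reason) for the SYSA resource type in SRTT source."""
    for ops in parse_secrtt(source):
        if ops.get("TYPE") == "ENTRY" and ops.get("RESTYPE") == "SYSA":
            secby = ops.get("SECBY")
            if secby in SECURED:
                return True, f"SYSA secured, SECBY={secby}"
            return False, f"SYSA entry present but SECBY={secby}"
    return False, "no RESTYPE=SYSA entry: any user can administer SYSADMIN"

# Constructed samples, not taken from a real system.
SRTT_SECURED = """\
#SECRTT TYPE=ENTRY, X
 RESTYPE=SYSA, X
 SECBY=INTERNAL
"""
SRTT_COMMENTED_OUT = """\
*#SECRTT TYPE=ENTRY, X
* RESTYPE=SYSA, X
* SECBY=INTERNAL
"""

if __name__ == "__main__":
    for name, src in [("secured", SRTT_SECURED), ("commented out", SRTT_COMMENTED_OUT)]:
        print(name, "->", sysadmin_status(src))
```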
Restricting SYSADMIN
Since SYSADMIN is the master security definition privilege, it is very important to restrict the granting of SYSADMIN authority.
Consider assigning SYSADMIN to a group rather than an individual user so that security can be administered in a timely fashion should the primary administrator be unavailable.
Decentralizing Administration
The holder of SYSADMIN can decentralize security administration by granting to appropriate users:
You should carefully restrict grants of administration privileges. A user with administrative privilege can grant and revoke privileges on all resources within the scope of the administration privilege.
Granting Administration Privileges
You can give SYSADMIN, DCADMIN, and DBADMIN privileges to one or more users with a grant statement, as in this example of a statement that grants DBADMIN privilege on a specified database:
grant dbadmin on db testdb to devdba;
More Information
For more information about granting administration privileges, see the following sections:
Copyright © 2014 CA. All rights reserved.