I've been researching DB2's authorization model at work lately, so I wanted to share some things I've been finding along the way.
Something I just noticed is that in 9.7, the SYSADM (system administrator) authority no longer gets an implicit DBADM (database administrator) authority as it did in 9.1 and 9.5! This means that the SYSADM will no longer have access to any data in the database (unless it is also the creator of the database, in which case DBADM is automatically granted).
What's more, the ability to grant/revoke DBADM and SECADM (security admin) no longer stays with SYSADM. This makes sense from the point of view of 'separation of duties'.
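To check how this looks on a given 9.7 database, the two queries below list who explicitly holds the database-level admin authorities and what one particular authorization ID actually ends up with. This is an added example, not part of the original post; `SYSCAT.DBAUTH` and `SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID` are DB2 catalog objects, while `DB2INST1` is a placeholder for the ID you want to check.

```sql
-- 1. Every user, group or role that has been granted DBADM or SECADM on the
--    connected database, together with who granted it.
--    DATAACCESSAUTH and ACCESSCTRLAUTH are shown too, because they govern
--    data access and grant/revoke rights alongside DBADM in 9.7.
SELECT GRANTEE,
       GRANTEETYPE,          -- U = user, G = group, R = role
       GRANTOR,
       DBADMAUTH,
       SECURITYADMAUTH,
       DATAACCESSAUTH,
       ACCESSCTRLAUTH
FROM   SYSCAT.DBAUTH
WHERE  DBADMAUTH = 'Y'
   OR  SECURITYADMAUTH = 'Y'
ORDER  BY GRANTEETYPE, GRANTEE;

-- 2. Authorities held by one authorization ID, directly or through a group,
--    PUBLIC or a role. Run it for an ID that is a member of the SYSADM group:
--    the DBADM row shows whether that ID really holds DBADM on this database.
--    'DB2INST1' is a placeholder; 'U' means the ID is a user.
SELECT AUTHORITY,
       D_USER,               -- granted directly to the user
       D_GROUP,              -- granted to a group the user belongs to
       D_PUBLIC,             -- granted to PUBLIC
       ROLE_USER,            -- via a role granted to the user
       ROLE_GROUP,           -- via a role granted to the user's group
       ROLE_PUBLIC           -- via a role granted to PUBLIC
FROM   TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID('DB2INST1', 'U')) AS T
WHERE  AUTHORITY IN ('SYSADM', 'DBADM', 'SECADM', 'DATAACCESS', 'ACCESSCTRL')
ORDER  BY AUTHORITY;
```

Both queries are read-only and need a connection to the database being checked.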