Use SYSDBADM Without DATAACCESS Authority In Top Secret DB2

Article ID: 19828


Products

Top Secret, Top Secret - LDAP

Issue/Introduction

How do you provision SYSTEM DBADM access and give the user ID DATAACCESS by default? The DB2 manual documents an option to specify WITHOUT DATAACCESS.

Environment

Release: 1.3
Component: Top Secret-Security-Option for DB2

Resolution

Provisioning SYSTEM DBADM WITHOUT DATAACCESS requires a TSS PERMIT to the DBA for DB2SYS(SYSDBADM), which provides the desired DBA functions only. The absence of data access applies to any table other than catalog tables; catalog tables are defined as accessible by the SYSDBADM privilege.

Conversely, to allow data access to the DBA, you will need a TSS PERMIT to that user for DB2SYS(DATAACCESS) as well.

You can then also grant specific permissions to selected data, as with any user, by permitting access to the individual resources themselves (i.e. the tables).