Tech-tip: Security checks with DB2 v10 versus DB2 v9 when checking a column of a table.

Document created by Jacques_Hulak Employee on Sep 9, 2015
Version 1

Some sites are used to protecting individual columns of a table. With DB2 v10 and above, an additional check is made against the table that the column belongs to. In other words, when updating a table:

Under DB2 v9, there is a single check for UPDATE access to the column of a table.

Under DB2 v10, there is the same UPDATE check as before, followed by an additional SELECT check against the table, without the column name.


Additionally, there is an EXPLAIN check when there is a violation. That check occurs only from DB2 v10 onward, and only when a security violation happens.

It is intended to verify that the user is authorized to obtain the additional diagnostics provided by the DB2 EXPLAIN feature.

 

In other words, with DB2 v9, the only permit needed against a column of a table is something like:

TSS PER(#acid) DB2TABLE(Owner.table.column) ACCESS(UPDATE)

With DB2 v10 and above, an additional permit is needed:

TSS PER(#acid) DB2TABLE(Owner.table) ACCESS(SEL)
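To see which ACIDs still lack the table-level permit, the following added example (not the author's or the vendor's code) scans existing permits written in the form shown above and lists the missing ACCESS(SEL) permits. The ACID and table names are constructed, and it assumes the permits are available as text lines in this form; accepting ACCESS(SELECT) spelled out is also an assumption.

```python
import re

# Matches the permit form shown on this page:
#   TSS PER(acid) DB2TABLE(owner.table[.column]) ACCESS(level)
PERMIT_RE = re.compile(
    r"TSS\s+PER(?:MIT)?\(([^)]+)\)\s+DB2TABLE\(([^)]+)\)\s+ACCESS\(([^)]+)\)",
    re.IGNORECASE,
)

# Constructed sample input (hypothetical ACIDs and tables).
SAMPLE_PERMITS = [
    "TSS PER(USERA) DB2TABLE(PAYROLL.EMP.SALARY) ACCESS(UPDATE)",
    "TSS PER(USERA) DB2TABLE(PAYROLL.EMP.BONUS) ACCESS(UPDATE)",
    "TSS PER(USERB) DB2TABLE(PAYROLL.EMP.SALARY) ACCESS(UPDATE)",
    "TSS PER(USERB) DB2TABLE(PAYROLL.EMP) ACCESS(SEL)",
    "TSS PER(USERC) DB2TABLE(HR.DEPT) ACCESS(SEL)",
]


def missing_table_select_permits(permit_lines):
    """Return the table-level SEL permits that DB2 v10 checks for
    but that are absent from permit_lines, one per (ACID, table)."""
    column_updates = set()  # (acid, owner.table) holding a column-level UPDATE
    table_selects = set()   # (acid, owner.table) holding a table-level SEL
    for line in permit_lines:
        m = PERMIT_RE.search(line)
        if not m:
            continue  # not a DB2TABLE permit in the form shown on the page
        # Names are compared case-insensitively by folding to upper case.
        acid, resource, access = (g.strip().upper() for g in m.groups())
        parts = resource.split(".")
        levels = {a.strip() for a in access.split(",")}
        if len(parts) == 3 and "UPDATE" in levels:
            # owner.table.column -> remember the owning table
            column_updates.add((acid, ".".join(parts[:2])))
        elif len(parts) == 2 and levels & {"SEL", "SELECT"}:
            table_selects.add((acid, resource))
    return [
        f"TSS PER({acid}) DB2TABLE({table}) ACCESS(SEL)"
        for acid, table in sorted(column_updates - table_selects)
    ]


if __name__ == "__main__":
    for permit in missing_table_select_permits(SAMPLE_PERMITS):
        print(permit)
```

Review each emitted line before issuing it, since it is a table-level SELECT permit rather than a column-level one.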

 

In case of a violation, an EXPLAIN check is done. To be authorized to use this privilege, you must be permitted as follows:

TSS PER(#acid) DB2SYS(EXPLAIN)

or have one of the following privileges:

SQLADM

SYSDBADM
