The term Database Owner refers to the current authorization identifier when the database is created, that is, the user creating the database. If you use NATIVE authentication, or if you manually enable or plan to enable SQL authorization, controlling the identity of the Database Owner becomes important.
When a database is created, the Database Owner of that database is implicitly set to the authorization identifier used in the connect operation that creates the database, for example, by supplying the URL attribute "user". Note that this applies even if authentication is not (yet) enabled. In SQL, the built-in functions USER and the equivalent CURRENT_USER return the current authorization identifier.
If the database is created without supplying a user (this is possible only if authentication is not enabled), the Database Owner is set to the default authorization identifier, "APP", which is also the name of the default schema. See "SET SCHEMA statement" in the Derby Reference Manual for details.
The Database Owner has automatic SQL level permissions when SQL authorization is enabled. For more information, see Configuring fine-grained user authorization.
To further enhance security, when both authentication and SQL authorization are enabled for a database, Derby restricts some special powers to the Database Owner: only the Database Owner is allowed to shut down the database, to encrypt or reencrypt the database, or to perform a full upgrade of the database. These powers cannot be delegated.