Database owner

The term database owner refers to the current authorization identifier when the database is created, that is, the user creating the database. If you use NATIVE authentication, or if you manually enable or plan to enable SQL authorization, controlling the identity of the database owner becomes important.

When a database is created, the database owner of that database gets implicitly set to the authorization identifier used in the connect operation which creates the database, for example by supplying the URL attribute "user". Note that this applies even if authentication is not (yet) enabled. In SQL, the built-in functions USER and the equivalent CURRENT_USER return the current authorization identifier.

If the database is created without supplying a user (only possible if authentication is not enabled), the database owner gets set to the default authorization identifier, "APP", which is also the name of the default schema, see the section "SET SCHEMA statement" in the Derby Reference Manual.

The database owner has automatic SQL level permissions when SQL authorization is enabled, see more about this in User authorizations.

To further enhance security, when both authentication and SQL authorization are enabled for a database, Derby restricts some special powers to the database owner: only the database owner is allowed to shut down the database, to encrypt or reencrypt the database or to perform a full upgrade of it. These powers can not be delegated.

Attention: There is currently no way of changing the database owner once the database is created. This means that if you plan to run with SQL authorization enabled, you should make sure to create the database as the user you want to be the owner.
Related concepts
Authorization identifiers, user authentication, and user authorization
User names and schemas
Related reference
Exceptions when using authorization identifiers