This section examines the DB2 SET CURRENT SQLID command and the DB2 for VM CONNECT command. |
In this section: |
The DB2 RDBMS on MVS accepts two types of ID, the primary authorization ID and one or more optional secondary authorization IDs; it also recognizes the CURRENT SQLID setting.
Any interactive user or batch program that accesses a DB2 subsystem is identified by a primary authorization ID. A security system such as RACF® normally provides the ID to DB2. During the process of connecting to DB2, the primary authorization ID may be associated with one or more secondary authorization IDs (usually RACF groups). Each site controls whether it uses secondary authorization IDs. For more information about using the data adapter in conjunction with external security packages, see the MSO Installation and Technical Reference Guide.
The DB2 database administrator (DBA) may grant privileges to a secondary authorization ID that are not granted to the primary ID. Thus, secondary authorization IDs provide the means for granting the same privileges to a group of users. (The DBA associates individual primary IDs with a secondary ID and grants the privileges to the secondary ID.)
The DB2 CURRENT SQLID may be the primary authorization ID or any associated secondary authorization ID. At the beginning of the FOCUS session, the CURRENT SQLID is the primary authorization ID.
You can reset the CURRENT SQLID using the following data adapter command
SQL [DB2] SET CURRENT SQLID = 'sqlid'
where:
Unless you issue the SET OWNERID command described Environmental Commands, the CURRENT SQLID is the implicit owner for unqualified table names and the default owner ID for DB2 objects, such as tables or indices, created with dynamic SQL statements. (For example, the FOCUS CREATE FILE command issues dynamic SQL statements.) The CURRENT SQLID is also the sole authorization ID for GRANT and REVOKE statements. It must have all the privileges needed to create objects and must have GRANT and REVOKE privileges.
Other types of requests, such as FOCUS TABLE (SQL SELECT) and MODIFY (SQL SELECT, INSERT, UPDATE, or DELETE) requests, automatically search for the necessary authorization using the combined privileges of the primary authorization ID and all of its associated secondary authorization IDs, regardless of the DB2 CURRENT SQLID setting.
The CURRENT SQLID setting remains in effect until the communication thread to DB2 is disconnected, when it reverts to the primary authorization ID.
CONNECT authority controls access to the DB2 for VM RDBMS. FOCUS supports both implicit and explicit connection to DB2 for VM.
With the implicit method, your VM userid automatically connects to DB2 for VM when you access the data adapter. This method requires that the DB2 for VM database administrator (DBA) grant CONNECT privileges to either the VM userid or globally (to ALLUSERS). An implicit CONNECT is transparent; it requires no CONNECT command or password.
To CONNECT to DB2 for VM explicitly, issue the following command after entering FOCUS
SQL [SQLDS] CONNECT [ sqlid IDENTIFIED BY password ] [TO dbname]
where:
The CONNECT command allows you to assume the privileges of another DB2 for VM authorization ID. The DB2 for VM database administrator typically uses this technique to distribute privileges to a group of users. If the group connects as the same DB2 for VM authorization ID, the DBA only needs to grant privileges to the group authorization ID and not to the members of the group.
You can include the CONNECT command in a FOCEXEC, such as the PROFILE FOCEXEC, and you can encrypt the FOCEXEC to prevent unauthorized viewing of the DB2 for VM authorization ID and password.
Information Builders |