Security release incompatibilities

When you migrate to or apply maintenance in Db2 12, be aware of security release incompatibilities that might affect your Db2 environment.

The following incompatible changes apply at any Db2 12 function level, including when you first migrate to Db2 12. For incompatible changes that might impact your Db2 12 environment when you activate function levels 501 and higher, see Incompatible changes summary for function levels 501 and higher.

Change to RACF long object resource names

For UPDATE and REFERENCES operations on tables, table-qualifiers and table-names are each truncated at 100 characters. The column-name is truncated at 30 characters.

When you use long object names for UPDATE and REFERENCES operations, along with discrete RACF® profiles, truncation can cause unintended results. If truncation occurs, a single discrete profile might inadvertently protect multiple resources if the resources are similarly named, the first 100 characters of the schema names are identical, and the qualified object names, such as the table name, subsystem name, or privilege name, are also identical.

Actions to take

Review the RACF profiles for long table names for UPDATE and REFERENCES operations, and update those profiles, as needed.
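
The profile review described above can be scripted. The following is an added example, not IBM code: it applies the truncation limits from this section (100 characters for table-qualifier and table-name, 30 for column-name) to a list of name triples and reports groups of distinct names that become identical after truncation, so that a single discrete profile would cover all of them. The sample names are constructed, and the export of the triples from the catalog is assumed to be done separately.

```python
from collections import defaultdict

# Truncation limits stated in this section for UPDATE and REFERENCES resources.
QUALIFIER_MAX = 100
TABLE_MAX = 100
COLUMN_MAX = 30


def truncated_key(qualifier, table, column):
    """Return the three name parts as they remain after truncation."""
    return (qualifier[:QUALIFIER_MAX], table[:TABLE_MAX], column[:COLUMN_MAX])


def find_collisions(names):
    """Map each truncated key to the distinct original names that share it.

    Only keys reached by more than one distinct (qualifier, table, column)
    triple are returned; those are the profiles to review.
    """
    groups = defaultdict(set)
    for qualifier, table, column in names:
        groups[truncated_key(qualifier, table, column)].add((qualifier, table, column))
    return {key: sorted(members) for key, members in groups.items() if len(members) > 1}


# Constructed sample input: (table-qualifier, table-name, column-name).
SAMPLE = [
    ("S" * 100 + "_PAYROLL", "EMP", "SALARY"),  # qualifiers differ only
    ("S" * 100 + "_TEST", "EMP", "SALARY"),     # after character 100
    ("HR", "T" * 100 + "_2023", "GRADE"),       # table names differ only
    ("HR", "T" * 100 + "_2024", "GRADE"),       # after character 100
    ("HR", "EMP", "SALARY"),                    # short names, no truncation
]

if __name__ == "__main__":
    for key, members in find_collisions(SAMPLE).items():
        print("One truncated name covers %d objects:" % len(members))
        for qualifier, table, column in members:
            print("  %s.%s.%s" % (qualifier, table, column))
```

The slicing counts characters, as the limits are stated in this section; if your names contain multi-byte characters, confirm how the limit applies before relying on the result.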

Changes to the authorization check of the UNLOAD utility

After function level 500 or higher is activated, Db2 checks for the new UNLOAD privilege, instead of the SELECT privilege, when the UNLOAD utility is executed. As a result, UNLOAD jobs might fail due to authorization errors.

Db2 checks the new UNLOAD privilege for authorization of the UNLOAD utility. You must use a privilege set that includes one of the following to execute the UNLOAD utility:

  • Ownership of the tables
  • UNLOAD privilege on the tables
  • SELECT privilege on the tables (if the AUTH_COMPATIBILITY subsystem parameter is set to SELECT_FOR_UNLOAD)
  • DBADM authority for the database. If the object on which the utility operates is in an implicitly created database, DBADM authority on DSNDB04 or the implicitly created database is sufficient.
  • DATAACCESS authority
  • SYSADM authority
  • SYSCTRL authority (catalog tables only)
  • SQLADM authority (catalog tables only)
  • System DBADM authority (catalog tables only)
  • ACCESSCTRL authority (catalog tables only)
  • SECADM authority (catalog tables only)

When an UNLOAD job is run by a user with only the SELECT privilege on the target table, the UNLOAD job fails with message DSNU1253I.

Actions to take

Take any of the following actions:

  • Before migration to Db2 12, run job DSNTIJPM, and follow the steps in premigration report 19 to determine which authorization IDs might need the UNLOAD privilege.
  • In Db2 11 or Db2 12, start a trace for IFCID 404 to identify the users who need the UNLOAD privilege. Then, in Db2 12 at function level 100, grant the UNLOAD privilege to those users.
  • As a temporary solution, set the AUTH_COMPATIBILITY subsystem parameter to SELECT_FOR_UNLOAD so that the SELECT privilege continues to be checked when the UNLOAD utility runs. For more information, see AUTH_COMPATIBILITY in macro DSN6SPRM.