7 replies Latest Post - ‏2013-02-26T16:13:35Z by efra9999
efra9999

Pinned topic Question on granting privileges on DB2 packages

‏2013-02-06T13:45:54Z |
I was confused a bit on when or if ever I need to grant privileges to a package.

I have a plan that I granted execute priv's to a certain auth id. I created a package in the PKLIST that the plan is bound to. I DIDN'T grant that same auth id execute priv's on the package and was able to successfully execute it.

When I look at the package in syspackauth, the grantor and grantee are the auth id that created the package. No entry for the auth id that was able to successfully execute it.

I don't understand why I wouldn't have to grant execute on the package to the id (other than the creator) for it to be able to use it.

Can someone confirm why? I'm guessing that granting execute to the plan may give any underlying package in that pklist the appropriate authority without having to grant it at the package level?

Thanks so much,
Ed
  • SystemAdmin

    Re: Question on granting privileges on DB2 packages

    ‏2013-02-21T08:14:03Z  in response to efra9999
    The userid BINDING the PLAN needs the auth on the PACKAGES to enable the bind to complete successfully.
    • efra9999

      Re: Question on granting privileges on DB2 packages

      ‏2013-02-21T13:02:38Z  in response to SystemAdmin
      I appreciate the reply, but my question was specific to granting EXECUTE priv's. I'm still unclear on whether that's needed at the package level if the userid that would execute the plan has authority on the plan.
      • SystemAdmin

        Re: Question on granting privileges on DB2 packages

        ‏2013-02-25T09:34:20Z  in response to efra9999
        The user BINDING the plan must have execute auth on the packages in the PKLIST for a successful BIND command.
        From the DB2 books it seems that the other use of the EXECUTE package auth is for remote. If the package is used by a remote request, the remote user needs EXECUTE privileges on the package. I have no experience on this issue.
        Tamar.
        • SystemAdmin

          Re: Question on granting privileges on DB2 packages

          ‏2013-02-25T09:37:27Z  in response to SystemAdmin
          Forgot to mention: the users that have EXECUTE auth on the PLAN do not need EXECUTE privilege on the packages used by the PLAN.
          Tamar.
          • efra9999

            Re: Question on granting privileges on DB2 packages

            ‏2013-02-25T15:42:38Z  in response to SystemAdmin
            Ah, thanks Tamar - the confirmation on the execute permissions at the package level is what I was looking for. I appreciate the response.
            • SystemAdmin

              Re: Question on granting privileges on DB2 packages

              ‏2013-02-26T15:40:35Z  in response to efra9999
              Besides remote connection access, one would need execute authority on a package that was created to serve a native SQL stored procedure.
              In order to execute such stored procedures, one needs execute auth on the package, as well as on the procedure.
              • efra9999

                Re: Question on granting privileges on DB2 packages

                ‏2013-02-26T16:13:35Z  in response to SystemAdmin
                Thanks for the info Momi. We do have some native SP's, but for those we are already dealing with packages that get created when the native SP gets created.

                The reason for my initial post is for the reason that we are finally converting our plans with dbrm's bound directly to them to pklist based plans and then creating packages for all of the dbrm's. I wanted to ensure that we would have no issues executing the packages and it sounds like we won't as the authorization is handled at the plan level which is already in place.

                I appreciate the additional info.
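
Added example, not part of the thread: a catalog query for the situation discussed above, where an auth ID holds EXECUTE on a plan and so reaches the packages in its PKLIST without having its own row in SYSPACKAUTH. It assumes the Db2 for z/OS catalog tables and SELECT access to them; `MYPLAN` is a placeholder plan name.

```sql
-- Added example (not from the thread). Assumes Db2 for z/OS catalog tables.
-- 'MYPLAN' is a placeholder: substitute the PKLIST-based plan being reviewed.
--
-- For every auth ID that holds EXECUTE on the plan, list each PKLIST entry
-- the plan is bound to and report whether that auth ID ALSO holds an
-- explicit EXECUTE grant on the package (or on the whole collection).
-- 'PLAN ONLY' rows are the case from the thread: no SYSPACKAUTH row for
-- the grantee, access comes from the plan-level grant.
SELECT DISTINCT
       pa.GRANTEE,
       pa.GRANTOR      AS PLAN_GRANTOR,
       pa.NAME         AS PLAN_NAME,
       pl.SEQNO,
       pl.COLLID,
       pl.NAME         AS PACKAGE_NAME,   -- '*' = every package in the collection
       CASE
         WHEN pk.GRANTEE IS NULL THEN 'PLAN ONLY'
         ELSE 'PLAN + PACKAGE'
       END             AS EXECUTE_PATH
  FROM SYSIBM.SYSPLANAUTH pa
  JOIN SYSIBM.SYSPACKLIST pl
    ON pl.PLANNAME = pa.NAME
  LEFT JOIN SYSIBM.SYSPACKAUTH pk
    ON pk.GRANTEE = pa.GRANTEE
   AND pk.COLLID  = pl.COLLID
   AND pk.NAME IN (pl.NAME, '*')          -- package grant or collection-wide grant
   AND pk.EXECUTEAUTH IN ('Y', 'G')       -- 'G' = held with the GRANT option
 WHERE pa.NAME = 'MYPLAN'
   AND pa.EXECUTEAUTH IN ('Y', 'G')
 ORDER BY GRANTEE, SEQNO;
```

A grantee of `PUBLIC` in the result means every auth ID can run the plan, and with it every package the PKLIST resolves to.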