
BIND SERVICE subcommand (DSN)

The BIND SERVICE (DSN) subcommand builds an application package that represents a Db2 REST service. Db2 records the description of the service in the catalog tables and saves the prepared package in the directory.

Environment

You can issue BIND SERVICE from a DSN session under TSO that runs in the foreground or background.

Data sharing scope: Group

Authorization

The package owner must have the required authorization, such as SYSADM or DATAACCESS authority, to execute the SQL statement embedded in a package and to build the package.

If BIND SERVICE is issued in a trusted context defined with the ROLE AS OBJECT OWNER clause, the package owner must be a role with the role ownership to execute the command. If the OWNER option of the command is specified, the owner is assumed to be a role. If the OWNER option is not specified, the role of the binder becomes the owner. If the trusted context is not defined with the ROLE AS OBJECT OWNER clause, the current rules for BIND ownership apply.

For VALIDATE(BIND), Db2 verifies the authorization at bind time. For VALIDATE(RUN), Db2 verifies the authorization initially at bind time, but if the authorization check fails, Db2 rechecks it at run time. The following table summarizes the authorization required for running BIND SERVICE, depending on the bind options that you specify and, in the case of the ACTION (ADD) option, the value of the BIND NEW PACKAGE field on installation panel DSNTIPP1:

Table 1. Required privileges for BIND SERVICE options
Bind option: ADD, using the default owner or primary authorization ID
Installation panel field BIND NEW PACKAGE (BINDNV subsystem parameter): BINDADD
Authorization required to run BIND PACKAGE:

The primary authorization ID or role must have one of the following to add a new package to a collection:

  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority

Bind option: ADD, using the default owner or primary authorization ID
Installation panel field BIND NEW PACKAGE (BINDNV subsystem parameter): BIND
Authorization required to run BIND PACKAGE:

The primary authorization ID or role must have one of the following to add a new package to a collection:

  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority
  • PACKADM authority on the collection or on all collections
  • The BIND package privilege

Bind option: ADD, specifying an OWNER other than the primary authorization ID (see note 1)
Installation panel field BIND NEW PACKAGE (BINDNV subsystem parameter): BINDADD
Authorization required to run BIND PACKAGE:

If any of the authorization IDs or roles of the process has SYSADM authority, SYSCTRL authority, or system DBADM authority, OWNER authorization-id can be any value, when subsystem parameter SEPARATE_SECURITY is set to NO. If any of the authorization IDs has the BINDAGENT privilege granted from the owner, authorization-id can specify the grantor as OWNER. Otherwise, the OWNER authorization-id must be one of the primary or secondary authorization IDs of the binder.

If you specify OWNER authorization-id, Db2 first checks the OWNER and then the binder for the necessary bind privilege.

If the binder does not have SYSADM, SYSCTRL, or system DBADM authority, the authorization ID or role of the OWNER must have one of the following to add a new package to a collection:

  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority

Bind option: ADD, specifying an OWNER other than the primary authorization ID (see note 1)
Installation panel field BIND NEW PACKAGE (BINDNV subsystem parameter): BIND
Authorization required to run BIND PACKAGE:

If any of the authorization IDs or roles of the process has SYSADM authority, SYSCTRL authority, or system DBADM authority, OWNER authorization-id can be any value, when subsystem parameter SEPARATE_SECURITY is set to NO. If any of the authorization IDs has the BINDAGENT privilege granted from the owner, authorization-id can specify the grantor as OWNER. Otherwise, the OWNER authorization-id must be one of the primary or secondary authorization IDs of the binder.

If you specify OWNER authorization-id, Db2 first checks the OWNER and then the binder for the necessary bind privilege.

If the binder does not have SYSADM, SYSCTRL, or system DBADM authority, the authorization ID or role of the OWNER must have one of the following to add a new package to a collection:

  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority
  • PACKADM authority on the collection or on all collections
  • The BIND package privilege

Note:
  1. If both the OWNER and the binder do not have the necessary bind privilege and the IFCID 140 trace is active, a trace record is written with details about the authorization failure.
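
The rules in Table 1 written as a pre-bind audit check. This is an added example, not IBM's code or part of the original page. The Holder class, the privilege strings and the function names are assumptions made for illustration; privileges are modeled as flags already scoped to the target collection, and SEPARATE_SECURITY set to YES is modeled only as "the administrative shortcut for OWNER does not apply".

```python
from dataclasses import dataclass, field

ADMIN = {"SYSADM", "SYSCTRL", "SYSTEM_DBADM"}  # authorities that pass every row

@dataclass
class Holder:
    """Constructed model of an authorization ID or role (not a Db2 structure)."""
    name: str
    auths: set = field(default_factory=set)           # e.g. {"BINDADD", "CREATE_IN"}
    secondary_ids: set = field(default_factory=set)   # binder's secondary auth IDs
    bindagent_from: set = field(default_factory=set)  # owners that granted BINDAGENT

def has_add_privilege(h, bindnv):
    """Table 1 privilege lists; PACKADM and CREATE_IN are taken as already
    scoped to the target collection (or all collections)."""
    if h.auths & ADMIN:
        return True
    if "BINDADD" in h.auths and h.auths & {"CREATE_IN", "PACKADM"}:
        return True
    # BINDNV=BIND also accepts PACKADM alone or the BIND package privilege.
    return bindnv == "BIND" and bool(h.auths & {"PACKADM", "BIND"})

def owner_value_allowed(binder, owner_name, separate_security):
    """Which OWNER values the binder may name at all."""
    if binder.auths & ADMIN and not separate_security:
        return True                                   # any value
    if owner_name in binder.bindagent_from:
        return True                                   # grantor of BINDAGENT
    return owner_name == binder.name or owner_name in binder.secondary_ids

def check_bind_add(binder, bindnv, owner=None, separate_security=False):
    """Return (allowed, reason) for BIND SERVICE with ACTION(ADD)."""
    if bindnv not in ("BINDADD", "BIND"):
        raise ValueError("bindnv must be BINDADD or BIND")
    if owner is None or owner.name == binder.name:
        ok = has_add_privilege(binder, bindnv)
        return ok, "binder holds a listed privilege" if ok else "binder lacks privilege"
    if not owner_value_allowed(binder, owner.name, separate_security):
        return False, "OWNER value not permitted for this binder"
    if binder.auths & ADMIN or has_add_privilege(owner, bindnv):
        return True, "OWNER accepted"
    return False, "OWNER lacks privilege"
```

Running the same binder through both BINDNV values shows how much wider the BIND setting is: an ID holding only the BIND package privilege or PACKADM can add packages under BIND but not under BINDADD.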

Syntax

Options are listed one per line; alternative values within parentheses are separated by |.

  BIND SERVICE(location-name.collection-id)     (see note 1)
    name-block
    DESCRIPTION(description-string)
    OWNER(authorization-id)
    QUALIFIER(qualifier-name)
    ACTION(ADD)
    CURRENTDATA(NO)
    DEFER(PREPARE) | NODEFER(PREPARE)
    DEGREE(1 | ANY)
    DESCSTAT(YES)
    ENCODING(UNICODE)
    SQLERROR(NOPACKAGE)
    EXPLAIN(NO | YES)
    GETACCELARCHIVE(NO | YES)
    IMMEDWRITE(NO | YES)
    ISOLATION(CS | RR | RS | UR | NC)
    REOPT(NONE | ALWAYS | ONCE | AUTO)     (see notes 2 and 3)
    OPTHINT('hint-id')
    ACCELERATOR('accelerator-name')
    ACCELERATIONWAITFORDATA('nnnn.m')
    PATH(schema-name | USER, ...)
    ROUNDING(CEILING | DOWN | FLOOR | HALFDOWN | HALFEVEN | HALFUP | UP)
    QUERYACCELERATION(NONE | ENABLE | ENABLEWITHFAILBACK | ELIGIBLE | ALL)
    RELEASE(COMMIT | DEALLOCATE)
    VALIDATE(RUN | BIND)
    CONCURRENTACCESSRESOLUTION(USECURRENTLYCOMMITTED | WAITFOROUTCOME)
    APREUSE(NONE | ERROR | WARN)
    APCOMPARE(NONE | WARN | ERROR)
    BUSTIMESENSITIVE(YES | NO)
    SYSTIMESENSITIVE(YES | NO)
    ARCHIVESENSITIVE(YES | NO)
    APPLCOMPAT(applcompat-level)

Notes:
  • 1 The location name can only be specified when the COPY option is specified.
  • 2 NOREOPT(VARS) can be specified as a synonym of REOPT(NONE).
  • 3 REOPT(VARS) can be specified as a synonym of REOPT(ALWAYS)

name-block

    NAME(service-name)
    VERSION(version-id)
    SQLDDNAME(ddname)
    SQLENCODING(EBCDIC | ASCII | UNICODE | ccsid)
    DATE(EUR | ISO | JIS | LOCAL | USA)
    TIME(EUR | ISO | JIS | LOCAL | USA)
    DEC(15 | 31)
    DECDEL(PERIOD | COMMA)
    STRDEL(APOSTROPHE | QUOTE)
    COPY(collection-id.service-name)
    COPYVER(version-id)
    OPTIONS(COMPOSITE | COMMAND)

Descriptions

location-name

The location of the DBMS where the Db2 REST service is bound and its description resides. The location name must be defined in the SYSIBM.LOCATIONS catalog table. If that table does not exist or if the DBMS is not in it, you receive an error message. See LOCATIONS catalog table.

The default is the local DBMS.

collection-id
Specifies the collection to contain the package for the REST service. There is no default.

collection-id can be an ordinary or a delimited identifier. The delimiter for collection-id is double quotation marks ("). If collection-id is delimited, Db2 does not convert the value to uppercase.

If the collection-id value for a REST service is a delimited identifier, it can contain these characters:

  • A–Z
  • a–z
  • 0–9
  • _ @ # $

For descriptions of the other options shown in the syntax diagram, see BIND and REBIND options for packages, plans, and services.

Usage notes

Trace information for data sharing members
When this command with group scope is issued in a Db2 data sharing member, it also runs on all other active members. IFCID 090 trace records for other group members can show that the same command was issued by the SYSOPR authorization ID from the 016.TLPKN5F correlation ID, in addition to the trace records from the member where the original command was issued. See Command scope in Db2 data sharing.