Start of change



Authorization ID auth-id attempted to perform operation on object object-name without having been granted the proper authority to do so. This error might also occur if the object is a read-only view (for insert, delete, or update data change operation), or if auth-id is trying to create a table or view with an authorization ID other than its own.

You can create a table from an auth-id other than your own only if your authorization ID is SYSADM, DBADM, or DBCTRL. You can create a view from an auth-id other than your own only if your authorization ID is SYSADM.

If you are using a trusted context, the token auth-id might return a role instead of an authorization ID. A role is returned if a role was in effect and the authorization checking is performed against the role, rather than the authorization ID of the session, when the condition was encountered. Otherwise an authorization ID is returned. A role is returned in the following format as a single token:
  • ROLE: role-name

    If you use the RACF® access control module for authorization checking, auth-id might be different from the value that is reported in message ICH408I. The ID that is reported in message ICH408I is the user ID that RACF used to check the privilege.

In addition to the situations mentioned previously, this error can occur for the following situations:

  • When operation is GRANT ***, the keyword ALL was used in the GRANT statement, but the grantor auth-id does not have any privilege to grant.
  • When operation is GRANT (table or view privileges) and the specified privilege cannot be granted on a view or auxiliary table.
  • If operation is DROP PACKAGE, the object-name consists of the collection ID, the package name, and the consistency token. The consistency token uniquely identifies the version of the package that the user does not have authorization to drop.
  • If operation is USAGE OF DISTINCT TYPE or USAGE OF JAR, the object-name identifies, respectively, the DISTINCT TYPE or JAR for which the auth-id lacks USAGE privilege.
  • If operation is ALTER JAR, the auth-id lacks ALTERIN privilege on the schema of the JAR object-name.
  • If this error occurs while DB2® is creating or altering a table that involves referential constraints, this error message reports that the user does not have the necessary ALTER privilege to perform a FOREIGN KEY, DROP FOREIGN KEY, DROP PRIMARY KEY, or DROP UNIQUE operation. The object-name identifies the object table of the CREATE or ALTER TABLE statement, not the table for which the user lacks the ALTER privilege.
  • If this error occurs for a distributed SQL request, one of the following conditions can occur:
    • If authorization ID translation is in effect for either the requesting DB2 site or the serving (responding) DB2 site, then auth-id is the translated authorization ID. Refer to Part 3 (Volume 1) of the DB2 Administration Guide for information on authorization ID translation.
    • If an alias name was used in the SQL statement, the object-name is the resolved remote table name or view name.
  • If this error occurs during invocation of a routine, the authorization ID auth-id does not have the EXECUTE privilege on any candidate routine in the SQL path. The variable for object-name is the name of a candidate routine in the SQL path.
  • An object does not exist, and the CURRENT RULES special register is set to STD.
  • If the access control authorization exit routine is active and the authorization ID of the process does not have the necessary privileges, this error might occur for packages that are bound with the DYNAMICRULES(BIND) option when authorization caching, statement caching, or both are enabled.

System action

The statement cannot be processed.

Programmer response

To correct the error, verify the following situations:
  • The auth-id has the authority to perform the operation.
  • The object-name exists.
  • The auth-id is not trying to create a table with a schema qualifier that is not the same as auth-id.



End of change