Managing program authorization

Program authorization lets you control whether a Db2 application program is authorized to use a plan.

Before you begin

Table SYSIBM.DSNPROGAUTH and index SYSIBM.DSNPROGAUTH_IDX1 must exist on your Db2 subsystem. They are created by installation job DSNTIJSG.

About this task

Program authorization is a useful technique when you do not know all of the programs and packages that might use a plan. Program authorization is performed in addition to package authorization.

Restriction:

Programs that run in the following environments do not support program authorization:

• RRSAF applications that issue CREATE THREAD with a collection name, and therefore use the default plan name ?RRSAF
• Multicontext ODBC applications, which use the RRSAF attachment facility and the plan name DSNACLI
• Programs that run in stored procedure address spaces

To enable program authorization:

1. Bind or rebind plans for which you want to enable program authorization with the PROGAUTH(ENABLE) option.
2. Add a row in the SYSIBM.DSNPROGAUTH table for each program and plan combination for which the plan is bound with PROGAUTH(ENABLE). The ENABLED column needs to have the value Y.

   The program name that you need to insert in the row depends on the attachment facility that the program uses to connect to Db2:

   • If the program uses the TSO attachment facility, the program name is the name that you specify in the DSN RUN subcommand.
   • If the program uses the IMS attachment, the program name is the name of the IMS transaction application program.
   • If the program uses any other attachment facility, the program name is the name of the module that is executed first under the job step TCB.

   Job DSNTIJSG contains a sample INSERT statement for a SYSIBM.DSNPROGAUTH row. You can modify the INSERT statement and execute it to add a row for a program and plan.