How secondary roles are used during the switching of users of trusted connections

You can define secondary roles in a trusted context definition. The secondary roles are used only for users that are switched in a trusted connection.

Db2 considers secondary roles in the following environments:

  • When Db2 native authorization is used, where they are checked in a way similar to secondary authorization checking.
  • During a search of the plan authorization cache, package authorization cache, routine authorization cache, or dynamic statement cache.
  • When the VERIFY_ROLE_FOR_USER built-in function is executed.

Users can be permitted access to multiple profiles in RACF or an equivalent z/OS® security product. To set up secondary roles, you perform the following actions in a CREATE TRUSTED CONTEXT or ALTER TRUSTED CONTEXT SQL statement, using the EXTERNAL SECURITY PROFILE clause:
  • Specify multiple security profiles to which users have access
  • Associate a different role with each of those security profiles

For example, suppose that user ADMF002 has been permitted access to PROFILE1 and PROFILE2 in RACF.

Now suppose that you execute the following CREATE TRUSTED CONTEXT statement:

CREATE TRUSTED CONTEXT CTX1
   BASED UPON CONNECTION USING SYSTEM AUTHID ADMF001
   NO DEFAULT ROLE
   ENABLE ATTRIBUTES (JOBNAME 'DB2PROD')
   WITH USE FOR
    EXTERNAL SECURITY PROFILE PROFILE1 ROLE SECROLE_1,
    EXTERNAL SECURITY PROFILE PROFILE2 ROLE SECROLE_2;

The statement specifies that a user with access to external security profile PROFILE1 is associated with role SECROLE_1, and a user with access to external security profile PROFILE2 is associated with role SECROLE_2.

After a trusted connection is established for system authorization ID ADMF001 and job name DB2PROD, a switch user request can be issued to use the trusted connection under authorization ID ADMF002. Because ADMF002 is permitted access to PROFILE1 and PROFILE2 in RACF, ADMF002 can receive additional privileges from roles SECROLE_1 and SECROLE_2, which are associated with those profiles.
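The following SQL is an added, end-to-end example and is not part of the IBM documentation. It creates the two roles, grants each role a deliberately narrow set of privileges, defines the trusted context from the example above, and then shows how a switched user can confirm which secondary roles Db2 has applied by calling VERIFY_ROLE_FOR_USER. The table SALES.ORDERS and the privileges granted to it are assumptions chosen for illustration; the trusted context, role, profile and authorization ID names are the ones used on this page.

```sql
-- Added example, not from the IBM documentation.
-- Assumptions: table SALES.ORDERS exists (placeholder name); ADMF002 is permitted
-- to RACF profiles PROFILE1 and PROFILE2 as described on the page.

-- 1. Create the roles that the external security profiles will map to.
CREATE ROLE SECROLE_1;
CREATE ROLE SECROLE_2;

-- 2. Grant each role only the privileges its profile is meant to carry,
--    so that a switched user gains no more than the profiles they hold justify.
GRANT SELECT ON SALES.ORDERS TO ROLE SECROLE_1;
GRANT INSERT, UPDATE ON SALES.ORDERS TO ROLE SECROLE_2;

-- 3. Map each RACF profile to its role in the trusted context (the statement
--    from the page). NO DEFAULT ROLE means a switched user who holds neither
--    profile receives no role-based privileges from this context.
CREATE TRUSTED CONTEXT CTX1
   BASED UPON CONNECTION USING SYSTEM AUTHID ADMF001
   NO DEFAULT ROLE
   ENABLE ATTRIBUTES (JOBNAME 'DB2PROD')
   WITH USE FOR
    EXTERNAL SECURITY PROFILE PROFILE1 ROLE SECROLE_1,
    EXTERNAL SECURITY PROFILE PROFILE2 ROLE SECROLE_2;

-- 4. Run from the session after the switch user request to ADMF002.
--    VERIFY_ROLE_FOR_USER returns 1 if any of the listed roles is associated
--    with the authorization ID, and 0 otherwise. Because secondary roles are
--    applied only to switched users, the same query issued under the
--    system authorization ID ADMF001 itself does not reflect these roles.
SELECT VERIFY_ROLE_FOR_USER(SESSION_USER, 'SECROLE_1') AS HAS_SECROLE_1,
       VERIFY_ROLE_FOR_USER(SESSION_USER, 'SECROLE_2') AS HAS_SECROLE_2
  FROM SYSIBM.SYSDUMMY1;

-- 5. A single check covering both roles: 1 if ADMF002 holds either profile.
SELECT VERIFY_ROLE_FOR_USER(SESSION_USER, 'SECROLE_1', 'SECROLE_2') AS HAS_ANY_SECROLE
  FROM SYSIBM.SYSDUMMY1;
```

When reviewing a trusted context, compare the output of step 4 for each switched user against the RACF profile permissions you expect that user to hold; a role reported as present for a user who should not be permitted to the corresponding profile points at an over-broad RACF permission rather than a Db2 grant, since the role mapping itself is fixed by the trusted context definition.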