Authorization IDs
Every process that connects to or signs on to Db2 is represented by one or more Db2 short identifiers (IDs), which are called authorization IDs. Authorization IDs are assigned to a process by default procedures or by user-written exit routines.
When authorization IDs are assigned, every process receives exactly one ID that is called the primary authorization ID. All other IDs are secondary authorization IDs. Furthermore, one ID (either primary or secondary) is designated as the current SQL ID. You can change the value of the SQL ID during your session.
- Role: A role is available within a trusted context. You can define a role and assign it to authorization IDs in a trusted context. When associated with a role and using the trusted connection, an authorization ID inherits all the privileges that are granted to that role.
- Primary authorization ID: Generally, the primary authorization ID identifies a process. For example, in a process that is initiated through the TSO attachment facility, the primary authorization ID is identical to the TSO logon ID. As another example, statistics and performance trace records use a primary authorization ID to identify a process.
- Secondary authorization ID: A secondary authorization ID, which is optional, can hold additional privileges that are available to the process. For example, a secondary authorization ID can be a Resource Access Control Facility (RACF®) group ID.
- SQL ID: An SQL authorization ID (SQL ID) holds the privileges that are exercised when a process issues certain dynamic SQL statements. The SQL ID can be set equal to the primary ID or any of the secondary IDs. If an authorization ID of a process has the SYSADM authority and the SEPARATE SECURITY subsystem parameter is set to NO, the process can set its SQL ID to any authorization ID. If SEPARATE SECURITY is set to YES, a process with the SYSADM authority can set its SQL ID to one of the secondary IDs only. This rule applies even when SET CURRENT SQLID is a static statement. CURRENT SQLID cannot be set to a role.
- RACF ID: The RACF ID is generally the source of the primary and secondary authorization IDs (RACF groups). When you use the RACF Access Control Module or multilevel security, the RACF ID is used directly.
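The SQL ID rules described above, walked through as SQL statements. This is an added example, not part of the original documentation. The IDs PAYUSR1, PAYGRP, AUDITGRP and OTHERID and the table TIMESHEET are constructed for illustration.

```sql
-- Assumed (constructed) identities for this session:
--   primary authorization ID    : PAYUSR1
--   secondary authorization IDs : PAYGRP, AUDITGRP (for example, RACF groups)

-- 1. Inspect the current state. USER returns the primary authorization ID;
--    CURRENT SQLID returns the SQL ID.
SELECT USER AS PRIMARY_AUTHID, CURRENT SQLID AS SQL_ID
  FROM SYSIBM.SYSDUMMY1;

-- 2. Switch the SQL ID to a secondary ID. This is allowed for any process,
--    because PAYGRP is one of its own authorization IDs.
SET CURRENT SQLID = 'PAYGRP';

-- 3. Dynamic statements such as CREATE and GRANT now exercise the
--    privileges that PAYGRP holds, not those of PAYUSR1.
CREATE TABLE TIMESHEET
  (EMP_ID INTEGER NOT NULL,
   HOURS  DECIMAL(5,2));
GRANT SELECT ON TABLE TIMESHEET TO AUDITGRP;

-- 4. Return to the primary authorization ID.
SET CURRENT SQLID = USER;

-- 5. OTHERID is neither the primary ID nor a secondary ID of this process.
--    Per the rules above, this statement succeeds only if one of the
--    process's authorization IDs has SYSADM authority and the
--    SEPARATE SECURITY subsystem parameter is NO; otherwise it is rejected.
SET CURRENT SQLID = 'OTHERID';

-- 6. A role name is never a valid target, whatever authority is held:
--    CURRENT SQLID cannot be set to a role.

-- 7. Review which IDs have been granted SYSADM, and therefore could use
--    step 5 when SEPARATE SECURITY is NO. IDs with installation SYSADM
--    authority are defined in subsystem parameters and do not appear here.
SELECT GRANTEE, GRANTOR, SYSADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH <> ' '
 ORDER BY GRANTEE;
```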