Performing tasks on objects for other users
If you have DBADM authority, you can assume the identity of other users within a trusted context and perform tasks on their behalf.
About this task
After you successfully assume the identity of a view owner, you inherit all the privileges from the ID that owns the view and can therefore perform the CREATE, DROP, and GRANT actions on the view.
Procedure
To perform tasks on behalf of another user:
- Define a trusted context. Make sure that the SYSTEM AUTH ID is the primary authorization ID that you use in SPUFI.
- Specify the primary authorization ID as the JOBNAME for the trusted connection.
- Specify the primary authorization ID of the user whose identity you want to assume.
- Log on to TSO with your primary authorization ID.
- Set the ASUSER option on the DB2I DEFAULTS panel to the primary authorization ID of the user whose identity you want to assume.
- Perform the actions that you want by using the privileges of the specified user.
Example
For example, assume that you have DBADM authority, your primary authorization ID is BOB, and you want to drop a view that is owned by user SALLY. You can issue the following statement to create and enable a trusted context called CTXLOCAL in which BOB can drop the selected view on SALLY's behalf:
CREATE TRUSTED CONTEXT CTXLOCAL
BASED UPON CONNECTION USING SYSTEM AUTHID BOB
ATTRIBUTES (JOBNAME 'BOB')
ENABLE
WITH USE FOR SALLY;

After logging on to TSO, you can set the ASUSER option to SALLY in the DB2I DEFAULTS panel and invoke SPUFI to process SQL statements. Db2 obtains the primary authorization ID BOB and JOBNAME BOB from the TSO logon session, authenticates BOB, searches for the matching trusted context (CTXLOCAL), and establishes a trusted connection. Db2 then authenticates the primary authorization ID SALLY and validates all privileges that are assigned to SALLY. After successful authentication and validation, you, BOB, can drop the view that is owned by SALLY.
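
Because a trusted context such as CTXLOCAL lets one ID act with another user's privileges, it is worth reviewing which contexts exist and whom they allow to be assumed. The following statements are an added example, not part of the original documentation. They assume the Db2 for z/OS catalog tables SYSIBM.SYSCONTEXT, SYSIBM.SYSCONTEXTAUTHIDS, and SYSIBM.SYSCTXTTRUSTATTRS with the column names shown (confirm them for your Db2 version), and the closing ALTER statement assumes that you want to withdraw the delegation after the task is complete.

```sql
-- Added example: review every trusted context that allows identity switching.
-- One row per (context, assumable user, JOBNAME attribute).
-- Catalog table and column names are assumed from the Db2 for z/OS catalog;
-- verify them against the catalog documentation for your release.
SELECT C.NAME          AS CONTEXT_NAME,
       C.SYSTEMAUTHID  AS SYSTEM_AUTHID,    -- ID that establishes the trusted connection
       C.ENABLED       AS CONTEXT_ENABLED,  -- 'Y' if the context can currently be used
       C.ALLOWPUBLIC   AS ALLOW_PUBLIC,     -- 'Y' means any user can be assumed
       A.AUTHID        AS ASSUMABLE_USER,   -- user named in WITH USE FOR
       A.AUTHENTICATE  AS AUTH_REQUIRED,    -- 'Y' if switching requires authentication
       T.VALUE         AS JOBNAME           -- JOBNAME attribute that gates the connection
  FROM SYSIBM.SYSCONTEXT C
  LEFT JOIN SYSIBM.SYSCONTEXTAUTHIDS A
         ON A.CONTEXTID = C.CONTEXTID
  LEFT JOIN SYSIBM.SYSCTXTTRUSTATTRS T
         ON T.CONTEXTID = C.CONTEXTID
        AND T.NAME = 'JOBNAME'
 ORDER BY C.NAME, A.AUTHID;

-- For the example on this page, the expected row is:
--   CTXLOCAL / BOB / Y / N / SALLY / <authentication setting> / BOB
-- Rows to look at closely in a review:
--   * ALLOW_PUBLIC = 'Y'  (the system authorization ID can assume any user)
--   * JOBNAME values that end in a wildcard and match more jobs than intended
--   * contexts that remain enabled after the one-off task they were created for

-- Once BOB has dropped the view, remove SALLY from the context so that the
-- delegation does not outlive the task (assumed cleanup step, not from the page).
ALTER TRUSTED CONTEXT CTXLOCAL
  DROP USE FOR SALLY;
```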