Establishing plan and package ownership in a trusted context
You can issue the BIND and REBIND commands in a trusted context with the ROLE AS OBJECT OWNER clause to specify the ownership of a plan or package. In this trusted context, you can specify only a role, not an authorization ID, as the OWNER of a plan or package.
If
you specify the OWNER option, the specified role becomes the owner
of the plan or package. If you don't specify the OWNER option, the
role that is associated with the binder becomes the owner. If the
ROLE AS OBJECT OWNER clause is omitted for the trusted context, the
current rules for plan and package ownership apply.
Considerations: If you want a role to own the package at the remote Db2, you need to define the role ownership in the trusted context at the remote server. Make sure to establish the connection to the remote Db2 as trusted when binding or re-binding the package at the remote server.
If you specify the OWNER option in a trusted connection during the remote BIND processing, the outbound authorization ID translation is not performed for the OWNER.
If the plan owner is a role and the
application uses a package bound at a remote Db2 for z/OS® server,
the privilege of the plan owner to execute the package is not considered
at the remote Db2 server. The
privilege set of the authorization ID (either the package owner or
the process runner determined by the DYNAMICRULES behavior) at the Db2 for z/OS server must have the EXECUTE privilege
on the package at the Db2 server.