Checking authorization at a Db2 database server

A remote requester, either a Db2 for z/OS® server or other requesting system, runs a package at the Db2 intermediate server. Db2 checks for the privileges that are required for service requests.

About this task

Begin general-use programming interface information.As shown in the following diagram, a statement in the package uses an alias or a three-part name to request services from a Db2 database server.

Figure 1. Execution at a second Db2 server
Begin figure description. Execution at a second DB2 server. End figure description.

The ID that is checked for the required privileges to run at the Db2 database server can be:

  • The owner of the plan, if not a role, that is running at the requester site (if the requester is Db2 for z/OS)

    If the owner of the plan is a role and the application uses a package bound at a remote Db2 for z/OS server, the authorization ID at the Db2 for z/OS server must have the EXECUTE privilege on the package at the Db2 server. The authorization ID can be the package owner or the process runner that is determined by the DYNAMICRULES behavior.

  • The owner of the package that is running at the Db2 server

In addition, if a remote alias is used in the SQL statement, the alias must be defined at the requester site. The ID that is used depends on the following factors:

  • Whether the requester is a Db2 for z/OS server or a different system
  • The value of the DYNAMICRULES bind option
  • Whether the SQL statement that is executed at the Db2 database server is static or dynamic