DYNAMICRULES(BIND) option authorization
The DYNAMICRULES(BIND) option provides the flexibility for you to specify the owner of a plan or a package that Db2 checks for the required authorization for dynamic SQL statements.
Because RACF® does not support secondary IDs, you can use Db2 roles to exploit this flexibility. To use Db2 roles with the DYNAMICRULES(BIND) option, the owner of the plan or package must be a Db2 role. Similarly, for the define and invoke behavior of the DYNAMICRULES BIND options, the definer or invoker must be a Db2 role. To make the owner of the plan, package, or stored procedure a Db2 role, create the plan, package, or stored procedure in a trusted context that is defined with the ROLE AS OBJECT OWNER AND QUALIFIER clause.
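The setup described above, sketched as an added example that is not taken from the Db2 documentation. The role, trusted context, authorization ID, job name, table, collection, and program names are all hypothetical, and the final query is an added review check against the catalog.

```sql
-- Added example; every object name below is hypothetical.

-- 1. Role that will own the package and hold the privileges that
--    Db2 checks for the package's dynamic SQL statements.
CREATE ROLE PAYROLL_BIND_OWNER;

-- 2. Local trusted context for the batch job that issues BIND.
--    WITH ROLE AS OBJECT OWNER AND QUALIFIER makes the role, rather than
--    the primary authorization ID, the owner of objects created in it.
CREATE TRUSTED CONTEXT CTX_PAYROLL_BIND
  BASED UPON CONNECTION USING SYSTEM AUTHID BINDADM
  ATTRIBUTES (JOBNAME 'PAYBIND')
  DEFAULT ROLE PAYROLL_BIND_OWNER
    WITH ROLE AS OBJECT OWNER AND QUALIFIER
  ENABLE;

-- 3. Grant the role only what the dynamic statements need.
--    (The role also needs the privileges required to bind the package;
--    those grants are not shown here.)
GRANT SELECT, UPDATE ON TABLE PAYROLL.EMP TO ROLE PAYROLL_BIND_OWNER;

-- 4. Job PAYBIND, running as BINDADM, binds the package inside the
--    trusted context. BIND is a DSN subcommand, so it appears as a comment:
--      BIND PACKAGE(PAYCOLL) MEMBER(PAYPGM1) DYNAMICRULES(BIND)

-- 5. Review check: packages bound with DYNAMICRULES(BIND) whose owner
--    is not a role. In SYSIBM.SYSPACKAGE, OWNERTYPE 'L' means the owner
--    is a role and DYNAMICRULES 'B' means BIND behavior.
SELECT COLLID, NAME, OWNER, OWNERTYPE, DYNAMICRULES
  FROM SYSIBM.SYSPACKAGE
 WHERE DYNAMICRULES = 'B'
   AND OWNERTYPE <> 'L'
 ORDER BY COLLID, NAME;
```

Any row returned by the last query is a package whose dynamic SQL is authorized against an authorization ID rather than a role.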
AUTHEXIT_CHECK subsystem parameter
An alternative to using Db2 roles is to set the AUTHEXIT_CHECK subsystem parameter to DB2. With that setting in effect, Db2 provides the ACEE of the package owner to perform authorization checking when processing the autobind, BIND, and REBIND commands. For dynamic SQL authorization checking, Db2 provides the ACEE of the authorization ID as determined by the DYNAMICRULES option. The access control authorization exit uses the ACEE for XAPLUCHK for authorization checking. The XAPLUCHK authorization ID can be a user or a group in RACF. To ensure successful authorization checks with the owner ACEE, the owner authorization ID in XAPLUCHK must be permitted access to the resources in RACF.