Comparing original authorization IDs with primary authorization IDs
This information explains the difference between the original authorization ID and the primary authorization ID, and which of the two to rely on when you need to attribute Db2 activity to a user.
Original authorization ID
During connection to Db2 (either by IDENTIFY or SIGNON), an initial authorization value is passed to the connection exit. This value becomes the original authorization ID.
For IDENTIFY:
- If RACF® is active, this value is the verified user ID.
- If RACF is not active, this value is blank.
For IMS SIGNON:
- If RACF is active, this value is the terminal user ID.
- If RACF is not active, this value is either the LTERM name or the PSB name.
For CICS® SIGNON:
- This value is determined by the user-defined CICS resource control table (RCT). The connection (authorization) exit can be either the IBM® supplied default or user-written, depending upon whether secondary authorization IDs are used.
Primary authorization ID
The primary authorization ID is the value that the connection exit hands back to Db2; it can be the original value unchanged or an ID the exit substitutes. Which value the exit sets depends on the following criteria:
- Whether it is an IDENTIFY or a SIGNON
- Whether RACF is active or inactive
- Whether the exit is IBM supplied or user-written
- Whether secondary IDs are being used
Default values can be any of the following:
- The TSO logon ID
- The value of the USER field on the JOB statement
- A default value specified when you install Db2
- The original (unaltered) value
Notes:
- The original authorization ID should be used when you attempt to establish accountability of Db2 activity, because the primary authorization ID can be an ID other than the user (a group name, for example).
- If your subsystem uses authorization ID translation for distributed activity, the AUTHID reported for DBATs is the translated value, not the ID the remote requester sent.
Comparing secondary IDs with SQL ID
Db2 uses two other types of authorization IDs:
- Secondary authorization IDs
- SQL ID
If secondary IDs are used, a user-written authorization exit is also required. A secondary list can contain from 1 to 245 secondary IDs. The exit builds this list when it establishes the primary authorization ID, and Db2 consults it whenever the SQL authorization ID is set or changed.
The primary ID and the SQL ID are both set during IDENTIFY or SIGNON. However, only the SQL ID can be changed after connection, by the SET CURRENT SQLID statement.
The SQL ID must be either the primary ID or one of the secondary IDs. It supplies the implicit qualifier for unqualified object names, becomes the owner of objects created without an explicit owner, and is the ID whose privileges are checked when GRANT or REVOKE is executed.
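The following Db2 for z/OS SQL is an added example, not part of the original page, showing how the SQL ID behaves after connection: it starts as the primary ID, can be switched only to a secondary ID, and then drives implicit qualification, ownership and GRANT checking. The authorization IDs USER01 (primary), DBAGRP and APPGRP (secondary IDs populated by the site's connection exit) and OTHERGRP (in neither list) are assumed for illustration, as is the table name AUDIT_EVENTS. The last SET fails with SQLCODE -553 unless the primary ID holds SYSADM authority, which is the one case in which CURRENT SQLID may be set to an arbitrary value.

```sql
-- Added example (not from the original page). Assumed IDs: primary ID USER01,
-- secondary IDs DBAGRP and APPGRP (from the connection exit), OTHERGRP in neither.

-- Immediately after IDENTIFY/SIGNON the SQL ID equals the primary ID.
SELECT CURRENT SQLID FROM SYSIBM.SYSDUMMY1;          -- USER01

-- Switch to a secondary ID. This is the only authorization ID that can be
-- changed after connection; the primary and original IDs are fixed.
SET CURRENT SQLID = 'DBAGRP';
SELECT CURRENT SQLID FROM SYSIBM.SYSDUMMY1;          -- DBAGRP

-- Unqualified names are now implicitly qualified with DBAGRP, and an object
-- created without an explicit owner is owned by DBAGRP, not by USER01.
CREATE TABLE AUDIT_EVENTS (
  EVENT_TS   TIMESTAMP NOT NULL,
  ORIG_AUTH  CHAR(8)   NOT NULL,   -- original authorization ID (use for accountability)
  PRIM_AUTH  CHAR(8)   NOT NULL,   -- primary authorization ID (may be a group name)
  SQL_ID     CHAR(8)   NOT NULL    -- CURRENT SQLID in effect when the event was recorded
);
-- Equivalent to CREATE TABLE DBAGRP.AUDIT_EVENTS (...). Confirm in the catalog:
SELECT CREATOR, OWNER FROM SYSIBM.SYSTABLES
 WHERE NAME = 'AUDIT_EVENTS';                         -- DBAGRP, DBAGRP

-- GRANT is checked against the privileges held by the SQL ID (DBAGRP),
-- not against USER01 or any other secondary ID in the list.
GRANT SELECT ON AUDIT_EVENTS TO APPGRP;

-- The SQL ID must be the primary ID or one of its secondary IDs.
-- OTHERGRP is neither, so this statement fails with SQLCODE -553
-- (AUTHORIZATION-ID SPECIFIED IS NOT ONE OF THE VALID AUTHORIZATION-IDS).
SET CURRENT SQLID = 'OTHERGRP';

-- Returning to the primary ID is always permitted.
SET CURRENT SQLID = 'USER01';
```

When you audit object creation or privilege changes, record all three IDs as the assumed table above does: the SQL ID explains why an object ended up owned by a group, while only the original authorization ID identifies the person behind the connection.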
For more detailed information about authorization IDs, see the IBM Knowledge Center.