IBM Support

IT22589: DB2AUDIT IS NOT REPORTING SQL0551N WHEN A USER WITH INSUFFICIENT AUTHORIZATION ATTEMPTS TO CALL A PROCEDURE

 

APAR status

  • Closed as program error.

Error description

  • Steps to reproduce this issue:
    
    > db2 connect to sample user db2admin
    > db2 create table rvol.tab1 (id integer) in userspace1
    > db2 "create procedure rvol.proc1() begin insert into rvol.tab1 values (1); end"
    
    
    > db2 create audit policy CHECKINGPOLICY categories checking status failure error type normal
    > db2 audit user test using policy CHECKINGPOLICY
    
    > db2 connect reset
    > db2 connect to sample user test
    
    
    > db2 select * from RVOL.tab1
    SQL0551N  The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation.
    Authorization ID: "TEST".  Operation: "SELECT". Object: "RVOL.TAB1".
    SQLSTATE=42501
    
    > db2 call rvol.proc1()
    SQL0551N  The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation.
    Authorization ID: "TEST".  Operation: "EXECUTE". Object: "RVOL.PROC1".
    SQLSTATE=42501
    
    > db2 connect reset
    
    
    
    > db2audit archive database sample to C:\temp\auditarchive
    
    > db2audit extract file C:\temp\audit\audit.out from files C:\temp\auditarchive\*
    
    
    The audit.log does not show any entry for the second -551 error, the one on the stored procedure.
    
    We only get the record for the table:
    event status=-551;
    object type=TABLE;
    access approval reason=DENIED;
    ...
    
    
    If we drop and recreate the audit policy, this time with the option "checking status both", we also get the record for the stored procedure in audit.out:
    ...
    event status=0;
    object type=STORED_PROCEDURE;
    access approval reason=DENIED;
    ...
    
    
    The "event status=0" stands out and explains why the event does not appear in the audit.log when the status option is set to "failure".
    
    The documentation for the "CREATE AUDIT POLICY statement" says:
    https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050607.html
    
    CHECKING
        Generates records during authorization checking of attempts to access or manipulate database objects or functions.
    
    FAILURE
        Only failing events will be audited.
    
    
    So the SQL0551N returned by "call rvol.proc1()" should be picked up by the audit.
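
One way to check an extract taken under "checking status both" for this symptom: the following added example (not IBM's code) parses records shaped like the excerpts above and lists those with access approval reason=DENIED but a non-negative event status, which a "status failure" policy would leave out. The timestamp field, the blank line between records and the sample values are assumptions made for the example.

```python
import re

# Constructed sample shaped like the audit.out excerpts above. The timestamp
# field, the blank line between records and the DBADM value are assumptions.
SAMPLE_AUDIT_OUT = """\
timestamp=2017-09-29-10.15.01.000001;
  event status=-551;
  object type=TABLE;
  access approval reason=DENIED;

timestamp=2017-09-29-10.15.07.000001;
  event status=0;
  object type=STORED_PROCEDURE;
  access approval reason=DENIED;

timestamp=2017-09-29-10.15.09.000001;
  event status=0;
  object type=TABLE;
  access approval reason=DBADM;
"""

def parse_records(text):
    """Split extract output into dicts, one per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().rstrip(";").partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def denied_but_status_ok(records):
    """DENIED checks with a non-negative event status: the records that a
    'status failure' policy leaves out, like the CALL in this APAR."""
    hits = []
    for rec in records:
        status = rec.get("event status", "")
        if rec.get("access approval reason") != "DENIED":
            continue
        if re.fullmatch(r"-?\d+", status) and int(status) >= 0:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in denied_but_status_ok(parse_records(SAMPLE_AUDIT_OUT)):
        print(rec.get("timestamp"), rec.get("object type"), "DENIED, status", rec["event status"])
```

Any record it lists on a system running with "status failure" would have gone unaudited, so the count is a quick measure of exposure before the fix pack is applied.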
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * ALL                                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to Db2 11.1 Mod 3 Fix Pack 3 or higher               *
    ****************************************************************
    

Problem conclusion

  • First fixed in Db2 11.1 Mod 3 Fix Pack 3
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT22589

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    B10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-09-29

  • Closed date

    2018-03-19

  • Last modified date

    2018-03-19

  • APAR is sysrouted FROM one or more of the following:

    IT21177

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • RB10 PSN UP


Document Information

Modified date:
19 March 2018