Fixes are available
APAR status
Closed as program error.
Error description
Steps to reproduce this issue: > db2 connect to sample user db2admin > db2 create table rvol.tab1 (id integer) in userspace1 > db2 "create procedure rvol.proc1() begin insert into rvol.tab1 values (1); end" > db2 create audit policy CHECKINGPOLICY categories checking status failure error type normal > db2 audit user test using policy CHECKINGPOLICY > db2 connect reset > db2 connect to sample user test > db2 select * from RVOL.tab1 SQL0551N The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation. Authorization ID: "TEST". Operation: "SELECT". Object: "RVOL.TAB1". SQLSTATE=42501 > db2 call rvol.proc1() SQL0551N The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation. Authorization ID: "TEST". Operation: "EXECUTE". Object: "RVOL.PROC1". SQLSTATE=42501 > db2 connect reset > db2audit archive database sample to C:\temp\auditarchive > db2audit extract file C\temp\audit\audit.out from files C\temp\auditarchive\* The audit.log does not show any entry for the second -551 error, the one on the stored procedure. We only get the info on the table : event status=-551; object type=TABLE; access approval reason=DENIED; ... If we drop/recreate the audit, this time with option "checking status both", we also get the info on the stored proc in the audit.out : ... event status=0; object type=STORED_PROCEDURE; access approval reason=DENIED; ... The "event status=0" is obvious and surely explains why we do not get the event in the audit.log when the status option is set to "failure". Doc says "CREATE AUDIT POLICY statement" https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ib m.db2.luw.sql.ref.doc/doc/r0050607.html CHECKING Generates records during authorization checking of attempts to access or manipulate database objects or functions. FAILURE Only failing events will be audited. So, this SQL0551N on the call "call rvol.proc1()" should be picked up by the audit.
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: * * ALL * **************************************************************** * PROBLEM DESCRIPTION: * * See Error Description * **************************************************************** * RECOMMENDATION: * * Upgrade to Db2 11.1 Mod 3 Fix Pack 3 or higher * ****************************************************************
Problem conclusion
First fixed in Db2 11.1 Mod 3 Fix Pack 3
Temporary fix
Comments
APAR Information
APAR number
IT22589
Reported component name
DB2 FOR LUW
Reported component ID
DB2FORLUW
Reported release
B10
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-09-29
Closed date
2018-03-19
Last modified date
2018-03-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DB2 FOR LUW
Fixed component ID
DB2FORLUW
Applicable component levels
RB10 PSN
UP
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Document Information
Modified date:
19 March 2018