IBM Support

IT35270: Authorization errors in accessing CGTTs after a transfer owner of a SQL routine.

 

APAR status

  • Closed as program error.

Error description

  • When ownership of a SQL procedure or function is transferred, the
    ownership of the underlying package is transferred as well. However,
    although the object ownership is correct in the catalogs, the old
    owner was incorrectly left in place in the package cache memory.
    If a user calls a transferred procedure that accesses a CGTT, an
    incremental bind occurs, i.e. the statement is compiled at
    runtime. Because the information in the cache is out of sync,
    Db2 checks the privileges on the CGTT for the OLD owner of the SP
    instead of the new owner. In such a case, unexpected
    authorization errors may occur.
    
    Here are the steps to reproduce the issue:
    1) UserA creates a CGTT
    2) UserB creates an SP that selects from the CGTT (UserB has the
    correct privileges on the CGTT)
    3) UserB grants execute on the SP to UserC
    4) UserC calls the SP without any error
    5) UserB transfers the ownership of the SP to UserA
    6) UserC calls the SP without any error
    7) Privileges on the CGTT are revoked from UserB
    8) UserC calls the SP and gets error -727, reason code
    "5 -551 42501 USERB|SELECT|MY.TEMP_TABLE"    # MY.TEMP_TABLE is the CGTT
    

Local fix

  • Rebind the package for the stored procedure, or reactivate the
    database.
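
    The reproduction steps and the rebind workaround above, written out as a Db2 CLP script. This is an added example, not part of the APAR text: the procedure name USERB.READ_TEMP, the table column, and the use of SYSPROC.REBIND_ROUTINE_PACKAGE to perform the rebind are assumptions, and an existing MY schema and user temporary table space are assumed.

```sql
-- Added illustration of the APAR's steps; names other than USERA, USERB, USERC
-- and MY.TEMP_TABLE are assumptions. Run with "@" as terminator: db2 -td@ -vf <file>
-- Each "-- as ..." comment names the connection that issues the statements below it.

-- as USERA (step 1): create the CGTT and grant the privilege step 2 relies on
CREATE GLOBAL TEMPORARY TABLE MY.TEMP_TABLE (ID INTEGER) ON COMMIT PRESERVE ROWS@
GRANT SELECT ON TABLE MY.TEMP_TABLE TO USER USERB@

-- as USERB (steps 2 and 3): SQL procedure that selects from the CGTT
CREATE PROCEDURE USERB.READ_TEMP (OUT ROW_COUNT INTEGER)
LANGUAGE SQL
BEGIN
  SELECT COUNT(*) INTO ROW_COUNT FROM MY.TEMP_TABLE;
END@
GRANT EXECUTE ON PROCEDURE USERB.READ_TEMP TO USER USERC@

-- as USERC (step 4): succeeds
CALL USERB.READ_TEMP(?)@

-- as USERB (step 5): the package owner is transferred together with the routine
TRANSFER OWNERSHIP OF PROCEDURE USERB.READ_TEMP TO USER USERA PRESERVE PRIVILEGES@

-- as USERC (step 6): still succeeds
CALL USERB.READ_TEMP(?)@

-- as USERA (step 7): the old owner loses access to the CGTT
REVOKE SELECT ON TABLE MY.TEMP_TABLE FROM USER USERB@

-- as USERC (step 8): on an affected level the APAR reports error -727 with
-- reason "5 -551 42501 USERB|SELECT|MY.TEMP_TABLE" (privilege check on the OLD owner)
CALL USERB.READ_TEMP(?)@

-- Check: the catalogs already show USERA as owner of both routine and package,
-- so the stale owner can only be coming from the package cache.
SELECT R.OWNER AS ROUTINE_OWNER, P.PKGSCHEMA, P.PKGNAME, P.OWNER AS PACKAGE_OWNER
FROM SYSCAT.ROUTINES R
JOIN SYSCAT.ROUTINEDEP D
  ON D.ROUTINESCHEMA = R.ROUTINESCHEMA AND D.SPECIFICNAME = R.SPECIFICNAME
JOIN SYSCAT.PACKAGES P
  ON P.PKGSCHEMA = D.BSCHEMA AND P.PKGNAME = D.BNAME
WHERE R.ROUTINESCHEMA = 'USERB' AND R.ROUTINENAME = 'READ_TEMP' AND D.BTYPE = 'K'@

-- Local fix: rebind the routine's package, then repeat the step 8 call
CALL SYSPROC.REBIND_ROUTINE_PACKAGE('P', 'USERB.READ_TEMP', 'ANY')@
CALL USERB.READ_TEMP(?)@
```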
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * all                                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * IT35270                                                      *
    ****************************************************************
    

Problem conclusion

  • IT35270
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT35270

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    B10

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-12-14

  • Closed date

    2022-04-16

  • Last modified date

    2022-04-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IT35294

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • RB10 PSN

       UP

Product: DB2 for Linux, UNIX and Windows; Version: 11.1; Platform: Platform Independent; Line of Business: Data and AI; Business Unit: IBM Infrastructure w/TPS

Document Information

Modified date:
03 May 2022