IBM Support

JR34198: AN INCORRECT AUTHORIZATION ID WAS REPORTED IN SQLCODE -20402 WITH LBAC SECURITY ENABLED.

 

APAR status

  • Closed as program error.

Error description

  • In an LBAC security setup, when a user does not have the proper
    authority for an operation, the SQL20402N error is reported with
    the previous user ID rather than the actual user ID.
    
    Here is a test case.
    Setup:
    user instuser: instance owner
    user appuser: simple user
    user secadm: setup as secadm
    
    CREATE SECURITY LABEL COMPONENT TESTSECLEVEL ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'RESTRICTED', 'PUBLIC'];
    CREATE SECURITY POLICY SECPOLICYTEST COMPONENTS TESTSECLEVEL WITH DB2LBACRULES;
    CREATE SECURITY LABEL SECPOLICYTEST.PUBLIC COMPONENT TESTSECLEVEL 'PUBLIC';
    GRANT SECURITY LABEL SECPOLICYTEST.PUBLIC TO USER appuser;
    CREATE TABLE TEST.TMP_TABLE (COL1 varchar(20), COL2 varchar(20), COL_ROWSECLABEL DB2SECURITYLABEL) SECURITY POLICY SECPOLICYTEST;
    GRANT ALL ON TEST.TMP_TABLE TO PUBLIC;
    
    As appuser, the insert into TEST.TMP_TABLE works:
    appuser @ chiana : /home/appuser
    $ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
    DB20000I  The SQL command completed successfully.
    
    
    As the instance owner, insert a row and receive the error about
    not having authorization:
    
    instuser @ chiana : /home/instuser
    $ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
    DB21034E  The command was processed as an SQL statement because it was not a
    valid Command Line Processor command.  During SQL processing it returned:
    SQL20402N Authorization ID "INSTUSER" does not have the LBAC credentials to
    perform the "INSERT" operation on table "TEST.TMP_TABLE".
    SQLSTATE=42519
    
    
    The same insert is then tried as SECADM, but instead of reporting
    that SECADM lacks authorization, the error names the instance
    owner again:
    secadm @ chiana : /home/secadm
    $ db2 connect to P16506
    
       Database Connection Information
    
     Database server        = DB2/LINUX 9.1.5
     SQL authorization ID   = SECADM
     Local database alias   = P16506
    
    
    secadm @ chiana : /home/secadm
    $ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
    DB21034E  The command was processed as an SQL statement because it was not a
    valid Command Line Processor command.  During SQL processing it returned:
    SQL20402N Authorization ID "INSTUSER" does not have the LBAC credentials to
    perform the "INSERT" operation on table "TEST.TMP_TABLE".
    SQLSTATE=42519
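
When reviewing LBAC denials captured from an affected level, the ID inside SQL20402N cannot be taken at face value. The following added example (not IBM code; the function name and the transcript layout are assumptions) cross-checks each SQL20402N message in a saved CLP transcript against the authorization ID shown in the preceding CONNECT banner and returns the mismatches for manual review.

```python
import re

# Constructed sample: the secadm session from the test case, as wrapped CLP output.
SAMPLE = '''\
$ db2 connect to P16506
 Database server        = DB2/LINUX 9.1.5
 SQL authorization ID   = SECADM
 Local database alias   = P16506
$ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
SQL20402N Authorization ID "INSTUSER" does not have the LBAC
credentials to
perform the "INSERT" operation on table "TEST.TMP_TABLE".
SQLSTATE=42519
'''

# Either a CONNECT banner line or an SQL20402N denial (whitespace-normalized).
EVENT = re.compile(
    r'SQL authorization ID = (?P<session>\S+)'
    r'|SQL20402N Authorization ID "(?P<reported>[^"]+)" does not have the '
    r'LBAC credentials to perform the "(?P<op>[^"]+)" operation on table '
    r'"(?P<table>[^"]+)"'
)

def find_misattributed(transcript):
    """Return SQL20402N denials whose reported ID differs from the session ID."""
    text = " ".join(transcript.split())  # undo CLP line wrapping
    session, findings = None, []
    for m in EVENT.finditer(text):
        if m.group("session"):
            session = m.group("session").upper()
        elif session and m.group("reported").upper() != session:
            findings.append({
                "session_id": session,
                "reported_id": m.group("reported"),
                "operation": m.group("op"),
                "table": m.group("table"),
            })
    return findings

if __name__ == "__main__":
    for f in find_misattributed(SAMPLE):
        print("SQL20402N names {reported_id} but session is {session_id}: "
              "{operation} on {table}".format(**f))
```

Denials that appear before any CONNECT banner are skipped, because the session ID is unknown at that point.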
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * ALL                                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * SQL20402n error when using LBAC security.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to DB2 Version 9.5 fix pack 6 or later.              *
    ****************************************************************
    

Problem conclusion

  • First Fixed in DB2 Version 9.5 fix pack 6
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR34198

  • Reported component name

    DB2 UDB ESE WIN

  • Reported component ID

    5765F4101

  • Reported release

    950

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-09-03

  • Closed date

    2010-09-09

  • Last modified date

    2010-09-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC66032

Fix information

  • Fixed component name

    DB2 UDB ESE WIN

  • Fixed component ID

    5765F4101

Applicable component levels

  • R950 PSY

       UP


Document Information

Modified date:
09 September 2010