Fixes are available
APAR status
Closed as program error.
Error description
In an LBAC security setup, when a user does not have the proper authority for an operation, the SQL20402N error is reported with the previous user ID rather than the actual user ID.

Here is a test case.

Setup:
user instuser: instance owner
user appuser: simple user
user secadm: setup as secadm

CREATE SECURITY LABEL COMPONENT TESTSECLEVEL ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'RESTRICTED', 'PUBLIC'];
CREATE SECURITY POLICY SECPOLICYTEST COMPONENTS TESTSECLEVEL WITH DB2LBACRULES;
CREATE SECURITY LABEL SECPOLICYTEST.PUBLIC COMPONENT TESTSECLEVEL 'PUBLIC';
GRANT SECURITY LABEL SECPOLICYTEST.PUBLIC TO USER appuser;
CREATE TABLE TEST.TMP_TABLE (COL1 varchar(20), COL2 varchar(20), COL_ROWSECLABEL DB2SECURITYLABEL) SECURITY POLICY SECPOLICYTEST;
GRANT ALL ON TEST.TMP_TABLE TO PUBLIC;

As appuser, the insert into the temp table worked:

appuser @ chiana : /home/appuser
$ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
DB20000I The SQL command completed successfully.

As the instance owner, insert a row and receive the error about not having authorization:

instuser @ chiana : /home/instuser
$ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned:
SQL20402N Authorization ID "INSTUSER" does not have the LBAC credentials to perform the "INSERT" operation on table "TEST.TMP_TABLE". SQLSTATE=42519

Then the same insert is tried as SECADM, but instead of reporting that SECADM does not have authorization, the error names the instance owner again:

secadm @ chiana : /home/secadm
$ db2 connect to P16506

   Database Connection Information

 Database server        = DB2/LINUX 9.1.5
 SQL authorization ID   = SECADM
 Local database alias   = P16506

secadm @ chiana : /home/secadm
$ db2 "INSERT INTO TEST.TMP_TABLE (col1, col2) VALUES ('33', '33')"
DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned:
SQL20402N Authorization ID "INSTUSER" does not have the LBAC credentials to perform the "INSERT" operation on table "TEST.TMP_TABLE". SQLSTATE=42519
Local fix
Problem summary
USERS AFFECTED: ALL
PROBLEM DESCRIPTION: SQL20402N error when using LBAC security.
RECOMMENDATION: Upgrade to DB2 Version 9.5 fix pack 6 or later.
Problem conclusion
First Fixed in DB2 Version 9.5 fix pack 6
Temporary fix
Comments
APAR Information
APAR number
JR34198
Reported component name
DB2 UDB ESE WIN
Reported component ID
5765F4101
Reported release
950
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-09-03
Closed date
2010-09-09
Last modified date
2010-09-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DB2 UDB ESE WIN
Fixed component ID
5765F4101
Applicable component levels
R950 PSY
UP
Document Information
Modified date:
09 September 2010