PI90709: SECURITY VIOLATION/ADB5146E RUNNING ADBTEP2 WHEN LACKING ACCESS TO GLOBAL VARIABLES GET_ARCHIVE AND MOVE_TO_ARCHIVE

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• A user running batch program ADBTEP2 needs access to read and
  set global variables SYSIBMADM.GET_ARCHIVE and
  SYSIBMADM.MOVE_TO_ARCHIVE.  If the user running the job does
  not have access, a security violation may result, such as the
  following:
  ADB5146E Unexpected SQLCODE -551 in
  :SET SYSIBMADM.GET_ARCHIVE = 'N'
  This fix changes the SQL accessing these global variables from
  dynamic to static, so that only the package owner is required
  to have access to these variables.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of the DB2 Administration Tool         *
  *                 for z/OS or DB2 Object Comparison            *
  *                 Tool for z/OS.                               *
  ****************************************************************
  * PROBLEM DESCRIPTION: Running a WSL by a job submitter        *
  *                      who does not have read or write         *
  *                      privileges on built-in global variable  *
  *                      SYSIBMADM.GET_ARCHIVE or                *
  *                      SYSIBMADM.MOVE_TO_ARCHIVE               *
  *                      may result in an authorization          *
  *                      error.                                  *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  Using dynamic SQL, batch restart program, ADBTEP2 internally
  executes SELECT and SET statements on built-in global variables
  SYSIBMADM.GET_ARCHIVE and/or SYSIBMADM.MOVE_TO_ARCHIVE, in order
  retain the environmental condition for restarting a WSL.  If
  the job submitter lacks the privileges to execute these
  statements, an authorization error may result, as in the
  following example:
  
  ADB5146E Unexpected SQLCODE -551 in
  :SET SYSIBMADM.GET_ARCHIVE = 'N'
  
  With this fix, the execution of the statements is changed
  to use static SQL statements. As a result, the package
  owner's privileges will be used to execute the statements
  instead of using the privileges of the individual job submitter.
  

Problem conclusion

• Problem has been resolved.
  

Temporary fix

Comments

• ×**** PE18/02/01 PTF IN ERROR. SEE APAR PI93239  FOR DESCRIPTION
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI53337 UI53338

Modules/Macros

•    ADBTEPR  ADBTEP2
  

Fix information

• Fixed component name

  DB2 ADMIN TOOL

• Fixed component ID

  568851500

Applicable component levels

• RB20 PSY UI53337

     UP18/01/24 P F801

• RC10 PSY UI53338

     UP18/01/24 P F801

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.