When issuing DB2 operator commands from the z/OS console fail with DSN9016I 'xxxx xxx' COMMAND REJECTED, UNAUTHORIZED REQUEST, what causes this?

For example:

DSN9016I +DB2C '-DIS THD' COMMAND REJECTED, UNAUTHORIZED REQUEST 
DSN9023I +DB2C DSN9SCND '-DIS THD' ABNORMAL COMPLETION 

The most likely cause of the errors are a validation at the console for  *BYPASS* to have the authority to issue the command. An ACF2 SECTRACE would show a VERIFY CREATE for userid *BYPASS*.

*BYPASS* is a standard z/OS default assigned when no other id (not even a  batch default) is available to satisfy a signon request (a VERIFY call). In this case the VERIFY call is being made from DB2 in response to a DB2 console  command. DB2 wants to make a check for SYSOPR against an id. Since no id is available, z/OS plugs in *BYPASS*. 

One solution to the use of *BYPASS* would be to set LOGON(REQUIRED) in the CONSOLXX member of SYS1.PARMLIB and require that the consoles be signed on. In that way, there would always be a valid userid assigned to the console and that is the id that would be checked for SYSOPR authority.                 

Another solution to address the problem would be for sites to add a grant in DB2 for *BYPASS* with SYSOPR authority.

GRANT SYSOPR TO "*BYPASS*"

NOTE:  The USERID requires double quotes around it in order to protect the asterisks