When issuing DB2 operator commands from the z/OS console fail with DSN9016I 'xxxx xxx' COMMAND REJECTED, UNAUTHORIZED REQUEST, what causes this?
DSN9016I +DB2C '-DIS THD' COMMAND REJECTED, UNAUTHORIZED REQUEST
DSN9023I +DB2C DSN9SCND '-DIS THD' ABNORMAL COMPLETION
The most likely cause of the errors are a validation at the console for *BYPASS* to have the authority to issue the command. An ACF2 SECTRACE would show a VERIFY CREATE for userid *BYPASS*.
*BYPASS* is a standard z/OS default assigned when no other id (not even a batch default) is available to satisfy a signon request (a VERIFY call). In this case the VERIFY call is being made from DB2 in response to a DB2 console command. DB2 wants to make a check for SYSOPR against an id. Since no id is available, z/OS plugs in *BYPASS*.
One solution to the use of *BYPASS* would be to set LOGON(REQUIRED) in the CONSOLXX member of SYS1.PARMLIB and require that the consoles be signed on. In that way, there would always be a valid userid assigned to the console and that is the id that would be checked for SYSOPR authority.
Another solution to address the problem would be for sites to add a grant in DB2 for *BYPASS* with SYSOPR authority.
GRANT SYSOPR TO "*BYPASS*"
NOTE: The USERID requires double quotes around it in order to protect the asterisks