When we try to enter an operator command to DB2 from a console we are getting DSN9016I - Not Authorized message. For example, STO DB2 results in DSN9016I -DAF0 '-STO' COMMAND REJECTED, UNAUTHORIZED REQUEST
Create a user id for *BYPASS* in DB2 and give it the SYSOPR privilege. *BYPASS* is a standard z/OS default assigned when no other id is available to satisfy a signon request (a VERIFY call). In this case the VERIFY call is being made from DB2 in response to a DB2 console command. DB2 wants to make a check for SYSOPR against an id. Since no id is available, z/OS plugs in *BYPASS*. This is not an ACF2 decision. In fact, ACF2 ignores signons for *BYPASS* and does not even require a lidrec for it.
An alternative to this use of *BYPASS* would be to set SIGNON(REQUIRED) in the CONSOLXX member of SYS1.PARMLIB and require that your consoles be signed on. In that way, there would always be a valid userid assigned to the console and that is the id that would be checked for SYSOPR authority.