ACF04056 resource violation for ACF2/DB2 CREATE DATABASE request - secondary AUTHIDs

Article ID: 200027

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

When issuing a CREATE DATABASE request with ACF2/DB2 active, the secondary AUTHIDs are not used for validation.
Only the PRIMARY or OWNER AUTHIDs are validated.

Environment

Release : 1.3

Component : CA ACF2 Option for Db2

Resolution

The CREATE DATABASE statement does not obtain authorization from secondary AUTHIDs.
Per the IBM DB2 SQL Reference guide, page 1380:

CREATE DATABASE
The CREATE DATABASE statement defines a Db2 database at the current server.
Invocation
This statement can be embedded in an application program or issued interactively. It is an executable
statement that can be dynamically prepared only if DYNAMICRULES run behavior is implicitly or explicitly
specified.
Authorization
The privilege set that is defined below must include at least one of the following:
• The CREATEDBA privilege
• The CREATEDBC privilege
• SYSADM or SYSCTRL authority
• System DBADM
• Installation SYSOPR authority (when the current SQLID of the process is set to SYSINSTL)
If the database is created as a workfile database, the privilege set that is defined below must include
SYSADM authority.
Privilege set: If the statement is embedded in an application program, the privilege set is the privileges
that are held by the owner of the plan or package.
If the statement is dynamically prepared, the privilege set is the privileges that are held by the SQL
authorization ID of the process unless the process is within a trusted context and the ROLE AS OBJECT
OWNER clause is specified. In that case, the privilege set is the set of privileges that are held by the role
that is associated with the primary authorization ID of the process.

Note that the "privilege set" does not include any secondary AUTHIDs. Only the primary AUTHID or the owner is referenced.
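
The privilege-set rule quoted above can be modeled as a small decision procedure that shows why a grant held only by a secondary AUTHID ends in a denial. This is an added example, not Broadcom or IBM code: the Request fields, the IDs USER01 and DBAGRP and the grants table are constructed for illustration, and the Installation SYSOPR case is left out.

```python
from dataclasses import dataclass, field
from typing import Optional

# Authorities from the quoted Authorization list (Installation SYSOPR omitted).
CREATE_DB_PRIVS = {"CREATEDBA", "CREATEDBC", "SYSADM", "SYSCTRL", "SYSTEM DBADM"}

@dataclass
class Request:
    primary: str                       # primary AUTHID of the process
    secondaries: list = field(default_factory=list)  # never part of the privilege set
    sql_authid: Optional[str] = None   # SQL authorization ID; assumed = primary if unset
    embedded: bool = False             # True: statement is bound in a plan or package
    owner: Optional[str] = None        # plan/package owner (embedded case only)
    role: Optional[str] = None         # trusted-context role, ROLE AS OBJECT OWNER
    workfile: bool = False             # database is created as a workfile database

def privilege_holder(req):
    """Return the single ID whose privileges form the privilege set."""
    if req.embedded:
        return req.owner
    if req.role is not None:
        return req.role
    return req.sql_authid or req.primary

def can_create_database(req, grants):
    held = set(grants.get(privilege_holder(req), ()))
    if req.workfile:
        return "SYSADM" in held        # workfile databases require SYSADM
    return bool(held & CREATE_DB_PRIVS)

def ignored_secondaries(req, grants):
    """On a denial, list secondary AUTHIDs that hold a qualifying privilege."""
    if can_create_database(req, grants):
        return []
    needed = {"SYSADM"} if req.workfile else CREATE_DB_PRIVS
    return [s for s in req.secondaries if set(grants.get(s, ())) & needed]

# Constructed sample: the privilege is granted to a group ID that the user
# holds only as a secondary AUTHID.
GRANTS = {"USER01": [], "DBAGRP": ["CREATEDBA"]}
REQ = Request(primary="USER01", secondaries=["DBAGRP"])

if __name__ == "__main__":
    print("allowed:", can_create_database(REQ, GRANTS))
    print("grant held only by secondary:", ignored_secondaries(REQ, GRANTS))
```

A non-empty result from ignored_secondaries matches the situation in this article: the access exists, but on an ID that CREATE DATABASE never consults.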