When issuing a CREATE DATABASE request with ACF2/DB2 active, the secondary AUTHIDs are not used for validation.
Only PRIMARY or OWNER AUTHIDs are validated.
Release : 1.3
Component : CA ACF2 Option for Db2
The create database statement does not obtain authorization from secondary authids.
Per the IBM DB2 SQL reference guide, page 1380:
The CREATE DATABASE statement defines a Db2 database at the current server.
This statement can be embedded in an application program or issued interactively. It is an executable
statement that can be dynamically prepared only if DYNAMICRULES run behavior is implicitly or explicitly
The privilege set that is defined below must include at least one of the following:
• The CREATEDBA privilege
• The CREATEDBC privilege
• SYSADM or SYSCTRL authority
• System DBADM
• Installation SYSOPR authority (when the current SQLID of the process is set to SYSINSTL)
If the database is created as a workfile database, the privilege set that is defined below must include
Privilege set: If the statement is embedded in an application program, the privilege set is the privileges
that are held by the owner of the plan or package.
If the statement is dynamically prepared, the privilege set is the privileges that are held by the SQL
authorization ID of the process unless the process is within a trusted context and the ROLE AS OBJECT
OWNER clause is specified. In that case, the privilege set is the set of privileges that are held by the role
that is associated with the primary authorization ID of the process.
Note that the "privilege set" does not include any secondary authids. Only the primary authid or the owner is referenced.