RC/Query using SYSADM when accessing remote objects via aliases.
search cancel

RC/Query using SYSADM when accessing remote objects via aliases.

book

Article ID: 45342

calendar_today

Updated On:

Products

RC/Query for DB2 for z/OS

Issue/Introduction

When using the Alias List Report (A-L) to access remote objects, RC/Query for Db2 for z/OS (RCQ) queries the remote subsystem using
the SYSADM ID defined to the local subsystem. This can result in security violation messages depending on how security has been set up.

For example, the following Top Secret messages may be issued.

TSS7250E drc J=jobname A=acid TYPE=DB2SYS RESOURCE=SYSADM
TSS7251E Access Denied to DB2SYS <SYSADM>

Cause

When generating the Alias List report for an alias of a remote object, RC/Query performs a second SQL query to determine if the base object exists on the remote subsystem.
This dynamic SQL requires SELECT authority on the remote Db2 catalog tables. Most of the products require access to the Db2 catalog tables.
Without SELECT authority on these tables, the products cannot retrieve the necessary Db2 data to confirm that the base object exists.

Resolution

SELECT privilege should be sufficient for this second query to the remote subsystem.
If any violations persist then execute an Error Log Report for the appropriate Security product. 
For example, for Top Secret, executing a TSS Listing will assist in identifying which top secret privileges the user has and which are missing.