set current sqlid

[Danny Davis]

Can someone tell me how to allow a user (USER1) to be able to issue the command 'SET CURRENT SQLID = USER2'. Based on the manuals I haven't seen a clear cut way to assign USER1 the rights to become USER2. I'm getting a -533 sql return code when issuing the SET command. Can someone please help? TIA.

[Michael]

Danny Davis wrote:
>
> Can someone tell me how to allow a user (USER1) to be able to issue the command 'SET CURRENT SQLID = USER2'. Based on the manuals I haven't seen a clear cut way to assign USER1 the rights to become USER2. I'm getting a -533 sql return code when issuing the SET command. Can someone please help? TIA.

I think you mean -553, right?

[Bill Goss]

USER1 must either have USER2 as part of her secondary auth id list, or she
must be a SYSADM
___________________

Danny Davis wrote in message ...

[Terry....@zurich.com.au]

The USER2 value should be a valid RACF/ACF2 group that USER1 must
belong/connected with, otherwise you get -553.

Cheers,
Terry

[Danny Davis]

Thanks for the response. I am using RACF so I'm assuming I will only need to use the connect exit and not the signon exit. Do you know if anything needs to be put in SYSLUNAMES and SYSUSERNAMES? Right now I have one blank line in SYSLUNAMES to accept all incoming LU traffic.

>>> "Salvatore, Joe" <Salva...@mail.dnb.com> 04/16 7:52 AM >>>
If you are using RACF,

1.) Create a RACF group
2.) Connect the users that you want to do the similar functions to that
group.
3.) Grant the DB2 Permissions to the DB2 resources needed
4.) Set current sqlid to "racf group".
----------
From: Danny Davis
To: DB...@AMERICAN.EDU
Subject: set current sqlid
Date: Wednesday, April 15, 1998 11:05AM

[George Peters]

Have the RACF (or ACF2, etc.) people connect USER1 to the group USER2. (Or
GRANT SYSADM to USER1

George Peters

Principal Consultant
Strategic Database Systems, Inc.
***Design and Implementation of Relational Systems since 1985***
DB2/MVS, UDB, Oracle: VLDB and Data Warehousing specialists
IBM Certified Solutions Expert: DB2 UDB V5 Database Administration

Email: gpe...@idt.net <mailto:gpe...@idt.net>

> -----Original Message-----
> From: DB2 Data Base Discussion List [mailto:DB...@AMERICAN.EDU]On Behalf
> Of Danny Davis
> Sent: Wednesday, April 15, 1998 11:06 AM
> To: DB...@AMERICAN.EDU
> Subject: set current sqlid
>
>

[Greg DiGiorgio]

Danny,

>Can someone tell me how to allow a user (USER1) to be able to issue the command
>'SET CURRENT SQLID = USER2'. Based on the manuals I haven't seen a clear cut
>way to assign USER1 the rights to become USER2. I'm getting a -533 sql return
code
>when issuing the SET command. Can someone please help? TIA.

My response is based on DB2/MVS only...

The only ways USER1 can "become" USER2 are (1) if USER1 knows USER2's user-id
and password and has permission to logon as USER2 or (2) if USER1 is a SYSADM.

Otherwise, you will have to use RACF security groups. Members of the group use
the group name for the SQLID and create all the objects with the group name as
the creator. This is preferable to using regular user-IDs anyway.

DB2 allows the creator of an object to have rights to grant permission to other
to use the object. If you use regular user-IDs to create objects and that user
leaves the company, you've may have a little mess on your hands.

If possible, use RACF groups. If you don't have RACF or Top-Secret, then you are
out of luck (as far as I know) and you may have to resort to one of the two
options mentioned earlier.

Greg DiGiorgio
DB Analyst
City of Newport News
gdi...@ci.newport-news.va.us

[Doug Partch]

In order to do this you must first setup a RACF ID =USER2 then assign
all users (USER1) through RACF to USER2 RACF group. Then all auths will
then be granted to USER2. After this has been done the "Set Current
SQLID" will work.

> -----Original Message-----
> From: Danny Davis [SMTP:DTD...@PCMH.COM]
> Sent: Wednesday, April 15, 1998 10:06 AM
> To: DB...@AMERICAN.EDU
> Subject: set current sqlid
>

[Rue, Gary]

Danny, the SQL REFERENCE states that unless the primary ID or secondary
group ID of the user has SYSADM authority, then USER2 can only connected
to if it is one of the IDs of the application process. SYSADM can SET
CURRENT SQLID to any ID (except maybe the INSTALL SYSADM?!).

For example, If USER1 is in SMF or SPUFI, USER1 should be able to SET
CURRENT SQLID to any secondary authorization group or the primary ID
(USER1); however to SET CURRENT SQLID to another primary userid (USER2),
USER1 would need SYSADM authority on the primary ID or a secondary ID.

Later!

Gary Rue
Commonwealth of KY
Department of Information Systems
gr...@mail.state.ky.us

[David Seibert]

>> Based on the manuals I haven't seen a clear cut
>>way to assign USER1 the rights to become USER2.

In the RACF world, USER1 needs to be connected to RACF Group USER2.
I assume there's some comparable facility in ACF2/Top Secret or that folks using
those auth-schemes will reply there.

David Seibert
Compuware Corporation
Dave_S...@Compuware.com

[Venkat R. Pillay]

1. Only SYSADM can do SET CURRENT SQLID to any other user.
2. else you need either primary or secondary auth to do this.
3. I am not aware of any third possibility unless you have DB2 security
disabled.

Pillay
-------------
Original Text
From: "Danny Davis" <DTD...@PCMH.COM>, on 4/15/98 11:05 AM:

Can someone tell me how to allow a user (USER1) to be able to issue the

command 'SET CURRENT SQLID = USER2'. Based on the manuals I haven't seen a
clear cut way to assign USER1 the rights to become USER2. I'm getting a

[Richard Pack]

On DB2 for OS/390, you must be SYSADM to set your current SQLID to another RACF
userid. Using the SET command to set your primary id to a RACF group requires
several things. If you are wanting to set the your primary id to another
userid I believe you must be SYSADM to do that.

[Wayne Driscoll]

In order for USER1 (who does NOT have SYSADM authority) to issue
SET CURRENT SQLID = "USER2" ;
USER1 must have USER2 as a SECONDARY AUTHORIZATION ID. Secondary authids
are assigned at connect time (or sign on time for CICS and IMS) via
installation exits DSN3@AUTH for connect or DSN3@SGN for CICS and IMS
attaches. As shipped from IBM DSN3@AUTH uses the users list of connected
RACF groups to build the secondary authid list. I haven't looked at
DSN3@SGN much so I'm not sure how it builds this information.

Wayne Driscoll
Product Developer
Platinum Technology Inc.
dris...@platinum.com
NOTE: All opinions are strictly my own

[Truman G. Brown]

Check the security system requirements and explanations
in the DB2 Administration Guide, volume 1; it's all in there.

---------------------- Forwarded by TRUMAN G. BROWN/EMPL/MD/Bell-Atl on
04/16/98 09:30 AM ---------------------------

From: owner...@AMERICAN.EDU AT INTERNET on 04/16/98 03:41 AM

To: WILLIAM C. MOONEY, TRUMAN G. BROWN/EMPL/MD/Bell-Atl, STEVEN
MAZER/MD/NSI/Bell-Atl, MICHAEL C. MILLER AT BAPLAZ11@CCDOMAIN,
DEBAPRATIM MUKHERJEE/EMPL/VA/Bell-Atl, DAVID E E.
WILL/EMPL/MD/Bell-Atl, CAROL L. THOMAS/EMPL/VA/Bell-Atl,
DB...@AMERICAN.EDU AT INTERNET@CCDOMAIN
cc:
Subject: set current sqlid

Attachment file number 1, file name
Creation date: April 16, 1998 03:41:36
Document Type: ASCI, Document Class: MEMO
Author:
Comment: set current sqlid
Level: 1, Number : 1

Can someone tell me how to allow a user (USER1) to be able to issue the
command 'SET CURRENT SQLID = USER2'. Based on the manuals I haven't seen a
clear cut way to assign USER1 the rights to become USER2. I'm getting a
-533 sql return code when issuing the SET command. Can someone please
help? TIA.

----------------------------------------------------------------

[Paul Fegan]

Danny,
Secondary authid's don't work that way. You can't set your current sqlid to another user unless you are a sysadm. The way the DSN3@ATH exit works is to check the groups that you are connected to in RACF. i.e. can can set your current sqlid to any RACF group you are connected to. To enable people to set there sqlid to another user you would have to modify the DSN3@ATH exit and I don't recommend that you do that. It was done at one of the shops I have worked at and they are still using the DB2 2.1 auth exit because no one knows what the hell was done to it.

Paul

>>> Danny Davis <DTD...@PCMH.COM> 16/04/98 1:05:31 >>>

[Doug Partch]

This is not the case as long as the a primary id belongs to a secondary
id group. The primary id can be set to the secondary id without
needing sysadm authority.

Real life experience is always better than words in a book!

> -----Original Message-----
> From: Rue, Gary [SMTP:gr...@MAIL.STATE.KY.US]
> Sent: Thursday, April 16, 1998 5:13 PM
> To: DB...@AMERICAN.EDU
> Subject: Re: set current sqlid
>
> Danny, the SQL REFERENCE states that unless the primary ID or
> secondary
> group ID of the user has SYSADM authority, then USER2 can only
> connected
> to if it is one of the IDs of the application process. SYSADM can SET
> CURRENT SQLID to any ID (except maybe the INSTALL SYSADM?!).
>
> For example, If USER1 is in SMF or SPUFI, USER1 should be able to SET
> CURRENT SQLID to any secondary authorization group or the primary ID
> (USER1); however to SET CURRENT SQLID to another primary userid
> (USER2),
> USER1 would need SYSADM authority on the primary ID or a secondary ID.
>
> Later!
>
> Gary Rue
> Commonwealth of KY
> Department of Information Systems
> gr...@mail.state.ky.us
>
>

> -----Original Message-----
> From: Danny Davis [mailto:DTD...@PCMH.COM]
> Sent: Wednesday, April 15, 1998 11:06 AM
> To: DB...@AMERICAN.EDU
> Subject: set current sqlid
>