We are running DB2 PE (AIX) 8.1.5 and have built a SQL stored proc that
uses the SNAPSHOT_APPL_INFO udf to return to the caller info about
current db2 connections.
The SP was created by a user id that belongs to the SYSADM_GROUP and
the SYSADM_GROUP. This user can run the SP and get results. When a
GRANT EXECUTE (by the definer/creator of the SP) is done to a user not
in these groups, that user gets what appears to be an authorization
error:
---------------------------------------------------------------
SQL0443N Routine "*PPL_INFO" (specific name "") has returned an error
SQLSTATE with diagnostic text "SQL1092 Reason code or token: SPPCH
". SQLSTATE=38553
----------------------------------------------------------------
In the doc, it states:
----------------------------------------------------------------
Authorization Considerations for Static SQL
To use static SQL, the user running the application only needs the
EXECUTE privilege on the package. No privileges are required for each
of the statements that make up the package. The EXECUTE privilege may
be granted to the user's authorization ID, to any group of which the
user is a member, or to PUBLIC.
-----------------------------------------------------------------
Does this have something to do with the DYNAMICRULES RUN vs
DYNAMICRULES BIND settings (the default is DYNAMICRULES RUN and I don't
know how to change it). Can anyone shed light on this? I admit security
is not one of my strengths in this environment, but I've read and tried
everything I can think of.
Pete H 5 1802
peteh wrote: We are running DB2 PE (AIX) 8.1.5 and have built a SQL stored proc that uses the SNAPSHOT_APPL_INFO udf to return to the caller info about current db2 connections.
The SP was created by a user id that belongs to the SYSADM_GROUP and the SYSADM_GROUP. This user can run the SP and get results. When a GRANT EXECUTE (by the definer/creator of the SP) is done to a user not in these groups, that user gets what appears to be an authorization error:
Prior to Fixpack 7, DB2 V8 has a registry variable DB2_SNAPSHOT_NOAUTH
which will allow non-SYSADM users to use the snapshot facility.
Fixpack 7 introduced a new group SYSMON_GROUP which replaces this
registry variable.
Thanks Ian;
I will give the DB2_SNAPSHOT_NOAUTH setting a try. However, if we want
to expose other administrative functions via SPs, I need to better
understand why this is necessary give the documentation references
above. Is t
For example if I (as SYSADM) write a C stored proc that uses the DB2
API function "sqlefrce" to "force" a specified AgentID, it seems that I
should be able to GRANT EXECUTE on this SP to a non-SYSADM/SYSCTRL
user? Is this not so, and if not, where in the doc can I go to get a
thorough understanding of how SP/routine security works? I have spent
most of this week looking at what Package Owners, Routine Definers, and
Routine Invokers can do. It seems pretty unambiguous in the Programming
Server Applications doc:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
The routine definer's role is to encapsulate under one authorization
ID, the privileges of running the packages associated with a routine
and the privilege of granting EXECUTE privilege on the routine to
PUBLIC or to specific users that need to invoke the routine. Note: For
SQL routines the routine definer is also implicitly the package owner.
Therefore the definer will have EXECUTE WITH GRANT OPTION on both the
routine and on the routine package upon execution of the CREATE
statement for the routine.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Do you see where my confusion lies? And thanks again for your prompt
response!
Pete H
peteh wrote: Thanks Ian; I will give the DB2_SNAPSHOT_NOAUTH setting a try. However, if we want to expose other administrative functions via SPs, I need to better understand why this is necessary give the documentation references above. Is t
For example if I (as SYSADM) write a C stored proc that uses the DB2 API function "sqlefrce" to "force" a specified AgentID, it seems that I should be able to GRANT EXECUTE on this SP to a non-SYSADM/SYSCTRL user? Is this not so, and if not, where in the doc can I go to get a thorough understanding of how SP/routine security works? I have spent most of this week looking at what Package Owners, Routine Definers, and Routine Invokers can do. It seems pretty unambiguous in the Programming Server Applications doc: ----------------------------------------------------------------------------------------------------------------------------------------------------------------- The routine definer's role is to encapsulate under one authorization ID, the privileges of running the packages associated with a routine and the privilege of granting EXECUTE privilege on the routine to PUBLIC or to specific users that need to invoke the routine. Note: For SQL routines the routine definer is also implicitly the package owner. Therefore the definer will have EXECUTE WITH GRANT OPTION on both the routine and on the routine package upon execution of the CREATE statement for the routine. -------------------------------------------------------------------------------------------------------------------------------------------------------------------
Do you see where my confusion lies? And thanks again for your prompt response!
Pete H
There is a bit of a clash between the SQL semantics and the APIs.
A lot of the APIs look at the current authid (you could say they behave
like dynamic SQL -ish).
As an SQL person I have of my optinions on whether this is right or not,
but it is the way it is ;-)
Cheers
Serge
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Hi Serge;
Based on the above, can answer 2 questions for me?
1) If I change the DYNAMICRULES bind option to RUN (from its default of
BIND), will I be able to create a C SP (as SYSADM)that calls the
sqlefrce API and grant execute to an authid that DOES NOT have SYSCTRL
or SYSADM auth?
2) How can I change this bind parameter? I am running DB2 PE 8.1.5
(AIX) and it looks like the SET_ROUTINE_OPTS() procedure and "db2set
DB2_SQLROUTINE_PREPOPTS" are not available until we upgrade to
Stinger...
Bottom line, can I do what I want to do at my current release level?
Thanks again for any help.
Pete H
peteh wrote: Hi Serge; Based on the above, can answer 2 questions for me? 1) If I change the DYNAMICRULES bind option to RUN (from its default of BIND), will I be able to create a C SP (as SYSADM)that calls the sqlefrce API and grant execute to an authid that DOES NOT have SYSCTRL or SYSADM auth?
Sorry... I'm shaky on the subject of DYNAMICRULES myself.
Maybe Andrew or Liu can comment?
2) How can I change this bind parameter? I am running DB2 PE 8.1.5 (AIX) and it looks like the SET_ROUTINE_OPTS() procedure and "db2set DB2_SQLROUTINE_PREPOPTS" are not available until we upgrade to Stinger...
DB2_SQLROYINE_PREPOPTS should be available since DB2 V7.1.
The difference between it and SET_ROUTINE_OPTS() is that the later does
not require a restart and is also session specific. Bottom line, can I do what I want to do at my current release level? Thanks again for any help.
There is good reason why SYSMON was invented. What about the db2set
variable referred to by others.
Cheers
Serge
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Johnson Ndiovu |
last post by:
This is a multi-part message in MIME format
--af4b847f-30bf-4b8d-acf1-2909de953a6e
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
DEAR FRIEND,
...
|
by: xunitinmullik |
last post by:
Hello ppl:
I am facing a problem that I ahve never experienced before with the
secured database. I created an MS Access 2000 application (.mdb) using
MS Access 2002 and secured it using exactly...
|
by: Richard Střen |
last post by:
Please help!
We suddenly started getting the following error message when we try to run
any asp.net web application on the web server :
Server Application Unavailable
The web application you...
|
by: |
last post by:
Hi all, I have a website running on beta 2.0 on server 2003 web sp1 and I
keep getting the following error:-
Error In:...
|
by: varkey.mathew |
last post by:
Dear all,
Bear with me, a poor newbie(atleast in AD)..
I have to authenticate a user ID and password for a user as a valid
Active Directory user or not. I have created the IsAuthenticated...
|
by: VB Programmer |
last post by:
I would appreciate your assistance on this ASP.NET 2.0 site....
This is the wierd problem: While accessing the built in .NET functions for
'profiling' or 'membership' an error is generated (see...
|
by: Bren |
last post by:
Hi All
My appologies for the URGENT shout but I need to get this sorted by 06:00
GMT otherwise I am going to have 150 screaming intranet users moaning at me.
Win 2k Server
ASP.NET 2
I have...
|
by: tjaink |
last post by:
Hi
I have a vc++ dll and its stored in Windows directory. I am using OS Windows 2003 server. And i am using ASP Legacy application migrated from NT to Windows 2003 server. Now there is no problem...
|
by: =?ISO-8859-1?B?RulybmFz?= |
last post by:
Hey all,
I have a URGENT problem and I hope someone could help me...
scenery:
I have a windows app, coded using C# (framework 1.1 - VS2003)... The
exe and dlls of the app is are stored in a...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |