Privileges and authorization IDs for DB2 commands

A command can be issued by an individual user, by a program that runs in batch mode, or by an IMS™ or CICS® transaction. The term process describes any of these initiators.

DB2® processes are represented by a set of identifiers (IDs), which are called authorization IDs. What the process can do with DB2 is determined by the privileges and authorities that are held by its identifiers.

If RACF® is active, IDs that issue commands from logged-on MVS™ consoles or from TSO SDSF must have appropriate RACF authorization for DB2 commands, or the primary authorization IDs must have DB2 authorization to issue commands.

DB2 commands that are issued from a logged-on z/OS® console or TSO SDSF can be checked by DB2 authorization using primary and secondary authorization IDs.

You can use DB2 authorization to check DB2 commands that are issued from a DSN session under TSO or DB2I by using primary authorization IDs, secondary authorization IDs, and role, if the commands are running in a trusted context with an associated role.

SQL IDs do not affect most DB2 and related commands.