How authorization IDs control data access
One of the ways that DB2® controls access to data is through the use of identifiers. A set of one or more DB2 identifiers, called authorization IDs, represents every process that connects to or signs on to DB2.
Authorization IDs come in three types:
- Primary authorization ID
- As a result of assigning authorization IDs, every process has exactly one ID, called the primary authorization ID. Generally, the primary authorization ID identifies a process. For example, statistics and performance trace records use a primary authorization ID to identify a process.
- Secondary authorization ID
- All other IDs are secondary authorization IDs. A secondary authorization ID, which is optional, can hold additional privileges that are available to the process. For example, you could use a secondary authorization ID for a z/OS® Security Server group.
- CURRENT SQLID
- One ID (either primary or secondary) is designated as the CURRENT
SQLID. The CURRENT SQLID holds the privileges that are exercised
when certain dynamic SQL statements run. You can set the CURRENT SQLID
to the primary ID or to any of the secondary IDs. If an authorization
ID of a process has system administration (SYSADM) authority, the
process can set its CURRENT SQLID to any authorization ID. You can
change the value of the CURRENT SQLID during your session. Example: If ALPHA is your primary authorization ID or one of your secondary authorization IDs, you can make it the CURRENT SQLID by issuing this SQL statement:
SET CURRENT SQLID = 'ALPHA';