Privileges and authorization IDs for DB2 utilities
A utility job can be issued by an individual user, by a program that runs in batch mode, or by an IMS™ or CICS® transaction. The term process describes any of these initiators.
DB2® processes are represented by a set of identifiers (IDs), which are called authorization IDs. What the process can do with DB2 is determined by the privileges and authorities that are held by its identifiers.
- A primary authorization ID.
- Possibly one or more secondary IDs.
- A role, if the process is running in a trusted connection with an associated role.
For example, a process can have a secondary authorization ID that is a Resource Access Control Facility (RACF®) group ID. Suppose that RACF group holds the LOAD privilege on a particular database. Any member of the group can run the LOAD utility to load table spaces in the database.
The privileges that are required for each utility are listed in the documentation for the utility.
Required authorizations for invoking utilities on tables that have multilevel security with row-level granularity
If you use RACF access control with multilevel security, you need additional authorizations to run the following utilities on tables that have multilevel security with row-level granularity:
- LOAD
- UNLOAD
- REORG TABLESPACE
The authorization requirements are listed in the documentation for each of these utilities.
All other utilities, including all stand-alone utilities, ignore the row-level granularity. They check only for authorization to operate on the table space; they do not check row-level authorization.
DB2 online utilities in a trusted connection
- A matching trusted context is defined where the primary authorization ID matches the trusted context SYSTEM AUTHID.
- The job name matches the JOBNAME attribute that is defined for the identified trusted context.