DYNAMICRULES bind option

The DYNAMICRULES option determines the rules that apply at run time for certain dynamic SQL attributes.

DYNAMICRULES
  • (RUN)
  • ( BIND )
  • Start of change( DEFINEBIND ) End of change
  • Start of change( DEFINERUN ) End of change
  • Start of change( INVOKEBIND ) End of change
  • Start of change( INVOKERUN ) End of change
 On: BIND and REBIND PLAN and PACKAGE

Start of changeNot valid for REBIND of a native SQL procedure package.End of change
If DYNAMICRULES is specified for BIND PLAN, the DYNAMICRULES value has an effect only if any of the following conditions are true:
  • The MEMBER option is specified. In that case, the generated package inherits the DYNAMICRULES value from the BIND PLAN command. If DYNAMICRULES is specified for REBIND PLAN, the DYNAMICRULES value has no effect.
  • An existing package has no DYNAMICRULES value. If BIND PLAN with a DYNAMICRULES value is issued, and the package list includes a package without a DYNAMICRULES value, the package inherits the DYNAMICRULES value from the plan when the package runs.

If DYNAMICRULES is specified for REBIND PLAN, the DYNAMICRULES value has an effect only if an existing package has no DYNAMICRULES value. If REBIND PLAN with a DYNAMICRULES value is issued, and the package list includes the package without a DYNAMICRULES value, the package inherits the DYNAMICRULES value from the plan when the package runs.

The dynamic SQL attributes that DYNAMICRULES affects are:
  • The authorization ID that is used to check authorization
  • The qualifier that is used for unqualified objects
  • The source for application programming options that DB2® uses to parse and semantically verify dynamic SQL statements
  • Whether dynamic SQL statements can include GRANT, REVOKE, ALTER, CREATE, DROP, and RENAME statements
In addition to the DYNAMICRULES value, the run time environment of a package controls how dynamic SQL statements behave at run time. The two possible run time environments are:
  • The package runs as part of a stand-alone program
  • The package runs as a stored procedure or user-defined function package, or runs under a stored procedure or user-defined function
The combination of the DYNAMICRULES value and the run time environment determine the values for the dynamic SQL attributes. That set of attribute values is called the dynamic SQL statement behavior. The four behaviors are:
  • Run behavior
  • Bind behavior
  • Define behavior
  • Invoke behavior

The following DYNAMICRULES option descriptions include a description of the dynamic SQL statement behavior for each run time environment. This information is summarized in Table 1.

(RUN)
Processes dynamic SQL statements using the standard attribute values for dynamic SQL statements, which are collectively called run behavior:
  • DB2 uses the authorization ID of the application process and the SQL authorization ID (the value of the CURRENT SQLID special register) for authorization checking of dynamic SQL statements.
  • DB2 uses the value of the CURRENT SCHEMA special register as the default schema of table, view, index, and alias names.
  • Dynamic SQL statements use the values of application programming options that were specified during installation. The installation option USE FOR DYNAMICRULES has no effect.
  • GRANT, REVOKE, CREATE, ALTER, DROP, and RENAME statements can be executed dynamically.
( BIND )
Processes dynamic SQL statements using the following attribute values, which are collectively called bind behavior:
  • Start of changeDB2 uses the authorization ID of the package for authorization checking of dynamic SQL statements.End of change
  • Start of changeUnqualified table, view, index, and alias names in dynamic SQL statements are implicitly qualified with value of the bind option QUALIFIER; if you do not specify QUALIFIER, DB2 uses the authorization ID of the package owner as the default schema.End of change
  • The attribute values that are described in Common attribute values for bind, define, and invoke behaviors.
  • Start of change If you are running a trusted context with a role, or when the owner is a role, DB2 uses the authorization ID of the owner of the package for authorization checking of dynamic SQL statements. The same rules that are used to determine the authorization ID for static (embedded) statements are used for dynamic statements. DB2 uses the authorization ID of the owner of the package for authorization checking of dynamic SQL statements. The privilege set is the privileges that are held by the authorization ID of the owner of the package. The owner can also be a role. The identifier specified in the QUALIFIER option of the bind command that is used to bind the SQL statements is the implicit qualifier for all unqualified tables, views, aliases, indexes, and sequences. If this bind option was not used when the package was created or last rebound, the implicit qualifier is the authorization ID of the owner of the package. The owner can also be a role. End of change
( DEFINEBIND )
Processes dynamic SQL statements using one of two behaviors, define behavior or bind behavior.
When the package is run as or runs under a stored procedure or user-defined function package, DB2 processes dynamic SQL statements using define behavior, which consists of the following attribute values:
  • DB2 uses the authorization ID of the user-defined function or stored procedure owner for authorization checking of dynamic SQL statements in the application package.
  • The default qualifier for unqualified objects is the user-defined function or stored procedure owner.
  • The attribute values that are described in Common attribute values for bind, define, and invoke behaviors.
  • If you are running a trusted context with a role, or when the owner is a role, then define behavior applies only if the dynamic SQL statement is in a package that is run as a stored procedure or user-defined function (or runs under a stored procedure or user-defined function package), and the package is bound with DYNAMICRULES (DEFINEBIND). DB2 uses the authorization ID of the stored procedure or user-defined function owner for authorization checking of dynamic SQL statements in the application package. This can be a primary or secondary authorization ID or a role. In this case, the privilege set is the privileges that are held by the authorization ID of the stored procedure or user-defined function owner. This owner can be a primary or secondary authorization ID or a role. The authorization ID of the stored procedure or user-defined function owner is also the implicit qualifier for unqualified table, view, alias, index, and sequence names. The owner can also be a role.

When the package is run as a stand-alone program, DB2 processes dynamic SQL statements using bind behavior, which is described in BIND keyword.

( DEFINERUN )
Processes dynamic SQL statements using one of two behaviors, define behavior or run behavior.

When the package is run as or runs under a stored procedure or user-defined function package, dynamic SQL statements have define behavior, which is described in DEFINEBIND keyword.

When the package is run as a stand-alone program, DB2 processes dynamic SQL statements using run behavior, which is described in RUN keyword.

If you are running a trusted context with a role, or when the owner is a role, then define behavior applies only if the dynamic SQL statement is in a package that is run as a stored procedure or user-defined function (or runs under a stored procedure or user-defined function package), and the package is bound with DYNAMICRULES (DEFINERUN). DB2 uses the authorization ID of the stored procedure or user-defined function owner for authorization checking of dynamic SQL statements in the application package. This can be a primary or secondary authorization ID or a role. In this case, the privilege set is the privileges that are held by the authorization ID of the stored procedure or user-defined function owner. This owner can be a primary or secondary authorization ID or a role. The authorization ID of the stored procedure or user-defined function owner is also the implicit qualifier for unqualified table, view, alias, index, and sequence names. The owner can also be a role.

( INVOKEBIND )
Processes dynamic SQL statements using one of two behaviors, invoke behavior or bind behavior.
When the package is run as or runs under a stored procedure or user-defined function package, DB2 processes dynamic SQL statements using invoke behavior, which consists of the following attribute values:
  • DB2 uses the authorization ID of the user-defined function or stored procedure invoker for authorization checking of dynamic SQL statements in the application package.

    If the invoker is the primary authorization ID of the process or the CURRENT SQLID value, secondary authorization IDs are also checked if they are needed for the required authorization. Otherwise, only one ID, the ID of the invoker, is checked for the required authorization.

  • The default qualifier for unqualified objects is the user-defined function or stored procedure invoker.
  • The attribute values that are described in Common attribute values for bind, define, and invoke behaviors.
  • If you are running a trusted context with a role, or when the owner is a role, then invoke behavior applies only if the dynamic SQL statement is in a package that is run as a stored procedure or user-defined function (or runs under a stored procedure or user-defined function package), and the package was bound with DYNAMICRULES( INVOKEBIND). DB2 uses the authorization ID of the stored procedure or user-defined function invoker for authorization checking of dynamic SQL statements in the application package. The invoker can also be a role. The privilege set is the privileges that are held by the authorization ID of the stored procedure or user-defined function invoker. However, if the invoker is the primary authorization ID of the process or the CURRENT SQLID value, secondary authorization IDs are also checked along with the primary authorization ID's role. Therefore, the privilege set is the union of the set of privileges held by each authorization ID of the process and the primary authorization ID's role. The authorization ID of the stored procedure or user-defined function invoker is also the implicit qualifier for unqualified table, view, alias, index, and sequence names. The invoker can also be a role.

When the package is run as a stand-alone program, DB2 processes dynamic SQL statements using bind behavior, which is described in BIND keyword.

( INVOKERUN )
Processes dynamic SQL statements using one of two behaviors, invoke behavior or run behavior.

When the package is run as or runs under a stored procedure or user-defined function package, DB2 processes dynamic SQL statements using invoke behavior, which is described in INVOKEBIND keyword.

If you are running a trusted context with a role, or when the owner is a role, then invoke behavior applies only if the dynamic SQL statement is in a package that is run as a stored procedure or user-defined function (or runs under a stored procedure or user-defined function package), and the package was bound with DYNAMICRULES( INVOKERUN). DB2 uses the authorization ID of the stored procedure or user-defined function invoker for authorization checking of dynamic SQL statements in the application package. The invoker can also be a role. The privilege set is the privileges that are held by the authorization ID of the stored procedure or user-defined function invoker. However, if the invoker is the primary authorization ID of the process or the CURRENT SQLID value, secondary authorization IDs are also checked along with the primary authorization ID's role. Therefore, the privilege set is the union of the set of privileges held by each authorization ID of the process and the primary authorization ID's role. The authorization ID of the stored procedure or user-defined function invoker is also the implicit qualifier for unqualified table, view, alias, index, and sequence names. The invoker can also be a role.

When the package is run as a stand-alone program, DB2 processes dynamic SQL statements using run behavior, which is described in RUN keyword.

Start of changeCommon attribute values for bind, define, and invoke behavior: The following attribute values apply to dynamic SQL statements in packages that have bind, define, or invoke behavior:
  • You can execute the statement SET CURRENT SQLID in a package that is bound with any DYNAMICRULES value. However, DB2 does not use the value of CURRENT SQLID as the authorization ID for dynamic SQL statements.

    DB2 always uses the value of CURRENT SQLID as the qualifier for the EXPLAIN output and optimizer hints input PLAN_TABLE. (If the value of CURRENT SQLID has an alias on PLAN_TABLE and has the appropriate privileges, that PLAN_TABLE is populated.)

  • If the value of installation option USE FOR DYNAMICRULES is YES, DB2 uses the application programming default values that were specified during installation to parse and semantically verify dynamic SQL statements. If the value of USE for DYNAMICRULES is NO, DB2 uses the precompiler options to parse and semantically verify dynamic SQL statements.
  • GRANT, REVOKE, CREATE, ALTER, DROP, and RENAME statements cannot be executed dynamically.
End of change

Remote DB2 servers: For a package that uses DRDA access, DB2 sends the DYNAMICRULES option to the DB2 server at bind time.

The following table summarizes the dynamic SQL statement attribute values for each behavior.

Table 1. Definitions of dynamic SQL statement behaviors
Dynamic SQL attribute Value for bind behavior Value for run behavior Value for define behavior Value for invoke behavior
Authorization ID Package OWNER Current SQLID User-defined function or stored procedure owner Authorization ID of invoker
Default qualifier for unqualified objects Bind OWNER or QUALIFIER value Current SQLID User-defined function or stored procedure owner Authorization ID of invoker
CURRENT SQLID Initialized to primary authid. SET SQLID is allowed. Initialized to primary authid. SET SQLID is allowed. Initialized to primary authid. SET SQLID is allowed. Initialized to primary authid. SET SQLID is allowed.
Source for application programming options As determined by the application defaults parameter DYNRULS Application programming defaults installation panels As determined by the application defaults parameter DYNRULS As determined by the application defaults parameter DYNRULS
Can execute GRANT, REVOKE, CREATE, ALTER, DROP, RENAME? No Yes No No

Defaults:

Process Default value
BIND PLAN RUN
BIND PACKAGE blank, or RUN for packages that run on a remote DB2 for z/OS® server.1, 2
REBIND PLAN Existing value
REBIND PACKAGE Existing value
Note:
  1. When the package value is blank, the value that is used when the package is run is inherited from the plan value.
  2. The default for a package on a remote DB2 for z/OS server is RUN. The default is set by the server.

Catalog record: Column DYNAMICRULES of tables SYSPACKAGE and SYSPLAN.