Authorization behaviors for dynamic SQL statements

The two key factors that influence authorization behaviors are the DYNAMICRULES value and the run time environment of a package. The combination of the DYNAMICRULES value and the run time environment determine the values for the dynamic SQL attributes. Those attribute values are called the authorization behaviors.

Begin general-use programming interface information.

The DYNAMICRULES option on the BIND or REBIND command determines the values that apply at run time for the following dynamic SQL attributes:

The authorization ID or role that is used to check authorization
The qualifier that is used for unqualified objects
The source for application programming options that DB2® uses to parse and semantically verify dynamic SQL statements

The DYNAMICRULES option also determines whether dynamic SQL statements can include GRANT, REVOKE, ALTER, CREATE, DROP, and RENAME statements.

In addition to the DYNAMICRULES value, the run time environment of a package controls how dynamic SQL statements behave at run time. The two possible run time environments are:

The package runs as part of a stand-alone program.
The package runs as a stored procedure or user-defined function package, or runs under a stored procedure or user-defined function.
A package that runs under a stored procedure or user-defined function is a package whose associated program meets one of the following conditions:
- The program is called by a stored procedure or user-defined function.
- The program is in a series of nested calls that start with a stored procedure or user-defined function.

Run behavior
DB2 processes dynamic SQL statements by using their standard attribute. These attributes are collectively called the run behavior.
Bind behavior
DB2 uses the bind behavior to process dynamic SQL statements.
Define behavior
When the package is run as or under a stored procedure or a user-defined function package, DB2 processes dynamic SQL statements by using the define behavior.
Invoke behavior
When the package is run as, or runs under, a stored procedure or a user-defined function package, DB2 processes dynamic SQL statements by using the invoke behavior.
Common attribute values for bind, define, and invoke behaviors
Certain attribute values apply to dynamic SQL statements in plans or packages that specify the bind, define, or invoke behavior.
Determining authorization IDs for dynamic SQL statements in routines
You can determine the authorization IDs under which dynamic SQL statements in routines run based on various factors. These factors include the ownership of the stored procedure or the stored procedure package.
Simplifying access authorization for routines
You can simplify authorization for routines in several ways without violating any of the authorization standards at your installation.
Using composite privileges
SQL statements that name more than one object require privileges on all of the tables included in the statement.
Performing multiple actions in one statement
A REBIND or FREE subcommand can name more than one plan or package. If no owner is named, the set of privileges that is associated with the primary ID, the associated role, and the secondary IDs must include the BIND privilege for each object.

Parent topic: Managing implicit privileges through routines