DB2 71 on NT Authorization Problem

Dimitris Margaritis

DB2 71 on NT Authorization Problem
Hi all,
I have just installed DB2 v 7.1 on my NT workstation using a local account1
from Administration Group. When I log on using another account2 on another
domain I have no the authorization to backup the sample database.
How can I give to account2 the SYSADM role?
Thanks



Shauna Hadden

Re: DB2 71 on NT Authorization Problem
(in response to Dimitris Margaritis)
I can only speak for the AIX world, but I am sure the NT one is similar. Go
into the Command Line Processor and do a get dbm cfg. What does it show
listed under SYSDBA, SYSCTRL and SYSMAINT groups? Is your second userid
defined to any of these groups? Each group has a different set of
roles/responsibilities.



Sibimon Philip

Authorization problem
(in response to Shauna Hadden)
To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi



Linda Billings

Re: Authorization problem
(in response to Sibimon Philip)
This is just a shot in the dark but are there any changes required for the
APPLID in VTAM with the merge to one LPAR? I know an APPLID has to be
defined for the DDF address space. Perhaps it is getting hosed there.

Just a thought,

Linda Billings
Enterprise Systems Programmer
Info-Tech Services
Department of Administration
State of Wisconsin

"The problem is not that there are problems. The problem is expecting
otherwise and thinking that having problems is a problem." - Theodore
Rubin


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 8:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi








Eric Pearson

Re: Authorization problem
(in response to Scott Trometer)
Did two RACF databases get replaced by one? This could be an issue if you
are
using the sample exit to exploit secondary authorization id processing.

Can you do three-part-name access via an ID which is defined as a SYSADM on
the destination system? If not, look for connection (TCP/IP ip address, VTAM
APPLID)
issues.

Are there any unusal messages coming from the DDF address spaces?

Can you do the SQL CONNECT TO statement? If not, a DDF connection problem is
strongly
indicated.



eric pearson
ITO DB2 support
[login to unmask email]


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 9:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi








Scott Trometer

Re: Authorization problem
(in response to David Ayers)
It sounds like you 'were' using DB2's DDF via system directed access. This
requires some entries in the DB2 Communication Database (V4 or less) or the
System catalog communication tables (V5 and up). This is how DB2 knows what
the location is when you use 3 part names.

I would check the communication tables to see if you lost a location name or
to see if the linkname changed for one of the locations...especially if the
standard was previously to name the linkname the same as the location
name(LPAR). Check Syslocations,Syslunames, Sysusernames on both
subsystems(remove the 'sys' tablename prefix if V5,6,or 7, e.g.
SYSIBM.LOCATIONS).

Regards,
Scott

-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 9:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi








David Ayers

Re: Authorization problem
(in response to Linda Billings)
sibi, are the tables granted "public at all locations" ?




"Billings, Linda" <[login to unmask email]>@RYCI.COM> on 11/20/2000
09:57:53 AM

Please respond to DB2 Data Base Discussion List <[login to unmask email]>

Sent by: DB2 Data Base Discussion List <[login to unmask email]>


To: [login to unmask email]
cc:

Subject: Re: Authorization problem

This is just a shot in the dark but are there any changes required for the
APPLID in VTAM with the merge to one LPAR? I know an APPLID has to be
defined for the DDF address space. Perhaps it is getting hosed there.

Just a thought,

Linda Billings
Enterprise Systems Programmer
Info-Tech Services
Department of Administration
State of Wisconsin

"The problem is not that there are problems. The problem is expecting
otherwise and thinking that having problems is a problem." - Theodore
Rubin


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 8:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi



the










RICHARD E MOLERA

Re: Authorization problem
(in response to Eric Pearson)
Sibi,

Glad that worked!

Unfortunately, there is no easy shortcut to the resolution of this issue (i.e.,
without granting "super" authority, like DBADM to public, at the database level)
.

Everytime a table is dropped and created, the GRANTS must be re-issued.

Take care,

Rick Molera

Mainframe DB2 DBA






"Philip, Sibimon" <[login to unmask email]> on 11/20/2000 09:53:16 AM

To: RICHARD E [login to unmask email]
cc:
Subject: RE: Authorization problem



Thanks you very much. It worked. Without granting this to each tables in the
TEST subsystem, is there any short cut to do this.



-----Original Message-----
From: RICHARD E MOLERA [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 08:44 AM
To: Philip, Sibimon
Subject: Re: Authorization problem





Sibi,

Did you grant to public "at all locations" ?

Example:

Grant select on creator.table to PUBLIC AT ALL LOCATIONS ;

Hope that helps and good luck!

Rick Molera

Mainframe DB2 DBA





"Philip, Sibimon" <[login to unmask email]> on 11/20/2000 09:40:48 AM

Please respond to DB2 Data Base Discussion List <[login to unmask email]>

To: [login to unmask email]
cc: (bcc: RICHARD E MOLERA/SallieMae)
Subject: Authorization problem



To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi








Sibimon Philip

Re: Authorization problem
(in response to RICHARD E MOLERA)
Thanks for all the reply.

1. ID with sysadm is able to do a select with 3 part name.
2. When I granted select access to public at all locations, all the user-ids
were able to use the 3 part names based on suggestion from the list.
3. We grant the access to RACF group, but I cannot use at all locations with
RACF group. So when I remove the public access, nobody is able to select
table.
4. This was working when DB2 subsystem was in two LPAR.

Thanks

-----Original Message-----
From: Pearson, Eric L, [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 08:59 AM
To: [login to unmask email]
Subject: Re: Authorization problem


Did two RACF databases get replaced by one? This could be an issue if you
are
using the sample exit to exploit secondary authorization id processing.

Can you do three-part-name access via an ID which is defined as a SYSADM on
the destination system? If not, look for connection (TCP/IP ip address, VTAM
APPLID)
issues.

Are there any unusal messages coming from the DDF address spaces?

Can you do the SQL CONNECT TO statement? If not, a DDF connection problem is
strongly
indicated.



eric pearson
ITO DB2 support
[login to unmask email]


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 9:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi













Ali Osman ERDEM

Re: Authorization problem
(in response to Linda Billings)
Please check <subsystem name>.DIST resource for READ access for failing auth
ids (external security definiton).

____________________________________________________________________
Get free email and a permanent address at http://www.amexmail.com/?A=1



Linda Billings

Re: Authorization problem
(in response to Sibimon Philip)
I am puzzled as to why this worked when you had this in two LPARs but not in
one LPAR. I would assume that all the DB2 required stuff would not need to
be changed in order to bring your system up on a different LPAR, that is, if
you have shared DASD. Operating system, security and networking stuff would
need to be changed though. I certainly hope that you didn't have to drop
and recreate your tables for a mere LPAR switch if that was how you lost
your authorities to the tables. Fallback would be a real pain. When I made
the VTAM APPLID suggestion that was my line of reasoning. Although, upon
further reflection, a different error message would probably have come up.

Linda Billings
Enterprise Systems Programmer
Info-Tech Services
Department of Administration
State of Wisconsin

"The problem is not that there are problems. The problem is expecting
otherwise and thinking that having problems is a problem." - Theodore
Rubin


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 9:20 AM
To: [login to unmask email]
Subject: Re: Authorization problem


Thanks for all the reply.

1. ID with sysadm is able to do a select with 3 part name.
2. When I granted select access to public at all locations, all the user-ids
were able to use the 3 part names based on suggestion from the list.
3. We grant the access to RACF group, but I cannot use at all locations with
RACF group. So when I remove the public access, nobody is able to select
table.
4. This was working when DB2 subsystem was in two LPAR.

Thanks

-----Original Message-----
From: Pearson, Eric L, [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 08:59 AM
To: [login to unmask email]
Subject: Re: Authorization problem


Did two RACF databases get replaced by one? This could be an issue if you
are
using the sample exit to exploit secondary authorization id processing.

Can you do three-part-name access via an ID which is defined as a SYSADM on
the destination system? If not, look for connection (TCP/IP ip address, VTAM
APPLID)
issues.

Are there any unusal messages coming from the DDF address spaces?

Can you do the SQL CONNECT TO statement? If not, a DDF connection problem is
strongly
indicated.



eric pearson
ITO DB2 support
[login to unmask email]


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 9:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi


















Roland Chua

Re: Authorization problem
(in response to Ali Osman ERDEM)
Did you amended any records in the SYSIBM.IPNAMES, or SYSIBM.LUNAMES or
SYSIBM.USERNAMES? Previously, do you do any ID translation?




"Philip, Sibimon" <[login to unmask email]>@RYCI.COM> on 20/11/2000 11:20:03
PM

Please respond to DB2 Data Base Discussion List <[login to unmask email]>

Sent by: DB2 Data Base Discussion List <[login to unmask email]>


To: [login to unmask email]
cc:

Subject: Re: Authorization problem


Thanks for all the reply.

1. ID with sysadm is able to do a select with 3 part name.
2. When I granted select access to public at all locations, all the
user-ids
were able to use the 3 part names based on suggestion from the list.
3. We grant the access to RACF group, but I cannot use at all locations
with
RACF group. So when I remove the public access, nobody is able to select
table.
4. This was working when DB2 subsystem was in two LPAR.

Thanks

-----Original Message-----
From: Pearson, Eric L, [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 08:59 AM
To: [login to unmask email]
Subject: Re: Authorization problem


Did two RACF databases get replaced by one? This could be an issue if you
are
using the sample exit to exploit secondary authorization id processing.

Can you do three-part-name access via an ID which is defined as a SYSADM on
the destination system? If not, look for connection (TCP/IP ip address,
VTAM
APPLID)
issues.

Are there any unusal messages coming from the DDF address spaces?

Can you do the SQL CONNECT TO statement? If not, a DDF connection problem
is
strongly
indicated.



eric pearson
ITO DB2 support
[login to unmask email]


-----Original Message-----
From: Philip, Sibimon [mailto:[login to unmask email]
Sent: Monday, November 20, 2000 9:41 AM
To: [login to unmask email]
Subject: Authorization problem


To all,

Past weekend we combine two LPAR to one LPAR. So now our test db2 subsystem
and production db2 subsystem is in one LPAR. Previously from one LPAR we
were able to select tables in the other LPAR using 3 part names. Now from
production DB2 QMF we are not able to access TEST DB2 tables using 3 part
name. It is giving -551 even though public has the select access on the
table.

Any idea about this.


Thanks to all in this list for all the answers for my questions.


Regards...Sibi



the





the










Confidentiality Caution
=======================
Priviledged/Confidential Information may be contained in this message. If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not copy or deliver this
message to anyone. In such case, you should destroy this message and kindly
notify the sender by reply email. Opinions, conclusions and other
information in this message that is not of an official nature shall be
deemed as neither given nor endorsed by SGX unless indicated by an
authorised representative independent of this message.



Nadir Doctor

FW: DB2 71 on NT Authorization Problem
(in response to Roland Chua)
ndr

-----Original Message-----
From: Dimitris Margaritis [mailto:[login to unmask email]
Sent: Sunday, October 15, 2000 7:10 AM
To: [login to unmask email]
Subject: DB2 71 on NT Authorization Problem


Hi all,
I have just installed DB2 v 7.1 on my NT workstation using a local account1
from Administration Group. When I log on using another account2 on another
domain I have no the authorization to backup the sample database.
How can I give to account2 the SYSADM role?
Thanks








Jeremy Dodd

Re: FW: DB2 71 on NT Authorization Problem
(in response to Nadir Doctor)
As the account1 you need to update the dbm cfg with appropriate groups for sysadm_group etc. You can then assign your other users into those groups. They will then have the authorisation.

Jeremy


"Doctor, Nadir" wrote:

> ndr
>
> -----Original Message-----
> From: Dimitris Margaritis [mailto:[login to unmask email]
> Sent: Sunday, October 15, 2000 7:10 AM
> To: [login to unmask email]
> Subject: DB2 71 on NT Authorization Problem
>
> Hi all,
> I have just installed DB2 v 7.1 on my NT workstation using a local account1
> from Administration Group. When I log on using another account2 on another
> domain I have no the authorization to backup the sample database.
> How can I give to account2 the SYSADM role?
> Thanks
>
>
>
>
>
>
>
>