DB2 for z/OS trusted context woes

Jørn Thyssen

DB2 for z/OS trusted context woes

Dear list,

Is anyone familar with DB2 trusted contexts?

I am creating a new role and a trusted context, and granting SYSADM to the role:

CREATE ROLE ROLE5941;                                        
CREATE TRUSTED CONTEXT TC5941                                
   BASED UPON CONNECTION USING SYSTEM AUTHID TS5941B         
   DEFAULT ROLE ROLE5941                                     
   WITH ROLE AS OBJECT OWNER AND QUALIFIER                   
   ENABLE                                                    
   NO DEFAULT SECURITY LABEL                                 
   ATTRIBUTES (                                              
      JOBNAME 'TS5941BT',                                    
      JOBNAME 'TS5941B'                                      
   )                                                         
   WITH USE FOR TS5941B                                      
   ROLE ROLE5941                                             
   WITHOUT AUTHENTICATION ;                                  
GRANT SYSADM TO ROLE5941;                                    

With my user TS5941B I now run:
CREATE TABLE TESTTC7 ( KEY INTEGER );
and it completes with SQLCODE 0, and the table is created:
Schema ROLE5941 and owner ROLE5941, and owner type 'Role'
So my trusted context clearly works.

Now I want to do a BIND:

BIND PACKAGE(TS5941BCOL)     
  MEM(DSNESM68)              
  LIB('DSN.VB10.SDSNDBRM')   
  SQLERROR(NOPACKAGE)        
  VALID(R)                   
  ISOL(CS)                   
  CURRENTD(N)                
  EXPL(NO)                   
  ACTION(REPLACE)            
  DEGREE(ANY)                
  KEEPDYNAMIC(N)             
  REOPT(NONE)                
  ENCODING(37)               
  IMMEDWRITE(I)              
  ROUNDING(HALFEVEN)         
  BUSTIMESENSITIVE(YES)      
  SYSTIMESENSITIVE(YES)      
  APPLCOMPAT(V11R1)        

  but I get:
 
 DSNT235I  !L7BB DSNTBCM2 BIND AUTHORIZATION ERROR                       
            USING ROLE: ROLE5941 AUTHORITY                               
            PACKAGE = RS22L7BB.TS5941BCOL.DSNESM68.(UK92200)             
            PRIVILEGE = BINDADD                                          
 DSNT233I  !L7BB UNSUCCESSFUL BIND FOR                                   
            PACKAGE = RS22L7BB.TS5941BCOL.DSNESM68.(UK92200)               
            
Again, the trusted context and role is being picked up, but it fails even though the role
has SYSADM authority.

I also tried an UNLOAD started from a batch job with jobname TS5941BT and I get

DSNU000I    230 03:13:58.41 DSNUGUTC - OUTPUT START FOR UTILITY, UTILID = TS5941B.TS5941BT                       
DSNU1044I   230 03:13:58.41 DSNUGTIS - PROCESSING SYSIN AS EBCDIC                                                
DSNU050I    230 03:13:58.41 DSNUGUTC -  TEMPLATE UTLPUNCH DSN 'TS5941B.L7BB.CNTL.TEST35D.TEST35S1' UNIT SYSDA    
DSNU1035I   230 03:13:58.41 DSNUJTDR - TEMPLATE STATEMENT PROCESSED SUCCESSFULLY                                 
DSNU050I    230 03:13:58.41 DSNUGUTC -  TEMPLATE UTLREC DSN 'TS5941B.L7BB.UNLD.TEST35D.TEST35S1' UNIT SYSDA      
DSNU1035I   230 03:13:58.41 DSNUJTDR - TEMPLATE STATEMENT PROCESSED SUCCESSFULLY                                 
DSNU050I    230 03:13:58.42 DSNUGUTC -  UNLOAD TABLESPACE "TEST35D"."TEST35S1"                                   
DSNU073I  !L7BB 230 03:13:58.42 DSNUUUFA - KEYWORD 'SPANNED YES' IGNORED                                         
DSNU1253I !L7BB 230 03:13:58.42 DSNUULIA - USER TS5941B DOES NOT HAVE SELECT PRIVILEGE                           
ON TABLE TS5941.TEST35T1, IN TABLESPACE TEST35D.TEST35S1                                                         
DSNU012I    230 03:13:58.42 DSNUGBAC - UTILITY EXECUTION TERMINATED, HIGHEST RETURN CODE=8

 

Best regards,

Jørn Thyssen

Rocket Software
77 Fourth Avenue • Waltham, MA • 02451 • USA
E: [login to unmask email] • W: www.rocketsoftware.com 

Views are personal. 

Jørn Thyssen

RE: DB2 for z/OS trusted context woes
(in response to Jørn Thyssen)

Solution:
GRANT SYSADM TO ROLE ROLE5941; 

 

Best regards,

Jørn Thyssen

Rocket Software
77 Fourth Avenue • Waltham, MA • 02451 • USA
E: [login to unmask email] • W: www.rocketsoftware.com 

Views are personal.