List Digest, Jun 03, 2019

Jim Rice

In my post yesterday I meant to say the CREATOR, not the owner id, did not exist when the package was created.


From: DB2 - L <[login to unmask email]>
Sent: Tuesday, June 04, 2019 3:03 AM
To: [login to unmask email]
Subject: [DB2-L] - List Digest, Jun 03, 2019



The following posts were made on Jun 03, 2019

1. [EXTERNAL] ADMIN_COMMAND_DB2 IFI security [z/OS v12] - (Troy Zinderman)
2. RE: db2luw upgrade db2v11 getting error - (Greg Palgrave)
3. Conversion of deprecated multi-table table spaces to UTS - (Daniel Luksetich)
4. SQLCODE -923 - (Manikandan Govindaraj)
5. SQLCODE -923 - (John Bucaria)
6. RE: SQLCODE -923 - (Manikandan Govindaraj)
7. SQLCODE -923 - (John Bucaria)
8. SQLCODE -923 - (Ray Janes)
9. Package Creator - (Jim Rice)

1. [EXTERNAL] ADMIN_COMMAND_DB2 IFI security [z/OS v12] (Troy Zinderman)
From: Troy Zinderman
Subject: [EXTERNAL] ADMIN_COMMAND_DB2 IFI security [z/OS v12]
Sorry, not too versed on the security terms in general. We are a CA Top Secret shop and I don't dive too deep (I don't have TS admin role here).

A Windows process (e.g., C# program on a distributed server) will be calling a native SP running on z/OS. That native procedure then calls the ADMIN_COMMAND_DB2 procedure to send commands. We want the Windows process only to have EXECUTE on the native procedure code. The owner/creator of the native procedure should have the authority to call and execute commands under the ADMIN_COMMAND_DB2 procedure. Native procedure code is managing which tablespace(s) to place into different access modes.

So, I believe I am trying to get the S1ID. The owner of the procedure needs the auth to call ADMIN_COMMAND_DB2 to send the commands. I will try changing the call to dynamic. No clue if we re-assembled the authorization and sign on exits since V10. Will have to check.


From: James Campbell <[login to unmask email]>
Sent: Sunday, June 2, 2019 6:41 AM
To: [login to unmask email]
Subject: [EXTERNAL] [DB2-L] - RE: ADMIN_COMMAND_DB2 IFI security [z/OS v12]

I am not sure what you mean by "secondary authorization".

Since there seems to be various players here, let me try to nail them down:

- end user. This might be a person or a CICS, etc program. When it makes a connection to Db2 the authorization or signon exit will assign a primary id (usually a user's id or something the CICS RCT sets up). The exit might also supply one or more secondary authids. Call these PID, S1ID, S2ID etc

- the user executes a program, which calls a stored procedure - "native procedure" below - created with PACKAGE OWNER SPOID. (In this context, SPOID has no secondary authids - although it might in others.)

- "native procedure" calls SYSPROC.ADMIN_COMMAND_DB2 .

You want ADMIN_COMMAND_DB2 to use SPOID for authorisation, but it is rejecting the commands because PID isn't authorised.


If so, "secondary authorization permissions" means S1ID, S2ID etc - not SPOID. I'd suggest
- make "native procedure"'s call to SYSPROC.ADMIN_COMMAND_DB2 dynamic
- create "native procedure" with DYNAMICRULES DEFINEBIND

If not, and you really do want S1ID (or S2ID ...) to be used (and are using RACF), have you re-assembled the authorisation and sign on exits since V10? There were changes to support push through of secondary authids for stored procedures. It is possible that SYSPROC.ADMIN_COMMAND_DB2 requires them (SYSPROC.DSNUTILS certainly does).

If you mean a secondary authid of SPOID then you are out of luck. It doesn't have any. Secondary authids are created when an id goes through the sign on or connection exit. Since SPOID doesn't go through those exits (in this context), it doesn't get secondary authids.

James Campbell

On 31 May 2019 at 16:37, Zinderman, Troy wrote:

> Hi folks,
> Is it possible to call the SYSPROC.ADMIN_COMMAND_DB2 procedure and have secondary
> authorization permissions push all the way down to the Instrumentation Facility Interface?
> I am testing where we want to constrain a process to a semi-specific set of tablespaces (via a
> native procedure). That procedure is calling the ADMIN_COMMAND_DB2 to place the
> tablespaces in RO or RW. However, the ADMIN_COMMAND_DB2 returns a DSNT300I saying the
> auth-id is not authorized to perform that function. We want the creator/owner of the native
> procedure to have the permissions to execute the Db2 Command, not the calling primary
> auth-id. But it seems that when ADMIN_COMMAND_DB2 is sending the commands down to IFI,
> it's using the primary auth-id, not the secondary.
> I have tried some combinations of the DYNAMICRULES parameters in the definition. However, I
> get no luck on any of them picking up the creators auth over the caller's. Just wondering if this is
> even possible.
> Troy Zinderman
> Division of Database Systems
> Office of Systems Architecture
> U.S. Social Security Administration
> Office: 410-965-7328
> Cell: 443-761-3655

-----End Original Message-----