An authorization ID is a character string that is obtained by
the database manager when a connection is established between the database
manager and either an application process or a program preparation
process. It designates a set of privileges. It may also
designate a user or a group of users, but this property is not controlled by
the database manager.
Authorization ID's apply to every statement and are used by the
database manager to provide:
- Implicit qualifiers for the names of tables, views, constraints, packages,
and indexes.
- Authorization checking of SQL statements
An authorization ID applies to every SQL statement. The implicit
qualification depends on whether you use static or dynamic SQL:
- For static SQL, the implicit qualifier is the owner of the program.
- For dynamic SQL, the implicit qualifier is the user running the
program.
The authorization ID that is used for authorization checking for a static
SQL statement depends on the USRPRF value specified on the precompiler
command:
- If USRPRF(*OWNER) is specified, or if USRPRF(*NAMING) is specified and SQL
naming mode is used, the authorization ID of the statement is the owner of the
non-distributed SQL program. For distributed SQL programs, it is the
owner of the SQL package.
- If USRPRF(*USER) is specified, or if USRPRF(*NAMING) is specified and
system naming mode is used, the authorization ID of the statement is the
authorization ID of the user running the non-distributed SQL program.
For distributed SQL programs, it is the authorization ID of the user at the
current server.
The authorization ID that is used for authorization checking for a dynamic
SQL statement also depends on where and how the statement is executed:
- If the statement is prepared and executed from a non-distributed
program:
- If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program. This is called the run-time authorization
ID.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
program, the authorization ID that applies is the ID of the owner of the
non-distributed program.
- If the statement is prepared and executed from a distributed
program:
- If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the SQL
package, the authorization ID that applies is the ID of the user running the
SQL package at the current server. This is also called the run-time
authorization ID.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the SQL
package, the authorization ID that applies is the ID of the user running the
SQL package at the current server.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
SQL package, the authorization ID that applies is the ID of the owner of the
SQL package at the current server.
- If the statement is issued interactively, the authorization ID that
applies is the ID of the user that issued the Start SQL (STRSQL)
command.
- If the statement is executed from the RUNSQLSTM command, the authorization
ID that applies is the ID of the user that issued the RUNSQLSTM
command.
- If the statement is executed from REXX, the authorization ID that applies
is the ID of the user that issued the STRREXPRC command.
On OS/400, the run-time authorization ID is the user profile of the
job.
An authorization-name specified in an SQL statement should not be
confused with the authorization ID of the statement. An
authorization-name is an identifier that is used in GRANT and REVOKE
statements to designate a target of the grant or revoke. The premise of
a grant of privileges X is that X will subsequently be
the authorization ID of statements which require those privileges. A
group user profile can also be used when checking authority for an SQL
statement. For information on group user profiles, see the book Security - Reference, SC41-5302-04 .
- Assume SMITH is your user ID; then SMITH is the authorization ID when
you execute the following statement interactively:
GRANT SELECT ON TDEPT TO KEENE
SMITH is the authorization ID of the statement. Thus, the
authority to execute the statement is checked against SMITH and SMITH is the
implicit qualifier of TDEPT.
KEENE is an authorization-name specified in the statement. KEENE is
given the SELECT privilege on SMITH.TDEPT.
- Assume SMITH has administrative authority and is the authorization ID of
the following statements:
DROP TABLE TDEPT
Removes the SMITH.TDEPT table.
DROP TABLE SMITH.TDEPT
Removes the SMITH.TDEPT table.
DROP TABLE KEENE.TDEPT
Removes the KEENE.TDEPT table.
[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]