An authorization ID is a character string that
is obtained by the database manager when a connection is established between
the database manager and either an application process or a program preparation
process. It designates a set of privileges. It may also designate a user or
a group of users, but this property is not controlled by the database manager.
After a connection has been established, the authorization ID
may be changed using the SET SESSION AUTHORIZATION statement.
Authorization ID's are used by the database manager to provide authorization
checking of SQL statements.
An authorization ID applies to every SQL statement. The authorization ID
that is used for authorization checking for a static SQL statement depends
on the USRPRF value specified on the precompiler command:
- If USRPRF(*OWNER) is specified, or if USRPRF(*NAMING) is specified and
SQL naming mode is used, the authorization ID of the statement is the owner
of the non-distributed SQL program. For distributed SQL programs, it is the
owner of the SQL package.
- If USRPRF(*USER) is specified, or if USRPRF(*NAMING) is specified and
system naming mode is used, the authorization ID of the statement is the authorization
ID of the user running the non-distributed SQL program. For distributed SQL
programs, it is the authorization ID of the user at the current server.
The authorization ID that is used for authorization checking for a dynamic
SQL statement also depends on where and how the statement is executed:
- If the statement is prepared and executed from a non-distributed program:
- If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program. This is called the run-time authorization
ID.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
program, the authorization ID that applies is the ID of the user running the
non-distributed program.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
program, the authorization ID that applies is the ID of the owner of the non-distributed
program.
- If the statement is prepared and executed from a distributed program:
- If the USRPRF value is *USER and the DYNUSRPRF value is *USER for the
SQL package, the authorization ID that applies is the ID of the user running
the SQL package at the current server. This is also called the run-time authorization
ID.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER for the
SQL package, the authorization ID that applies is the ID of the user running
the SQL package at the current server.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER for the
SQL package, the authorization ID that applies is the ID of the owner of the
SQL package at the current server.
- If the statement is issued interactively, the authorization ID that applies
is the ID of the user that issued the Start SQL (STRSQL) command.
- If the statement is executed from the RUNSQLSTM command, the authorization
ID that applies is the ID of the user that issued the RUNSQLSTM command.
- If the statement is executed from REXX, the authorization ID that applies
is the ID of the user that issued the STRREXPRC command.
On i5/OS, the run-time authorization ID is the user profile of the job.
An authorization-name specified in an SQL statement
should not be confused with the authorization ID of the statement. An authorization-name
is an identifier that is used in GRANT and REVOKE statements to designate
a target of the grant or revoke. The premise of a grant of privileges to X is that X will subsequently
be the authorization ID of statements which require those privileges. A group
user profile can also be used when checking authority for an SQL statement.
For information on group user profiles, see the book iSeries Security Reference
.
Assume SMITH is your user ID; then SMITH is the authorization ID when you
execute the following statement interactively:
GRANT SELECT ON TDEPT TO KEENE
SMITH is the authorization
ID of the statement. Thus, the authority to execute the statement is checked
against SMITH.
KEENE is an authorization-name specified in the statement. KEENE is given
the SELECT privilege on SMITH.TDEPT.
[ Top of Page | Previous Page | Next Page | Contents |
Index ]