Db2 – How to i give SECADM to instance owner in DB2

db2permissions

i'm using db2 9.7 on linux and created a user "db2fee1i" to be a instance owner. I restored a database, but even being SYSADM i only can connect to database. I need to give DATAACCESS to another user, and even doing a query appears…

The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it
returned: SQL0551N "DB2FEE1I" does not have the required authorization
or privilege to perform operation "EXECUTE" on object
"NULLID.SQLC2H23". SQLSTATE=42501

I tryed everything but nothing solves my problem, now i found "SECADM" that can give me the "privileges to execute" into database, but i dont know how to do it. Someone can help me?!

Best Answer

Under 9.7, whichever ID creates the database is automatically granted DBADM WITH DATAACCESS WITH ACCESSCTRL and SECADM.

So you should be able to log in to the databases with that ID to perform the grants you need. If this came from another environment, you may have to create the ID locally in order to get into the database. Only an ID with SECADM can grant SECADM to another ID. And also with 9.7, you cannot GRANT to or REVOKE from yourself.

Now...as to your problem.....when you do not have EXECUTE on a NULLID package, then you may either need to perform a BIND of the appropriate bind file, or grant EXECUTE on that package. If it is a system package that pretty much everyone can use, you can always GRANT EXECUTE ON PACKAGE NULLID.SQLC2H23 TO PUBLIC.

Related Solutions

How to Grant All Privileges to Local db2admin with DB2 9.7 on Windows

Based on the last above links in my edit to my question I found my answer. I cannot tweak the system account since our logons to our system are from an LDAP and I cannot control the groups and what not.

So I did the following:

Opened the DB2 GUI (was easiest to do this way).
Connected to the desired database as db2admin.
Added my logon to the database as a user.
GRANT all authorities to that id (my id).
Disconnect.
Connect to the desired database as my id.
GRANT all authorities to db2admin.
Disconnect.

Voila! The db2admin logon now as all authorities.

EDIT: I'm going to leave the above as it helped me learn how to do some interesting stuff in DB2. However, I have learned that the DBADM/SECADM with DATAACCESS and ACCESSCTRL authorities granted the instance owner (in my case the db2admin id) have all the authority needed to interact with the database. I could have actually just commented out those grant lines above in the script. Those were left over from a script which ran against an older version of DB2. I have also found if I need to have the instance owner DBADM after doing a restore to database A from database B, it is easiest just to set the registry variable DB2_RESTORE_GRANT_ADMIN_AUTHORITY to YES (available in Fix Pack 2 and above). Then I don't have to try to grant instance owner DBADM. It automatically is granted that to any database restored into the instance. If you are not at Fix Pack 5, you have to bounce the instance for this to take affect.

Db2 – How to grant all privileges on all tables in a schema to a user in IBM DB2

If you want access to all data (ie, all tables in all schemas), you would need to grant dataaccess.

db2 grant dataaccess on database to user winuser1

If you only want winuser1 to access just the 100 tables in the schema you are referring to, then unfortunately, there is no easy way, you would need to grant SELECT on each table. That being said, it can be accomplished through scripting.

You could do the following

db2 -tnx "select distinct 'GRANT ALL ON TABLE '||
    '\"'||rtrim(tabschema)||'\".\"'||rtrim(tabname)||'\" TO USER winuser1;'
    from syscat.tables
    where tabschema = 'myschema' "  >> grants.sql

db2 -tvf grants.sql

This makes use of querying the system catalogs to dynamically generate a script to permission things. This is a lot of how we permission for users we don't want to give dataaccess to.

Here is a good page of the authorities for DB2.

Best Answer

Related Solutions

How to Grant All Privileges to Local db2admin with DB2 9.7 on Windows

Db2 – How to grant all privileges on all tables in a schema to a user in IBM DB2

Related Question