It's been a few decades so don't remember all the details, but pretty
sure we set up a naming convention for RACF groups unique to DB2
secondary authorization where the group name implied the authorized DB2
secondary authorization IDs, connected appropriate RACF userids to one
or more of those RACF groups, and the DB2 user exit was written to check
those RACF group associations of the RACF userid associated with the
request to determine what DB2 secondary authorization IDs to assign.
After initial setup, all authorizations were done via adding/removing
RACF groups to/from a userid.
JC Ewing
On 11/23/25 11:10 PM, Jon Perryman wrote:
> On Mon, 24 Nov 2025 00:40:47 +0200, Binyamin Dissen
> <[email protected]> wrote:
>> DB2 query - is there a way to give a specific permission for a user to SET
>> CURRENT SQLID to another user without special privileges? Something thru the
>> surrogate class?
> I researched (never implemented) this for a project and found that DB2
> secondary authorization IDs are implemented through a DB2 user exit. Maybe
> someone has used it but if not, the doc is
> https://www.ibm.com/docs/en/db2-for-zos/13.0.0?topic=applications-using-secondary-ids-sign-requests
> I suspect you could implement it using SURROGAT but I suspect there must be a
> reason why IBM chose RACF groups. Hopefully someone has some real experience.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
--
Joel C Ewing