JC, your description is best practice and perfect for segregation of duties
and responsibilities.

Binyamin, can you tell us what you’re trying to do, in operational terms?


On Mon, Nov 24, 2025 at 10:42 AM Joel Ewing <[email protected]> wrote:

> It's been a few decades so don't remember all the details, but pretty
> sure we set up a naming convention for RACF groups unique to DB2
> secondary authorization where the group name implied the authorized DB2
> secondary authorization IDs, connected appropriate RACF userids to one
> or more of those RACF groups, and the DB2 user exit was written to check
> those RACF group associations of the RACF userid associated with the
> request to determine what DB2 secondary authorization IDs to assign.
> After initial setup, all authorizations were done via adding/removing
> RACF groups to/from a userid.
>
>      JC Ewing
>
> On 11/23/25 11:10 PM, Jon Perryman wrote:
> > On Mon, 24 Nov 2025 00:40:47 +0200, Binyamin Dissen <[email protected]> wrote:
> >
> >> DB2 query - is there a way to give a specific permission for a user to SET
> >> CURRENT SQLID to another user without special privileges? Something thru the
> >> surrogate class?
> > I researched (never implemented) this for a project and found that DB2
> > secondary authorization IDs are implemented through a DB2 user exit. Maybe
> > someone has used it but if not, the doc is
> > https://www.ibm.com/docs/en/db2-for-zos/13.0.0?topic=applications-using-secondary-ids-sign-requests
> >
> > I suspect you could implement it using SURROGAT but I suspect there must
> > be a reason why IBM chose RACF groups. Hopefully someone has some real
> > experience.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
>
> --
> Joel C Ewing
>
>


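The scheme Joel describes, modelled as an added example rather than the exit itself (the real sign-on/authorization exit is assembler; this Python only reproduces its decision logic). The naming convention, the "DB2S" group prefix, the userids and the connect-group lists are all constructed for the example, not taken from any real system. It shows why the answer to Binyamin's question is "make the target ID a secondary authorization ID": SET CURRENT SQLID to the primary ID or one of the secondary IDs needs no special privilege, and which secondary IDs a user receives is decided purely by RACF group connects, so the DB2 side never changes once the exit is in place.

```python
"""Model of mapping RACF connect groups to DB2 secondary authorization IDs.

Added illustration, not IBM's or any site's exit code.  Assumed convention:
a RACF group named DB2S<id> grants DB2 secondary authorization ID <id>.
All userids, groups and IDs below are constructed sample data.
"""
from dataclasses import dataclass

# Assumed naming convention: groups with this prefix are the only ones the
# exit translates.  RACF group names are at most 8 characters, so the
# derived ID is at most 4 characters under this particular convention.
GROUP_PREFIX = "DB2S"

# Constructed sample of RACF connect groups per userid (in the real exit
# this comes from the caller's ACEE connect-group list).
RACF_CONNECTS = {
    "JSMITH": ["SYS1", "DB2SPAYR", "DB2SHR"],
    "ADUBOIS": ["DB2SHR", "TSOUSER"],
    "BATCH01": ["PRODJOBS"],
}


@dataclass(frozen=True)
class SignOn:
    """Result of a DB2 sign-on: the primary ID plus assigned secondary IDs."""
    primary_id: str
    secondary_ids: tuple


def secondary_ids_for(userid, connects=RACF_CONNECTS):
    """Return the DB2 secondary authorization IDs for a RACF userid.

    Only groups that follow the naming convention are translated; unrelated
    connects (SYS1, TSOUSER, ...) are ignored, so connecting a user to some
    other group never changes their DB2 authorization.
    """
    ids = set()
    for group in connects.get(userid.upper(), []):
        if group.startswith(GROUP_PREFIX) and len(group) > len(GROUP_PREFIX):
            ids.add(group[len(GROUP_PREFIX):])
    return tuple(sorted(ids))


def sign_on(userid, connects=RACF_CONNECTS):
    """Model the exit's output for a sign-on request from this userid."""
    primary = userid.upper()
    return SignOn(primary_id=primary,
                  secondary_ids=secondary_ids_for(primary, connects))


def may_set_current_sqlid(signon, target):
    """DB2 rule modelled here: SET CURRENT SQLID to the primary ID or to one
    of the secondary IDs needs no special privilege.  (Holders of SYSADM-type
    authority, who may set any value, are deliberately not modelled.)"""
    target = target.upper()
    return target == signon.primary_id or target in signon.secondary_ids


def connect_group(userid, group, connects=RACF_CONNECTS):
    """Model the RACF-side administration Joel describes: after setup, the
    only change needed to grant a secondary ID is a CONNECT to the group."""
    groups = connects.setdefault(userid.upper(), [])
    if group not in groups:
        groups.append(group)
    return secondary_ids_for(userid, connects)


if __name__ == "__main__":
    for user in RACF_CONNECTS:
        s = sign_on(user)
        print(user, "->", s.secondary_ids,
              "PAYR allowed:", may_set_current_sqlid(s, "PAYR"))
```

Running it stand-alone prints each sample user's secondary IDs and whether SET CURRENT SQLID = 'PAYR' would be allowed; the interesting property is that the answer flips for ADUBOIS after a single RACF CONNECT to DB2SPAYR, with no GRANT issued in DB2.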