An authorization ID is a character string that is
obtained by the database manager when a connection is established
between the database manager and either an application process or
a program preparation process. It designates a set of privileges.
It may also designate a user or a group of users, but this property
is not controlled by the database manager.
After a connection has been established, the authorization
ID may be changed using the SET SESSION AUTHORIZATION statement.
Authorization ID's are used by the database manager to
provide authorization checking of SQL statements.
An authorization ID applies to every SQL statement. The
authorization ID that is used for authorization checking for a static
SQL statement depends on the USRPRF value specified on the precompiler
command:
- If USRPRF(*OWNER) is specified, or if USRPRF(*NAMING) is specified
and SQL naming mode is used, the authorization ID of the statement
is the owner of the non-distributed SQL program. For distributed SQL
programs, it is the owner of the SQL package.
- If USRPRF(*USER) is specified, or if USRPRF(*NAMING) is specified
and system naming mode is used, the authorization ID of the statement
is the authorization ID of the user running the non-distributed SQL
program. For distributed SQL programs, it is the authorization ID
of the user at the current server.
The authorization ID that is used for authorization checking
for a dynamic SQL statement also depends on where and how the statement
is executed:
- If the statement is prepared and executed from a non-distributed
program:
- If the USRPRF value is *USER and the DYNUSRPRF value is *USER
for the program, the authorization ID that applies is the ID of the
user running the non-distributed program. This is called the run-time
authorization ID.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER
for the program, the authorization ID that applies is the ID of the
user running the non-distributed program.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER
for the program, the authorization ID that applies is the ID of the
owner of the non-distributed program.
- If the statement is prepared and executed from a distributed program:
- If the USRPRF value is *USER and the DYNUSRPRF value is *USER
for the SQL package, the authorization ID that applies is the ID of
the user running the SQL package at the current server. This is also
called the run-time authorization ID.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *USER
for the SQL package, the authorization ID that applies is the ID of
the user running the SQL package at the current server.
- If the USRPRF value is *OWNER and the DYNUSRPRF value is *OWNER
for the SQL package, the authorization ID that applies is the ID of
the owner of the SQL package at the current server.
- If the statement is issued interactively, the authorization ID
that applies is the ID of the user that issued the Start SQL (STRSQL)
command.
- If the statement is executed from the RUNSQLSTM command, the authorization
ID that applies is the ID of the user that issued the RUNSQLSTM command.
- If the statement is executed from REXX, the authorization ID that applies is the
ID of the user that issued the STRREXPRC command.
On
the IBM® i operating
system, the run-time authorization ID is the user profile of the job.
An authorization-name specified in an SQL statement
should not be confused with the authorization ID of the statement.
An authorization-name is an identifier that is used in GRANT and REVOKE
statements to designate a target of the grant or revoke. The premise
of a grant of privileges to X is that X will subsequently
be the authorization ID of statements which require those privileges.
A group user profile can also be used when checking authority for
an SQL statement. For information about group user profiles, see Security
Reference.
Example
Assume SMITH is your user ID; then
SMITH is the authorization ID when you execute the following statement
interactively:
GRANT SELECT ON TDEPT TO KEENE
SMITH
is the authorization ID of the statement. Thus, the authority to execute
the statement is checked against SMITH.
KEENE is an authorization-name
specified in the statement. KEENE is given the SELECT privilege on
SMITH.TDEPT.