Unanswered: db2profc, Privileges granted to groups are not used for authorization checking
During bind of static SQLs from a Java application against our z/OS DB2 V7 we receive -551.
The problem is quite clear. Every programmer uses his own ID to bind "his" package to "his" user collection within our test environment. During the bind process of static SQL, all DB2 authorizations needed to perform the required SQLs within the bnd file are checked for the binder ID, which includes insert, update etc. on each table used.
We've granted those authorizations on (RACF) group level. I found this in the Command Reference:
db2profc - DB2 SQLJ Profile Customizer
Processes an SQLJ profile containing embedded SQL statements. By default, a DB2 package is created in the database; this utility augments the profile with DB2-specific information for use at run time. This utility should be run after the SQLJ application has been translated, but before the application is run.
One of the following:
- sysadm or dbadm authority
- BINDADD privilege if a package does not exist, and one of:
    - IMPLICIT_SCHEMA authority on the database if the schema name of the package does not exist
    - CREATEIN privilege on the schema if the schema name of the package exists
- ALTERIN privilege on the schema if the package exists
- BIND privilege on the package if it exists.
The user also needs all privileges required to compile any static SQL statements in the application.
Privileges granted to groups are not used for authorization checking of static statements.
BINDADD and PACKADM privileges are granted to each developer.
We don't want to grant some kind of adm authorizations nor grant table authorization to public.
Is there a way to tell db2profc to check group authorizations by some kind of customization?