RC/Query is using SYSADM when accessing remote objects via aliases.

Document ID : KB000045342
Last Modified Date : 14/02/2018

Issue:

When using the Alias List Report (A-L) to access remote objects, RC/Query (RCQ) queries the remote subsystem using the SYSADM ID defined to the local subsystem. This can result in security violation messages depending on how security has been set up.

For example, the following Top Secret messages may be issued.

TSS7250E drc J=jobname A=acid TYPE=DB2SYS RESOURCE=SYSADM
TSS7251E Access Denied to DB2SYS <SYSADM>

Cause:

When generating the Alias List report for an alias of a remote object, RC/Query performs a second SQL query to determine if the base object exists on the remote subsystem. This dynamic SQL requires SELECT authority on the remote DB2 catalog tables. Most of the products require access to the DB2 catalog tables. Without SELECT authority on these tables, the products cannot retrieve the necessary DB2 data to confirm that the base object exists.

Resolution:

SELECT privilege on the remote DB2 catalog tables should be sufficient for this second query to the remote subsystem.

If any violations persist, run an Error Log Report for the appropriate security product.

For example, for Top Secret, running a TSS listing helps identify which Top Secret privileges the user has and which are missing.
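To check whether the DB2SYS SYSADM violations persist after the change, the message pair shown above can be pulled out of a saved job log or console extract and counted per ACID and job. The following Python script is an added example, not part of the original document or any vendor tooling; it assumes the two message layouts exactly as shown above, and the sample log lines (job names, ACIDs, and the value in the drc position) are constructed.

```python
import re
from collections import Counter

# Layout as shown in the article: TSS7250E drc J=jobname A=acid TYPE=... RESOURCE=...
TSS7250E = re.compile(
    r"TSS7250E\s+(?P<drc>\S+)\s+J=(?P<job>\S+)\s+A=(?P<acid>\S+)\s+"
    r"TYPE=(?P<rtype>\S+)\s+RESOURCE=(?P<resource>\S+)"
)
# Layout as shown in the article: TSS7251E Access Denied to <type> <resource>
TSS7251E = re.compile(r"TSS7251E\s+Access Denied to\s+(?P<rtype>\S+)\s+<(?P<resource>[^>]+)>")


def find_violations(lines):
    """Return one dict per TSS7250E record, flagged when a TSS7251E confirms the denial."""
    violations = []
    for line in lines:
        m = TSS7250E.search(line)
        if m:
            violations.append({**m.groupdict(), "denied": False})
            continue
        m = TSS7251E.search(line)
        # TSS7251E carries no job or ACID, so attach it to the most recent TSS7250E record.
        if m and violations:
            last = violations[-1]
            if (last["rtype"], last["resource"]) == (m["rtype"], m["resource"]):
                last["denied"] = True
    return violations


def sysadm_denials_by_acid(violations):
    """Count confirmed DB2SYS SYSADM denials per (ACID, job)."""
    return Counter(
        (v["acid"], v["job"])
        for v in violations
        if v["denied"] and v["rtype"] == "DB2SYS" and v["resource"] == "SYSADM"
    )


# Constructed sample log: job names, ACIDs, and drc values are made up.
SAMPLE_LOG = """\
TSS7250E 136 J=RCQJOB01 A=USER01 TYPE=DB2SYS RESOURCE=SYSADM
TSS7251E Access Denied to DB2SYS <SYSADM>
IEF403I RCQJOB01 - STARTED
TSS7250E 136 J=RCQJOB02 A=USER02 TYPE=DB2SYS RESOURCE=SYSADM
TSS7251E Access Denied to DB2SYS <SYSADM>
TSS7250E 136 J=RCQJOB01 A=USER01 TYPE=DB2SYS RESOURCE=SYSADM
TSS7251E Access Denied to DB2SYS <SYSADM>
""".splitlines()

if __name__ == "__main__":
    for (acid, job), n in sysadm_denials_by_acid(find_violations(SAMPLE_LOG)).items():
        print(f"{acid} in job {job}: {n} DB2SYS SYSADM denial(s)")
```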