When issuing DB2 operator commands from the z/OS console fail with DSN9016I 'xxxx xxx' COMMAND REJECTED, UNAUTHORIZED REQUEST, what causes this?

Document ID : KB000011486
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

When issuing DB2 operator commands from the z/OS console fail with DSN9016I 'xxxx xxx' COMMAND REJECTED, UNAUTHORIZED REQUEST, what causes this?

For example:

DSN9016I +DB2C '-DIS THD' COMMAND REJECTED, UNAUTHORIZED REQUEST 
DSN9023I +DB2C DSN9SCND '-DIS THD' ABNORMAL COMPLETION 

Answer:

The most likely cause of the errors are a validation at the console for  *BYPASS* to have the authority to
issue the command. An ACF2 SECTRACE would show a VERIFY CREATE for userid *BYPASS*.

*BYPASS* is a standard z/OS default assigned when no other id (not even a  batch default) is available to
satisfy a signon request (a VERIFY call). In this case the VERIFY call is being made from DB2 in response
to a DB2 console  command. DB2 wants to make a check for SYSOPR against an id. Since no id is available,
z/OS plugs in *BYPASS*. 

One solution to the use of *BYPASS* would be to set SIGNON(REQUIRED) in the CONSOLXX member of
SYS1.PARMLIB and require that your consoles be signed on. In that way, there would always be a valid
userid assigned to the console  and that is the id that would be checked for SYSOPR authority.                 

Another solution to address the problem would be for sites to add a grant in DB2 for *BYPASS* with
SYSOPR authority.

GRANT SYSOPR TO "BYPASS*"

NOTE:  The USERID requires double quotes around it in order to protect the asterisks