DB2 - Problem description
Problem IT21177 | Status: Closed |
DB2AUDIT IS NOT REPORTING SQL0551N WHEN A USER WITH INSUFFICIENT AUTHORIZATION ATTEMPTS TO CALL A PROCEDURE | |
product: | |
DB2 FOR LUW / DB2FORLUW / A50 - DB2 | |
Problem description: | |
Steps to reproduce this issue:

> db2 connect to sample user db2admin
> db2 create table rvol.tab1 (id integer) in userspace1
> db2 "create procedure rvol.proc1() begin insert into rvol.tab1 values (1); end"
> db2 create audit policy CHECKINGPOLICY categories checking status failure error type normal
> db2 audit user test using policy CHECKINGPOLICY
> db2 connect reset
> db2 connect to sample user test
> db2 select * from RVOL.tab1
SQL0551N The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation. Authorization ID: "TEST". Operation: "SELECT". Object: "RVOL.TAB1". SQLSTATE=42501
> db2 call rvol.proc1()
SQL0551N The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation. Authorization ID: "TEST". Operation: "EXECUTE". Object: "RVOL.PROC1". SQLSTATE=42501
> db2 connect reset
> db2audit archive database sample to C:\temp\auditarchive
> db2audit extract file C:\temp\audit\audit.out from files C:\temp\auditarchive\*

The audit.log does not show any entry for the second -551 error, the one on the stored procedure. We only get the info on the table:

event status=-551; object type=TABLE; access approval reason=DENIED; ...

If we drop and recreate the audit policy, this time with the option "checking status both", we also get the info on the stored procedure in audit.out:

... event status=0; object type=STORED_PROCEDURE; access approval reason=DENIED; ...

The "event status=0" is obvious and surely explains why we do not get the event in the audit.log when the status option is set to "failure".

The documentation for the "CREATE AUDIT POLICY statement" (https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050607.html) says:

CHECKING Generates records during authorization checking of attempts to access or manipulate database objects or functions.
FAILURE Only failing events will be audited.

So, this SQL0551N on the call "call rvol.proc1()" should be picked up by the audit. | |
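
An added example, not part of the APAR text: for an extract taken under a policy with "checking status both", this filter selects denied authorization checks by "access approval reason" rather than by "event status", so the stored-procedure denial recorded with status 0 is not lost. The blank-line record layout, the "category" field and the sample values are constructed assumptions; the other three field names are the ones quoted above.

```python
import re

# Constructed sample in the "key=value;" style quoted in the problem description.
# Record layout (blank-line separated) and the DBADM record are assumptions.
SAMPLE_AUDIT_OUT = """\
category=CHECKING;
  event status=-551;
  object type=TABLE;
  access approval reason=DENIED;

category=CHECKING;
  event status=0;
  object type=STORED_PROCEDURE;
  access approval reason=DENIED;

category=CHECKING;
  event status=0;
  object type=TABLE;
  access approval reason=DBADM;
"""

# One "name=value;" field; names may contain spaces ("event status").
FIELD = re.compile(r"\s*([^=;]+?)\s*=\s*([^;]*?)\s*;")

def parse_records(text):
    """Split extracted audit text into records (dicts of field -> value)."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD.findall(chunk))
        if fields:
            records.append(fields)
    return records

def denied_checks(records):
    """All authorization checks that were denied, whatever their event status."""
    return [r for r in records if r.get("access approval reason") == "DENIED"]

def missed_by_failure_policy(records):
    """Denied checks logged with a non-negative status: a 'status failure'
    policy does not record these, which is the gap this problem describes."""
    return [r for r in denied_checks(records)
            if int(r.get("event status", "0")) >= 0]

if __name__ == "__main__":
    for r in missed_by_failure_policy(parse_records(SAMPLE_AUDIT_OUT)):
        print(r["object type"], r["event status"], r["access approval reason"])
```
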
Problem Summary: | |
USERS AFFECTED: ALL
PROBLEM DESCRIPTION: See Error Description
RECOMMENDATION: Upgrade to Db2 10.5 Fix Pack 9 or higher | |
Local Fix: | |
N/A | |
Solution | |
First fixed in Db2 10.5 Fix Pack 9 | |
Workaround | |
not known / see Local fix | |
Timestamps | |
Date - problem reported : | 26.06.2017 |
Date - problem closed : | 29.09.2017 |
Date - last modified : | 29.09.2017 |
Problem solved at the following versions (IBM BugInfos) | |
9.0. | |
Problem solved according to the fixlist(s) of the following version(s) |