
DB2 - Problem description

Problem IT22589 Status: Closed

DB2AUDIT IS NOT REPORTING SQL0551N WHEN A USER WITH
INSUFFICIENT AUTHORIZATION ATTEMPTS TO CALL A PROCEDURE

product:
DB2 FOR LUW / DB2FORLUW / B10 - DB2
Problem description:
Steps to reproduce this issue: 
 
> db2 connect to sample user db2admin
> db2 create table rvol.tab1 (id integer) in userspace1
> db2 "create procedure rvol.proc1() begin insert into rvol.tab1 values (1); end"

> db2 create audit policy CHECKINGPOLICY categories checking status failure error type normal
> db2 audit user test using policy CHECKINGPOLICY
 
> db2 connect reset 
> db2 connect to sample user test 
 
 
> db2 select * from RVOL.tab1
SQL0551N  The statement failed because the authorization ID does not
have the required authorization or privilege to perform the operation.
Authorization ID: "TEST".  Operation: "SELECT". Object: "RVOL.TAB1".
SQLSTATE=42501

> db2 call rvol.proc1()
SQL0551N  The statement failed because the authorization ID does not
have the required authorization or privilege to perform the operation.
Authorization ID: "TEST".  Operation: "EXECUTE". Object: "RVOL.PROC1".
SQLSTATE=42501
 
> db2 connect reset 
 
 
 
> db2audit archive database sample to C:\temp\auditarchive

> db2audit extract file C:\temp\audit\audit.out from files C:\temp\auditarchive\*

The audit.log does not show any entry for the second -551 error,
the one on the stored procedure.

We only get the info on the table:
event status=-551; 
object type=TABLE; 
access approval reason=DENIED; 
... 
 
 
If we drop and recreate the audit policy, this time with the option
"checking status both", we also get the info on the stored procedure
in the audit.out:
... 
event status=0; 
object type=STORED_PROCEDURE; 
access approval reason=DENIED; 
... 
 
 
The "event status=0" stands out and surely explains why we do
not get the event in the audit.log when the status option is set
to "failure".

The documentation for the "CREATE AUDIT POLICY statement" says:
https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050607.html

CHECKING
    Generates records during authorization checking of attempts to
    access or manipulate database objects or functions.
 
FAILURE 
    Only failing events will be audited. 
 
 
So the SQL0551N returned by "call rvol.proc1()" should be
picked up by the audit.
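
An added example (not part of the APAR and not IBM code): a small Python filter over extracted audit text that lists every record with "access approval reason=DENIED" and marks whether its "event status" is negative, which is what a "status failure" policy keeps. The sample records are constructed in the key=value layout quoted above; the "timestamp=" record delimiter and the "object schema" / "object name" fields are assumptions about the extract format.

```python
# Constructed sample; assumption: each record starts at a "timestamp=" line.
SAMPLE_AUDIT_OUT = """\
timestamp=2017-09-29-10.15.01.000001;
  event status=-551;
  object schema=RVOL;
  object name=TAB1;
  object type=TABLE;
  access approval reason=DENIED;

timestamp=2017-09-29-10.15.07.000001;
  event status=0;
  object schema=RVOL;
  object name=PROC1;
  object type=STORED_PROCEDURE;
  access approval reason=DENIED;

timestamp=2017-09-29-10.16.00.000001;
  event status=0;
  object schema=RVOL;
  object name=TAB1;
  object type=TABLE;
  access approval reason=DBADM;
"""

def parse_records(text):
    """Split extracted audit text into one dict per record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().rstrip(";").partition("=")
        if not sep:
            continue  # blank line or "..." filler
        if key.strip() == "timestamp" or not records:
            records.append({})
        records[-1][key.strip()] = value.strip()
    return records

def denied_checks(text):
    """List denials; the last field is True when event status < 0 (a failed event)."""
    rows = []
    for rec in parse_records(text):
        if rec.get("access approval reason") != "DENIED":
            continue
        status = int(rec.get("event status", "0"))
        obj = f'{rec.get("object schema", "?")}.{rec.get("object name", "?")}'
        rows.append((obj, rec.get("object type"), status, status < 0))
    return rows

if __name__ == "__main__":
    print(*denied_checks(SAMPLE_AUDIT_OUT), sep="\n")
```

Run against output collected with "checking status both", rows whose last field is False are denials that a "status failure" policy would not have recorded.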
Problem Summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* ALL                                                          * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See Error Description                                        * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to Db2 11.1 Mod 3 Fix Pack 3 or higher               * 
****************************************************************
Local Fix:
N/A
available fix packs:
Db2 Version 11.1 Mod 3 Fix Pack 3 for Linux, UNIX, and Windows
Db2 Version 11.1 Mod3 Fix Pack3 iFix001 for Linux, UNIX, and Windows
Db2 Version 11.1 Mod3 Fix Pack3 iFix002 for Linux, UNIX, and Windows

Solution
First fixed in Db2 11.1 Mod 3 Fix Pack 3
Workaround
not known / see Local fix
Timestamps
Date  - problem reported    : 29.09.2017
Date  - problem closed      : 19.03.2018
Date  - last modified       : 19.03.2018