IBM Data and AI Ideas Portal for Customers



Status Future consideration
Workspace Db2 for z/OS
Created by Guest
Created on Apr 3, 2023
Merged idea
This idea has been merged into another idea. To comment or vote on this idea, please visit DB24ZOS-I-1347 Expand the scope of TRANSFER OWNERSHIP DDL.

Specify OWNER for External Stored Procedures Merged

We use a CI/CD pipeline to create external stored procedures in all test environments and production. The pipeline uses a single userID to create all objects, a user with as low privileges as possible and absolutely not SYSADM. When creating plans, packages and native stored procedures the pipeline sets the OWNER to a value that represents a RACF group belonging to the application involved. The CI/CD user can do that as you only need BINDAGENT privilege to set the OWNER. We use AUTHEXIT_CHECK=DB2 and that leads to privileges being verified against the OWNER of the plan, package or stored procedure.

For external stored procedures you cannot specify OWNER. The value is implicitly set to the value of CURRENT SQLID. To use SET CURRENT SQLID the value specified has to be a secondary authid for the user (or the user has to have high privileges). If the pipeline user gets all the authids needed it gets too high privileges. Our work-around solution now is to use the same SQLID when creating all external stored procedures. The RACF group used for this has no privileges at all.

Why is this a problem to us? When the stored procedure executes a package the privileges are first checked against the owner of the stored procedure. If that owner does not have the privileges it is checked against the owner of SYSSTAT (or probably the plan if the stored procedure is called using static SQL). And if that fails too it is checked against the caller of the stored procedure. This means in our case that the caller has to have execute privilege on all the packages that are used by the stored procedure.

The other problem is that native stored procedures and external stored procedures are handled in different ways.

We suggest that the CREATE PROCEDURE statement for external stored procedures is enhanced with the OWNER keyword. We do not need the enhancement for external SQL procedures.

Needed By Quarter
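
The check order described in the post above, modelled as an added example (not part of the original post, and not Db2 code): it computes which packages each caller must hold EXECUTE on when the procedure is owned by the shared no-privilege SQLID versus an application group. All authids, package names and function names are constructed assumptions.

```python
# Added illustration: models the privilege-check order as described in the
# post (procedure owner, then a fallback owner, then the caller).
# Not Db2 code; every authid and package name below is constructed.

def first_authorizer(package, check_order, execute_grants):
    """Return the first authid in check_order holding EXECUTE on package."""
    for authid in check_order:
        if package in execute_grants.get(authid, set()):
            return authid
    return None


def caller_grants_required(packages, proc_owner, fallback_owner, execute_grants):
    """Packages that neither owner covers, so each caller needs EXECUTE itself."""
    return sorted(
        p for p in packages
        if first_authorizer(p, [proc_owner, fallback_owner], execute_grants) is None
    )


# Constructed sample: three packages used by one external stored procedure.
PACKAGES = ["PAYCOLL.PAY001", "PAYCOLL.PAY002", "PAYCOLL.PAY003"]
EXECUTE_GRANTS = {
    "APPPAY": set(PACKAGES),        # application RACF group (hypothetical)
    "NOPRIV": set(),                # shared SQLID with no privileges (the work-around)
    "PLANOWN": {"PAYCOLL.PAY003"},  # fallback owner (hypothetical)
}

WORKAROUND = caller_grants_required(PACKAGES, "NOPRIV", "PLANOWN", EXECUTE_GRANTS)
WITH_APP_OWNER = caller_grants_required(PACKAGES, "APPPAY", "PLANOWN", EXECUTE_GRANTS)

if __name__ == "__main__":
    print("caller needs EXECUTE on (work-around):", WORKAROUND)
    print("caller needs EXECUTE on (application owner):", WITH_APP_OWNER)
```

Every package listed for the work-around case is a grant that has to be repeated for each caller, which is the privilege spread the post is asking to avoid.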
  • Admin
    Janet Figone
    Nov 7, 2023

    Martin, I merged this idea with DB24ZOS-I-1347.

  • Guest
    Oct 5, 2023

    I am the one who registered this Aha Idea. After discussing it with IBM I recommend anyone thinking about voting for this to vote for DB24ZOS-I-1347 "Expand the scope of TRANSFER OWNERSHIP DDL" instead. That is a much better solution that solves more problems.

    @IBM You may close this Aha Idea stating "wont do" if you want to.

  • Admin
    Janet Figone
    May 15, 2023

    Martin, Thank you. The SME reviewing this idea is aware of your update.

  • Guest
    May 10, 2023

    I realised that I described a detail the wrong way. You cannot specify OWNER when creating a native stored procedure either. We need this enhancement for native stored procedures too.