I was at a customer and we had access to a break glass userid to fix a problem in production. An audit record was written for everything this userid did. Perhaps have a second userid (as suggested) and log what it changes.
Colin

On Mon, 24 Nov 2025 at 15:16, Thomas Berg <[email protected]> wrote:

> During a period until retirement I had two userids. Maybe that would be
> the solution.
> (This was because I handled the maintenance etc of the development
> environment and needed a userid that had "normal" permissions to test it
> from a user perspective as I had too many permissions to do that
> realistically.)
>
> Thomas Berg
>
> "I wash off the hatred of my enemies and the greed and wrath of powerful
> people."
>
> “I clearly saw the skeleton underneath all this show of personality. What
> is left of a man and all his pride but bones?”
>
> On Mon, 24 Nov 2025 at 13:07, Binyamin Dissen <[email protected]> wrote:
>
> > I wanted a drop in solution with just RACF & DB2 commands. Doesn't look
> > like it exists.
> >
> > On Sun, 23 Nov 2025 23:10:10 -0600 Jon Perryman <[email protected]>
> > wrote:
> >
> > :>On Mon, 24 Nov 2025 00:40:47 +0200, Binyamin Dissen
> > <[email protected]> wrote:
> >
> > :>>DB2 query - is there a way to give a specific permission for a user to
> > :>>SET CURRENT SQLID to another user without special privileges? Something
> > :>>thru the surrogate class?
> >
> > :>I researched (never implemented) this for a project and found that DB2
> > secondary authorization id's are implemented through a DB2 user exit.
> > Maybe someone has used it but if not, the doc is
> > https://www.ibm.com/docs/en/db2-for-zos/13.0.0?topic=applications-using-secondary-ids-sign-requests
> >
> > :>I suspect you could implement it using SURROGAT but I suspect there must
> > be a reason why IBM chose RACF groups. Hopefully someone has some real
> > experience.
> >
> > --
> > Binyamin Dissen <[email protected]>
> > http://www.dissensoftware.com
> >
> > Director, Dissen Software, Bar & Grill - Israel
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
