Re: STRSQL, CREATE TRIGGER results in SQL0552 -- MIDRANGE-L

Not a PTF issue.

It's because the CREATE TRIGGER statement contains "secured".

DSPMSGD RANGE(SQL0552) MSGF(QSQLMSG)
-- CREATE, ALTER, DROP, LABEL ON and COMMENT ON of a MASK or PERMISSION

requires that the authorization ID associated with the statement be
authorized to the QIBM_DB_SECADM function. The same authorization is
required to RENAME, DROP or delete an object that is referenced by a mask
or
permission and to CREATE, DROP, or ALTER a secure TRIGGER or FUNCTION.

The key being:
CREATE, ... a secure TRIGGER ...
and
...authorized to the QIBM_DB_SECADM function

WRKFCNUSG FCNID(QIBM_DB_SECADM)
On one lpar I noticed
Function ID . . . . . . : QIBM_DB_SECADM
Function name . . . . . : Database Security Administrator

Description . . . . . . : Database Security Administrator Functions

Product . . . . . . . . : QIBM_BASE_OPERATING_SYSTEM
Group . . . . . . . . . : QIBM_DB

Default authority . . . . . . . . . . . . : *DENIED
*ALLOBJ special authority . . . . . . . . : *NOTUSED

User Type Usage User Type Usage
ROB User *ALLOWED

The machine where it didn't work I noticed no ROB. So I ran:
CHGFCNUSG FCNID(QIBM_DB_SECADM) USER(ROB) USAGE(*ALLOWED)

If you are running in an HA environment I strongly suggest you add your HA
vendor's profile. On all affected LPARs

It's a "separation of duties" thing. Why should someone, just because
they have *ALLOBJ, *SECADM, etc, be allowed to remove a "secured" trigger
from a file to do questionable maintenance and then add the trigger back
on?

Rob Berendt

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.