In DB2 the value of special register CURRENT SQLID determines what you are allowed to do. You can issue a SELECT CURRENT SQLID FROM SYSIBM.SYSDUMMY1 to determine the value of your CURRENT SQLID. In a program using static SQL you can use an EXEC SQL SET :hostvar = CURRENT SQLID to get the same value.

When you have found the value of your CURRENT SQLID then you can make queries against the DB2 catalogoue tables with the suffix AUTH in order to determine what you are allowed to do. Your WHERE clause must include the predicate GRANTEE = the current sqlid.

The highest normal level of authorization in DB2 is called SYSADM. If your CURRENT SQLID is granted this privilege you can change the CURRENT SQLID to any other SQLID by issuing a SET CURRENT SQLID = something. It is possible to allow other SQLID's to change their SQLID's, but only if the system programmers at your installation has manipulated the two security exits in DB2. One of the exits is called the signon exit (DSN3@SGN) and the other is called the connection exit (DSN3@ATH). IBM has made a sample of each of these two exits. Some installations uses these two samples as is. They allow most users to change their CURRENT SQLID but only to a set of well defined values.

When you can change CURRENT SQLID and you are not SYSADM then there is no way in DB2 to see what values you are allowed to change to. Only the security exits knows this. This is because the security exits gains control before there is established any connection to DB2. In order to carry out a SQL statement you have to have a CURRENT SQLID and therefore you cannot query DB2 about your possible SQLID values, otherwise you would get access to DB2 without any identification. Therefore the two security exits must rely on other sources in order to validate a change in SQLID. The samples uses RACF, but it is possible to use other sources except DB2 itself.

If you want to know what SQLID's you are allowed to change to and you are not SYSADM, you have to know how the security exits works at your installation. This sounds pretty simple, but usually it isn't. There is definately room for improvement in this part of DB2. Well, you probably know what SQLID's you can change to or you can ask someone. The DB2 databaseadministrators are the first to be asked, but they typically don't know anything about the security exits, because they are all SYSADM's and changes the SQLID as they wish. Next one in line is the DB2 systems progammer who made the exit work many years ago. He has left the company or is working with something completely different. Then you can read more about the security exits in the DB2 administration guide.