Chapter 8. Network trusted contexts and roles 205
5. If the primary authid is not allowed to use the trusted connection or if
SECURITY LABEL verification fails, the connection is returned to an
unconnected state.
8.3 Roles
DB2 extends the trusted context concept to optionally assign a default role to a
trusted context and optionally assign a role to a user of the context.
Roles provide a more flexible technique than groups or users for assigning and
controlling authorization, while improving consistency with industry practice
and improving security.
A database role is a virtual authorization ID that is assigned to an authid through
an established trusted connection.
Within a trusted connection, DB2 allows one and only one role to be associated
with a thread at any point in time.
A role is a database entity to which one or more DB2 privileges can be granted
or from which they can be revoked. Roles provide a means to acquire context-specific privileges.
A trusted context definition specifies one or more authids that are allowed to use
it. As part of “allowing” an authid to use the context, you can also assign a role for
each authid. A trusted context can be defined with or without a default role and
with or without any assigned roles.
Any authorization ID using the trusted context can inherit a role assigned to its
authid as part of the definition of the trusted context. If there was no role
associated with that authid within this context, this authid inherits the privileges of
the default role if one was defined for this context. Otherwise, the authid can only
exercise all privileges that it had prior to initiating the connection (privileges
granted in the usual manner and not through a role). An example of the benefits
of a trusted context without roles is in 8.10.1, “Already verified DRDA requests
into a DB2 server” on page 218.
If there is a default role and an assigned role, the authid’s assigned role takes
precedence and the default role does not apply.
Multiple users can be allowed to use a particular trusted context. A user can be
allowed to use multiple trusted contexts.
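As an added illustration (not part of the Redbook's text), the following DB2 for z/OS DDL defines a trusted context with a default role and an assigned role for one authid, then shows how to verify the definition in the catalog. The context name, role names, authids, address, table and the catalog column names are assumed.

```sql
-- Added example (not from the Redbook): a trusted context with a default
-- role plus an assigned role for one authid. All names and the address are
-- assumed for illustration.

-- Roles are database entities; privileges are granted to the role, not to users.
CREATE ROLE CTX_DEFAULT_ROLE;
CREATE ROLE PAYROLL_ADMIN_ROLE;

GRANT SELECT ON TABLE PAYROLL.EMPLOYEE TO ROLE CTX_DEFAULT_ROLE;
GRANT SELECT, UPDATE ON TABLE PAYROLL.EMPLOYEE TO ROLE PAYROLL_ADMIN_ROLE;

-- The context is keyed on the application server's system authid and its
-- connection attributes; only connections matching them become trusted.
CREATE TRUSTED CONTEXT CTX_APPSRV
  BASED UPON CONNECTION USING SYSTEM AUTHID APPSRV
  ATTRIBUTES (ADDRESS '9.30.28.113', ENCRYPTION 'LOW')
  DEFAULT ROLE CTX_DEFAULT_ROLE
  ENABLE
  WITH USE FOR
    ALICE ROLE PAYROLL_ADMIN_ROLE WITH AUTHENTICATION,  -- assigned role takes precedence
    BOB WITH AUTHENTICATION;                            -- no assigned role: default role applies

-- Resulting behaviour under the precedence rule:
--   ALICE switched in on CTX_APPSRV -> PAYROLL_ADMIN_ROLE (default role does not apply)
--   BOB   switched in on CTX_APPSRV -> CTX_DEFAULT_ROLE
--   any authid not listed           -> not allowed to use the context

-- Verification against the catalog (column names assumed):
SELECT A.AUTHID, A.ROLE, A.AUTHENTICATEFLAG
  FROM SYSIBM.SYSCONTEXT C
  JOIN SYSIBM.SYSCONTEXTAUTHIDS A ON A.CONTEXTID = C.CONTEXTID
 WHERE C.NAME = 'CTX_APPSRV';
```

Run the SELECT after the CREATE to confirm that only the intended authids appear and that the role column shows the assigned role for ALICE and no role for BOB.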
To support roles in a trusted context, DB2 extends the GRANT and REVOKE
statements to add roles to the list of authorization names to which privileges are
