-551 auth-id DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION operation ON OBJECT object-name

Explanation

Authorization IDs or roles were checked for authorization to perform an operation on a Db2 object. None of the authorization IDs or roles were authorized to perform the operation.

auth-id
One of the following values:
  • A list of one to three authorization IDs that were checked for authorization to perform the operation
  • A role name
operation
The operation for which authorization was checked.
object-name
The name of the object on which the operation was to be performed.

Some of the situations in which this error occurs are:

  • For an INSERT, DELETE, or UPDATE statement, the target object is a read-only view.
  • For a CREATE TABLE or CREATE VIEW statement, the authorization ID of the user who issues the CREATE statement does not match the schema name of the object that is to be created.

    You can create a table with a schema name that is different from your authorization ID only if your authorization ID has SYSADM, DBADM, or DBCTRL authority. You can create a view with a schema name that is different from your authorization ID only if your authorization ID has SYSADM authority.

If you are using a trusted context, the auth-id value contains a role name if a role was in effect when the condition was encountered, and the authorization checking was performed against the role. In that case, the auth-id value is in the following format:
ROLE: role-name

If you use the RACF® access control module for authorization checking, auth-id might be different from the value that is reported in message ICH408I. The ID that is reported in message ICH408I is the user ID that RACF used to check the privilege.

In addition to the situations mentioned previously, this error can occur for the following situations:

  • When operation is GRANT ***, the keyword ALL was used in the GRANT statement, but the grantor auth-id does not have any privilege to grant.
  • When operation is GRANT (table or view privileges), the specified privilege cannot be granted on a view or auxiliary table.
  • If operation is DROP PACKAGE, the object-name consists of the collection ID, the package name, and the consistency token. The consistency token uniquely identifies the version of the package that the user does not have authorization to drop.
  • If operation is USAGE OF DISTINCT TYPE, USAGE OF USER-DEFINED TYPE, or USAGE OF JAR, the object-name identifies, respectively, the DISTINCT TYPE, USER-DEFINED TYPE, or JAR for which the auth-id lacks USAGE privilege.
  • If operation is ALTER JAR, the auth-id lacks ALTERIN privilege on the schema of the JAR object-name.
  • If this error occurs while Db2 is creating or altering a table that involves referential constraints, this error message reports that the user does not have the necessary ALTER privilege to perform a FOREIGN KEY, DROP FOREIGN KEY, DROP PRIMARY KEY, or DROP UNIQUE operation. The object-name identifies the object table of the CREATE or ALTER TABLE statement, not the table for which the user lacks the ALTER privilege.
  • If this error occurs for a distributed SQL request, one of the following conditions can occur:
    • If authorization ID translation is in effect for either the requesting Db2 site or the serving (responding) Db2 site, then auth-id is the translated authorization ID. Refer to Part 3 (Volume 1) of the Db2 Administration Guide for information on authorization ID translation.
    • If an alias name was used in the SQL statement, the object-name is the resolved remote table name or view name.
  • If this error occurs during invocation of a routine, the authorization ID auth-id does not have the EXECUTE privilege on any candidate routine in the SQL path. The variable for object-name is the name of a candidate routine in the SQL path.
  • An object does not exist, and the CURRENT RULES special register is set to STD.
  • This error might occur for packages that are bound with the DYNAMICRULES(BIND) option when authorization caching, statement caching, or both are enabled and if the following conditions exist:
    • The access control authorization exit routine is active
    • The AUTHEXIT_CHECK subsystem parameter is set to PRIMARY
    • The authorization ID of the process does not have the necessary privileges.
  • If the access control authorization exit is active and the AUTHEXIT_CHECK subsystem parameter is set to DB2, this error might occur if an ACEE cannot be created for the authorization ID auth-id.
  • If operation is CREATE VARIABLE or DROP VARIABLE, the auth-id lacks the necessary privileges to perform this action.
  • When operation is CREATE, the OR REPLACE clause was specified, and the object already exists, the user who issues the statement must be the owner of the object that is to be replaced. The security administrator, who holds SECADM authority, can use the TRANSFER OWNERSHIP statement to transfer the ownership of the object, if necessary.
  • FL 509 If operation is UPDATE or DELETE and object-name is SYSIBM.SYSAUDITPOLICIES, this error might occur if the auth-id lacks access to the audit policy profile in the RACF DSNR class.

System action

The statement cannot be processed.

Programmer response

To correct the error, verify the following situations:
  • The auth-id has the authority to perform the operation.
  • The object-name exists.
  • The auth-id is not trying to create a table with a schema qualifier that is not the same as auth-id.
  • If you are using the access control authorization exit with RACF, ensure that the authorization ID auth-id is defined in RACF and was granted the required privilege to perform the operation. Check the USER value in RACF message ICH408I to determine the authorization ID that attempted to perform the operation.
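The following SQL is an added worked example, not part of the IBM message reference. It walks through the Programmer response checks (does the auth-id hold the privilege, does the object exist, grant only what the failing statement needs) and also shows the schema-qualifier case from the Explanation. The authorization ID ALICE, the schema PAYROLL, the table EMP, the procedure CALC_PAY and the column list are constructed placeholders; the catalog tables SYSIBM.SYSTABAUTH, SYSIBM.SYSTABLES and SYSIBM.SYSROUTINEAUTH are real Db2 for z/OS catalog tables.

```sql
-- Added example (not from the message reference). ALICE, PAYROLL, EMP and
-- CALC_PAY are constructed placeholders; catalog table names are real.

-- 1. Schema-qualifier case from the Explanation: ALICE has none of SYSADM,
--    DBADM or DBCTRL, so a table whose schema differs from her auth-id fails.
CREATE TABLE PAYROLL.EMP_NEW (EMPNO CHAR(6) NOT NULL, SALARY DECIMAL(9,2));  -- SQLCODE -551 for ALICE
CREATE TABLE ALICE.EMP_NEW   (EMPNO CHAR(6) NOT NULL, SALARY DECIMAL(9,2));  -- succeeds: qualifier = auth-id

-- 2. Programmer response, first check: does the auth-id (or PUBLIC) already hold
--    the table privilege? SYSTABAUTH records explicit table/view grants; a value
--    of 'Y' (held) or 'G' (held with GRANT option) in a *AUTH column means yes.
SELECT GRANTEE, GRANTOR, TCREATOR, TTNAME,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, ALTERAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
   AND GRANTEE IN ('ALICE', 'PUBLIC');

-- 3. Second check: does the object exist? A missing object is also reported as
--    -551 when the CURRENT RULES special register is set to STD.
SELECT CREATOR, NAME, TYPE
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'PAYROLL'
   AND NAME    = 'EMP';

-- 4. Fix: grant only the privilege the failing statement needs, issued by the
--    object owner or an ID with the required authority (least privilege, rather
--    than ALL or a broader administrative authority).
GRANT UPDATE ON TABLE PAYROLL.EMP TO ALICE;

-- 5. Routine invocation case: the auth-id needs EXECUTE on a candidate routine
--    in the SQL path. Check SYSROUTINEAUTH, then grant on the specific routine.
SELECT SCHEMA, SPECIFICNAME, ROUTINETYPE, GRANTEE, EXECUTEAUTH
  FROM SYSIBM.SYSROUTINEAUTH
 WHERE SCHEMA  = 'PAYROLL'
   AND GRANTEE IN ('ALICE', 'PUBLIC');
GRANT EXECUTE ON PROCEDURE PAYROLL.CALC_PAY TO ALICE;
```

Run the two catalog queries before granting anything: an empty result from step 2 with a row from step 3 confirms a genuine missing privilege, while an empty result from step 3 means the object name (or the alias it resolves to, in the distributed case) is the real problem and no grant will help. When RACF is performing the check through the access control authorization exit, the catalog rows above are not consulted, so the ICH408I USER value is the authoritative place to confirm which ID was checked.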

SQLSTATE

42501