http://dbaspot.com/forums/db2-udb/203214-sql1092n-user-does-not-have-authority-perform-therequested-command.html

SQL1092N "USER" does not have the authority to perform the requested command - db2-udb



  # 1  





  SQL1092N "USER" does not have the authority to perform the requested command








Hi all, I have a problem with the authority feature on my machine.

It keeps on saying I don't have permission to run the "CREATE DATABASE" command in db2cmd. I am also having a permission issue opening control center.

Err :

SQL1092N "KONGK" does not have the authority to perform the requested command.

The following is "get dbm cfg" output :

SYSADM group name (SYSADM_GROUP) = DB2ADMNS
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =

I am using a domain account to log in to Windows. I have already added domain account kongk into local group DB2ADMNS and it is part of the local administrator group.

Please help as I can't find any workaround on this.

Info :

DB2 UDB v8.1 for Windows
Platform Windows XP Professional Edition

Can someone please advise what I should do to work around this issue?

Thanks in advance.










  # 2  





  Re: SQL1092N "USER" does not have the authority to perform the requested command




Hi,

If a user logs on to a domain account and tries to access a DB2 database, DB2 goes to a Domain Controller to enumerate groups (including the Administrator's group). You can change this behavior in either of two ways:

1. Set the registry variable DB2_GRP_LOOKUP = local and add the domain accounts (or global groups) to the local Administrators group.
2. Update the database manager configuration file to specify a new group. If you want that group enumerated on the local machine, then you must also set the DB2_GRP_LOOKUP registry variable.

By default in a Windows NT domain environment, only domain users that belong to the Administrators group at the Primary Domain Controller (PDC) have SYSADM authority on an instance. Since DB2 always performs authorization at the machine where the account is defined, adding a domain user to the local Administrators group on the server does not grant the domain user SYSADM authority to the group.

To avoid adding a domain user to the Administrators group at the PDC, you should create a global group and add the users (both domain and local) that you want to grant SYSADM authority. To do this, enter the following commands:

DB2STOP
DB2 UPDATE DBM CFG USING SYSADM_GROUP global_group
DB2START




Database Administrator 


Database Bot

 


Join Date: Sep 2009


Posts: 1,236,248






  # 3  




  Re: SQL1092N "USER" does not have the authority to perform the requested command




Hi elza, thanks a lot!!! It works well now. I can create database and open control center now without any problem.

Here is what I did as per your suggestion:

1. Set the registry variable DB2_GRP_LOOKUP = local and add the domain accounts (or global groups) to the local Administrators group.
- db2set DB2_GRP_LOOKUP=local -g
2. Create new group "DB2ADMNS"
3. Add both db2admin user and domain user into DB2ADMNS group
4. Update the database manager configuration file to specify a new group.
Db2 update dbm cfg using sysadm_group DB2ADMNS
5. db2stop
6. db2start










  # 4  




  Re: SQL1092N "USER" does not have the authority to perform the requested command




d9832834@yahoo.com.au wrote:
> Hi elza, thanks a lot!!! It works well now. I can create database and open control center now without any problem.
>
> Here is what I did as per your suggestion:
>
> 1. Set the registry variable DB2_GRP_LOOKUP = local and add the domain accounts (or global groups) to the local Administrators group.
> - db2set DB2_GRP_LOOKUP=local -g
> 2. Create new group "DB2ADMNS"
> 3. Add both db2admin user and domain user into DB2ADMNS group
> 4. Update the database manager configuration file to specify a new group.
> Db2 update dbm cfg using sysadm_group DB2ADMNS
> 5. db2stop
> 6. db2start
>

The only change that you needed to make was #1 (and #5, #6, of course).

Just so you understand, setting DB2_GRP_LOOKUP=local tells DB2 to
enumerate a user's group memberships on the local machine, regardless
of where (i.e. local machine or PDC) the user account was authenticated.

The purpose of this is to allow you to define group memberships in one
location. The default is somewhat confusing, because you can end up
with 2 groups (DOMAIN\group and LOCALMACHINE\group), with different
members ...










  # 5  





  Re: SQL1092N "USER" does not have the authority to perform the requested command




Hi Ian, thanks for your input. I really appreciate 



It works well now in my machine.










  # 6  




  Re: SQL1092N "USER" does not have the authority to perform the requested command




I have tried everything in this article and still have the problem. My environment is:
- New to DB2 Express C
- Windows XP SP2
- Signed on as domain user
- My profile is a Domain Admin
- DB2 Express C installed on my local machine
- DB2ADMINS and DB2USER are local groups
- My domain user ID as a member of DBADMINS and DBUSERS
- I did have a local user with the same name as my domain user but I have deleted it as per this article: http://publib.boulder.ibm.com/infoce...c/r0005907.htm
- Stop/Start DB2 after making the change.
- Here are my settings
C:\Program Files\IBM\SQLLIB\BIN>db2set -all
[e] DB2PATH=C:\Program Files\IBM\SQLLIB
[i] DB2_CREATE_DB_ON_PATH=ON
[i] DB2_GRP_LOOKUP=local
[i] DB2INSTPROF=C:\Program Files\IBM\SQLLIB
[i] DB2COMM=TCPIP
[g] DB2_EXTSECURITY=YES
[g] DB2PROCESSORS=0,1
[g] DB2_GRP_LOOKUP=local
[g] DB2SYSTEM=SEDGE
[g] DB2PATH=C:\Program Files\IBM\SQLLIB
[g] DB2INSTDEF=DB2
[g] DB2ADMINSERVER=DB2DAS00

Thanks
Steve










  # 7  




  Re: SQL1092N "USER" does not have the authority to perform the requested command




Hi Steve

I don't know if you eventually found the answer to this...?
After a lot of scratching around and trial & error, I managed to get it to work by doing the following:
1. db2set DB2_GRP_LOOKUP=LOCAL,TOKENLOCAL
2. db2stop
3. db2start

I hope that this helps you.




Tiger_trace 


Database Newbie

 


Join Date: Aug 2010


Posts: 1
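
An added example, not part of the thread and not IBM's code: a small Python audit that reads captured `db2set -all` and `get dbm cfg` output (constructed here from the lines posted in the thread) and reports which group grants SYSADM and whether group membership is looked up locally. The function names are hypothetical, and the scope precedence used (environment, user, node, instance, global) is an assumption to confirm against the documentation for your DB2 version.

```python
import re

# Scope tags from `db2set -all`, highest precedence first (assumed order).
SCOPE_ORDER = ["e", "u", "n", "i", "g"]

# Constructed sample: registry lines from reply #6, dbm cfg lines from post #1.
DB2SET_ALL = """\
[i] DB2_GRP_LOOKUP=local
[i] DB2COMM=TCPIP
[g] DB2_GRP_LOOKUP=local
"""
DBM_CFG = """\
SYSADM group name (SYSADM_GROUP) = DB2ADMNS
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =
"""

def parse_db2set(text):
    """Return {VARIABLE: {scope: value}} from `db2set -all` output."""
    registry = {}
    for m in re.finditer(r"^\[(\w)\][ \t]*([^=\s]+)=(.*)$", text, re.M):
        scope, name, value = m.groups()
        registry.setdefault(name.upper(), {})[scope] = value.strip()
    return registry

def effective(registry, name):
    """Value in effect: the first scope in SCOPE_ORDER that sets the variable."""
    scopes = registry.get(name.upper(), {})
    return next((scopes[s] for s in SCOPE_ORDER if s in scopes), None)

def parse_dbm_cfg(text):
    """Return {PARAM: value} for the authority-group lines of `get dbm cfg`."""
    pairs = re.findall(r"\((SYS\w+_GROUP)\)\s*=[ \t]*(.*)$", text, re.M)
    return {param: value.strip() for param, value in pairs}

def audit(db2set_text, dbm_cfg_text):
    """Summarise which group grants SYSADM and where its members are looked up."""
    reg, cfg = parse_db2set(db2set_text), parse_dbm_cfg(dbm_cfg_text)
    lookup = effective(reg, "DB2_GRP_LOOKUP")
    values = {v.lower() for v in reg.get("DB2_GRP_LOOKUP", {}).values()}
    return {
        "sysadm_group": cfg.get("SYSADM_GROUP") or None,
        "unset_groups": sorted(k for k, v in cfg.items() if not v),
        "grp_lookup": lookup,  # None means the variable is not set at any scope
        "local_lookup": bool(lookup) and lookup.split(",")[0].strip().lower() == "local",
        "conflicting_scopes": len(values) > 1,  # scopes disagree; one shadows another
    }

if __name__ == "__main__":
    print(audit(DB2SET_ALL, DBM_CFG))
```

Run it against output captured from the instance in question. A result with `local_lookup` false while the SYSADM group is a local group matches the situation in post #1, where a domain user's local group membership was not being consulted.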