EXECUTE AS USER in DB2


We are trying to debug a very old web application that uses DB2.

I would like to run a trace to see what happens when I click on a button but as soon as I try I receive this error:

create event monitor ........ for statement where AUTH_ID='.......' write to table
"USER" does not have privilege to perform operation "CREATE EVENT MONITOR".. SQLCODE=-552, SQLSTATE=42502,


It is evident to me that our user doesn't have enough privileges to run a trace.

In T-SQL there is a way to impersonate another user:

USE AdventureWorks2019
GO
EXECUTE AS USER = 'Test';
SELECT * FROM Customer;
REVERT;

I would like to know if there is the same command in DB2.

The goal is to try to run something like SQL Server Profiler for DB2 and sniff the queries.

Yes, I already tried to run GRANT DBADM ON DATABASE TO USER E.....O and of course the system replied:

"E.....O" does not have the privilege to perform operation "GRANT".. SQLCODE=-552, SQLSTATE=42502, DRIVER=3.69.56

We are stuck and we cannot move forward because we cannot know how the queries work. Asking for more privileges for our user is not an option, as we are migrating a customer from a competitor to our side.

What I'm trying to do is a sort of privilege escalation without committing any crime.

I also thought about connecting to the DB2 database from SQL Server and using PolyBase, but as far as I know such a feature only allows me to query, and I cannot sniff the parameters.


Db2 has a couple of ways to "impersonate", but all within the security architecture and fully audited.

  • I would recommend checking out "Trusted Context", basically adding privileges or switching roles based on predefined connection properties.
  • Another option is to look into SET SESSION AUTHORIZATION (also known as SET SESSION_USER). It switches the SESSION_USER to a different user ID.

As said, that works with the proper privileges and the security admin involved.

Depending on what you want to inspect, db2trc and other commands could be of use, too.
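As an added example (not part of the answer above, and not taken from Db2's documentation), here is how a Db2 security administrator could set up each of the two mechanisms the answer names so that one application account can create the statement event monitor from the question without being granted DBADM outright. All user, role, context, monitor and address names (APPUSER, TRACER, TRACEROLE, MONCTX, STMTMON, 192.0.2.10) are constructed placeholders.

```sql
-- Added example (not from the answer or from Db2's own documentation).
-- Run by a SECADM/DBADM: give one account audited, scoped access to create a
-- statement event monitor instead of granting it broad DBADM authority.
-- All names and the address below are constructed placeholders.

-- 1. A role carrying only what CREATE EVENT MONITOR needs.
--    (The statement requires DBADM or SQLADM; SQLADM is the narrower one.)
CREATE ROLE tracerole;
GRANT SQLADM ON DATABASE TO ROLE tracerole;

-- 2. Trusted context: APPUSER receives the role only when the connection
--    comes from the listed address. From anywhere else the same account
--    keeps its ordinary privileges, and the context can be DISABLEd or
--    dropped once the investigation is over.
CREATE TRUSTED CONTEXT monctx
  BASED UPON CONNECTION USING SYSTEM AUTHID appuser
  ATTRIBUTES (ADDRESS '192.0.2.10')
  DEFAULT ROLE tracerole
  ENABLE;

-- 3. Alternative: a dedicated TRACER account holds the role, and APPUSER is
--    allowed to switch SESSION_USER to it. Db2 records the switch, so the
--    audit trail shows who actually created the monitor.
GRANT ROLE tracerole TO USER tracer;
GRANT SETSESSIONUSER ON USER tracer TO USER appuser;

-- Inside an APPUSER session (path 3 shown; with path 2 the switch is not
-- needed because the role is already active). Commit first: the session
-- user can only be changed at the start of a unit of work.
COMMIT;
SET SESSION AUTHORIZATION = 'TRACER';

-- The statement from the question, now permitted. The filter keeps the
-- monitor limited to the application's own user ID.
CREATE EVENT MONITOR stmtmon FOR STATEMENTS
  WHERE AUTH_ID = 'APPUSER'
  WRITE TO TABLE;
SET EVENT MONITOR stmtmon STATE 1;

-- ... click the button in the application, then stop collecting ...
SET EVENT MONITOR stmtmon STATE 0;

-- Default target table is <logical group>_<monitor name>, here STMT_STMTMON.
SELECT stmt_text FROM stmt_stmtmon;

-- Clean up so the elevated path does not outlive the debugging session.
DROP EVENT MONITOR stmtmon;
ALTER TRUSTED CONTEXT monctx ALTER DISABLE;
```

Both paths leave the privilege with the security administrator: the trusted context binds the role to a specific connection origin, and SETSESSIONUSER on a named user is narrower than SETSESSIONUSER ON PUBLIC. Either way the event monitor tables are owned by a normal database object and can be dropped when the investigation ends.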