（转）SQL1092N "USER" does not have the authority to perform therequested command -

http://dbaspot.com/forums/db2-udb/203214-sql1092n-user-does-not-have-authority-perform-therequested-command.html

SQL1092N "USER" does not have the authority to perform therequested command - db2-udb

This is a discussion on SQL1092N "USER" does not have the authority to perform therequested command - db2-udb ; Hi all, i have a problem with the authority feature on my machine. It keeps on saying i don't have permission to run "CREATE DATABASE" command in db2cmd. I also having permission issue opening control center. Err : SQL1092N "KONGK" ...

Home > Database Forum > Other Databases > db2-udb > SQL1092N "USER" does not have the authority to perform therequested command

Thread Tools

Display Modes

  #1  

 08-03-2007, 02:30 AM

Database Administrator  Database Bot

Join Date: Sep 2009 Posts: 1,236,248

 SQL1092N "USER" does not have the authority to perform therequested command

---

Hi all, i have a problem with the authority feature on my machine.

It keeps on saying i don't have permission to run "CREATE DATABASE" command in db2cmd. I also having permission issue opening control center.

Err :

SQL1092N "KONGK" does not have the authority to perform the requested
command.

The following is "get dbm cfg" output :

SYSADM group name (SYSADM_GROUP) = DB2ADMNS
SYSCTRL group name (SYSCTRL_GROUP) =
SYSMAINT group name (SYSMAINT_GROUP) =

I am using domain account login to windows. I have already added domain account kongk into local group DB2ADMNS and it is part of local administrator group.

Please help as i cant find any workaround on this.

Info :

DB2 UDB v8.1 for windows
Platform Windows XP Professional Edition


Can someone please advice what should i do to workaround this issue ?

Thanks in advance.

  #2  

 08-03-2007, 07:11 AM

Database Administrator  Database Bot

Join Date: Sep 2009 Posts: 1,236,248

 Re: SQL1092N "USER" does not have the authority to perform therequested command

---

Hi,

If a user logs on to a domain account and tries to access a DB2 database, DB2 goes to a Domain Controller to enumerate groups (including the Administrator's group). You can change this behavior in either of two ways:

1. Set the registry variable DB2_GRP_LOOKUP = local and add the domain accounts (or global groups) to the local Administrators group.
2. Update the database manager configuration file to specify a new group. If you want that group enumerated on the local machine, then you must also set the DB2_GRP_LOOKUP registry variable.

By default in a Windows NT domain environment, only domain users that belong to the Administrators group at the Primary Domain Controller (PDC) have SYSADM authority on an instance. Since DB2 always performs authorization at the machine where the account is defined, adding a domain user to the local Administrators group on the server does not grant the domain user SYSADM authority to the group.

To avoid adding a domain user to the Administrators group at the PDC, you should create a global group and add the users (both domain and local) that you want to grant SYSADM authority. To do this, enter the following commands:

DB2STOP
DB2 UPDATE DBM CFG USING SYSADM_GROUP global_group
DB2START

  #3  

 08-03-2007, 11:48 AM

Database Administrator  Database Bot

Join Date: Sep 2009 Posts: 1,236,248

 Re: SQL1092N "USER" does not have the authority to perform therequested command

---

hi elza, thanks a lot !!! it works well now. i can create database and open control center now without any problem.

Here is what i did as per your suggestion :

1. Set the registry variable DB2_GRP_LOOKUP = local and add the domain accounts (or global groups) to the local Administrators group.
- db2set DB2_GRP_LOOKUP=local ?g
2. create new group ?DB2ADMNS?
3. Add both db2admin user and domain user into DB2ADMNS group
4.Update the database manager configuration file to specify a new group.
Db2 update dbm cfg using sysadm_group DB2ADMNS
5. db2stop
6. db2start

  #4  

 08-04-2007, 10:32 AM

Database Administrator  Database Bot

Join Date: Sep 2009 Posts: 1,236,248

 Re: SQL1092N "USER" does not have the authority to perform the requestedcommand

---

d9832834@yahoo.com.au wrote:
> hi elza, thanks a lot !!! it works well now. i can create database and open control center now without any problem.
>
> Here is what i did as per your suggestion :
>
> 1. Set the registry variable DB2_GRP_LOOKUP = local and add the domain accounts (or global groups) to the local Administrators group.
> - db2set DB2_GRP_LOOKUP=local ?g
> 2. create new group ?DB2ADMNS?
> 3. Add both db2admin user and domain user into DB2ADMNS group
> 4.Update the database manager configuration file to specify a new group.
> Db2 update dbm cfg using sysadm_group DB2ADMNS
> 5. db2stop
> 6. db2start
>

The only change that you needed to make was #1 (and #5, #6, of course).

Just so you understand, setting DB2_GRP_LOOKUP=local tells DB2 to
enumerate a user's group memberships on the local machine, regardless
of where (i.e. local machine or PDC) the user account was authenticated.

The purpose of this is to allow you to define group memberships in one
location. The default is somewhat confusing, because you can end up
with 2 groups (DOMAIN\group and LOCALMACHINE\group), with different
members ...

  #5  

 08-05-2007, 05:27 AM

Database Administrator  Database Bot

Join Date: Sep 2009 Posts: 1,236,248

 Re: SQL1092N "USER" does not have the authority to perform therequested<br> command

---

Hi Ian, thanks for your input. I really appreciate 

It works well now in my machine.

  #6  

 09-28-2007, 01:22 AM

Database Administrator  Database Bot

Join Date: Sep 2009 Posts: 1,236,248

 Re: SQL1092N "USER" does not have the authority to perform therequested<br> command

---

I have tried everything in this article and still have the problem. My environment is:
- New to DB2 Express C
- Windows XP SP2
- Signed on as domain user
- My profile is a Domain Admin
- DB2 Express C installed on my local machine
- DB2ADMINS and DB2USER are local groups
- My domain user ID as a member of DBADMINS and DBUSERS
- I did have a local user with the same name as my domain user but I have deleted it as per this article:http://publib.boulder.ibm.com/infoce...c/r0005907.htm
- Stop/Start DB2 after making the change.
- Here are my settings
C:\Program Files\IBM\SQLLIB\BIN>db2set -all
[e] DB2PATH=C:\Program Files\IBM\SQLLIB
[i] DB2_CREATE_DB_ON_PATH=ON
[i] DB2_GRP_LOOKUP=local
[i] DB2INSTPROF=C:\Program Files\IBM\SQLLIB
[i] DB2COMM=TCPIP
[g] DB2_EXTSECURITY=YES
[g] DB2PROCESSORS=0,1
[g] DB2_GRP_LOOKUP=local
[g] DB2SYSTEM=SEDGE
[g] DB2PATH=C:\Program Files\IBM\SQLLIB
[g] DB2INSTDEF=DB2
[g] DB2ADMINSERVER=DB2DAS00

Thanks
Steve

  #7  

 08-17-2010, 11:16 AM

Tiger_trace  Database Newbie

Join Date: Aug 2010 Posts: 1

 Re: SQL1092N "USER" does not have the authority to perform therequested command

---

Hi Steve

I don't know if you eventually found the answer to this...?
After a lot of scratching around and trial & error, I managed to get it to work by doing the following:
1. db2set DB2_GRP_LOOKUP=LOCAL,TOKENLOCAL
2. db2stop
3. db2start

I hope that this helps you.