When we get -551 in the SQLCODE then there is some privilege level issue. It signifies that the user does not have access to the database/tablespace/view/table that he is trying to access. As per the IBM documentation -551 SQLCODE states that.
-551 auth-id DOES NOT HAVE THE PRIVILEGE TO PERFORM OPERATION operation ON OBJECT object-name
There are DCL (Data control language) statements which are used by DBAs in order to control the access on DB2 objects. We can raise a request with DBA to provide access to the particular object for which user is getting -551 SQLCODE.
Following DCL statement will give access to user id Z5564 to execute PLAN ORDERPLAN:
GRANT EXECUTE ON PLAN ORDERPLAN TO Z5564
In a practical scenario, the access on DB2 objects such as PLAN, TABLES, VIEWS, etc., is given at RACF level rather than at user level. RACF stands for Resource Access Control Facility which is a Z/OS security management product used for providing access control and auditing purposes.
The RACF contains its own database having different RACF groups. Each user in the mainframe will be assigned to a RACF group.
For example, there are 3 departments in an organization: SALES, MARKETING, WARRANTY. So, 3 RACF groups can be created for each department and each RACF group has employee user ids for respective employees. The access to DB2 can be given based on RACF groups. So the SALES group can have access to ORDERS, TRANSACTIONS table. The MARKETING group can have access to DEALERS and INCENTIVE table and WARRANTY group can have access to PRODUCTS and VENDORS table.
If the user from one RACF group will try to access the table assigned for a different group, then the user will get -551 DB2 error code.