IBM DB2 Manual page 479

6. A user with authority to bind packages on the bind-and-run system runs the
db2sqljbind command on the customized serialized profiles that were copied
from the customization-only system.
v Use a stored procedure to do customization: Write a Java stored procedure that
customizes serialized profiles and binds packages for SQLJ applications on
behalf of the end user. This Java stored procedure needs to use a JDBC driver
package that was bound with one of the DYNAMICRULES options that causes
dynamic SQL to be performed under a different user ID from the end user's
authorization ID. For example, you might use the DYNAMICRULES option
DEFINEBIND or DEFINERUN to execute dynamic SQL under the authorization
ID of the creator of the Java stored procedure. You need to grant EXECUTE
authority on the stored procedure to users who need to do SQLJ customization.
The stored does the following things:
1. Receives the compiled SQLJ program and serialized profiles in BLOB input
parameters
2. Copies the input parameters to its file system
3. Runs db2sqljcustomize to customize the serialized profiles and bind the
packages for the SQLJ program
4. Returns the customized serialized profiles in output parameters
v Use a stand-alone program to do customization: This technique involves
writing a program that performs the same steps as a Java stored procedure that
customizes serialized profiles and binds packages for SQLJ applications on
behalf of the end user. However, instead of running the program as a stored
procedure, you run the program as a stand-alone program under a library
server.
Restricting table access during customization
When you customize serialized profiles, you should do online checking, to give the
application program information about the data types and lengths of table columns
that the program accesses. By default, customization includes online checking.
Online checking requires that the user who customizes a serialized profile has
authorization to execute PREPARE and DESCRIBE statements against SQL
statements in the SQLJ program. That authorization includes the SELECT privilege
on tables and views that are accessed by the SQL statements. If SQL statements
contain unqualified table names, the qualifier that is used during online checking
is the value of the db2sqljcustomize -qualifier parameter. Therefore, for online
checking of tables and views with unqualified names in an SQLJ application, you
can grant the SELECT privilege only on tables and views with a qualifier that
matches the value of the -qualifier parameter.
Related reference
"db2sqljcustomize - SQLJ profile customizer" on page 395
Chapter 10. Security under the IBM Data Server Driver for JDBC and SQLJ
463