Program elements carrying annotation of these types can be captured by not only authorization and authentication aspects, but also other implementations such as privacy policy enforcement aspects.

But lots of programmers could know the application's DB2 authorization ID and password-because, as mentioned, these are embedded in program code.

This type of authorization testing might be called fine-grained access control because it is applied by a running program to virtually any type of resource that the program works with.