diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc
index 5e621bf4419..8552b1c2b8a 100644
--- a/libmysqld/lib_sql.cc
+++ b/libmysqld/lib_sql.cc
@@ -514,8 +514,8 @@ void *create_embedded_thd(int client_flag, char *db)
   thd->db= db;
   thd->db_length= db ? strip_sp(db) : 0;
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  thd->db_access= DB_ACLS;
-  thd->master_access= ~NO_ACCESS;
+  thd->security_ctx->db_access= DB_ACLS;
+  thd->security_ctx->master_access= ~NO_ACCESS;
 #endif
   thd->net.query_cache_query= 0;
 
@@ -542,26 +542,27 @@ int check_embedded_connection(MYSQL *mysql)
 int check_embedded_connection(MYSQL *mysql)
 {
   THD *thd= (THD*)mysql->thd;
+  Security_context *sctx= thd->security_ctx;
   int result;
   char scramble_buff[SCRAMBLE_LENGTH];
   int passwd_len;
 
   if (mysql->options.client_ip)
   {
-    thd->host= my_strdup(mysql->options.client_ip, MYF(0));
-    thd->ip= my_strdup(thd->host, MYF(0));
+    sctx->host= my_strdup(mysql->options.client_ip, MYF(0));
+    sctx->ip= my_strdup(sctx->host, MYF(0));
   }
   else
-    thd->host= (char*)my_localhost;
-  thd->host_or_ip= thd->host;
+    sctx->host= (char*)my_localhost;
+  sctx->host_or_ip= sctx->host;
 
-  if (acl_check_host(thd->host,thd->ip))
+  if (acl_check_host(sctx->host, sctx->ip))
   {
     result= ER_HOST_NOT_PRIVILEGED;
     goto err;
   }
 
-  thd->user= my_strdup(mysql->user, MYF(0));
+  sctx->user= my_strdup(mysql->user, MYF(0));
   if (mysql->passwd && mysql->passwd[0])
   {
     memset(thd->scramble, 55, SCRAMBLE_LENGTH); // dummy scramble
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index bb182232e0d..771cb93ed9c 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -693,8 +693,8 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
   SYNOPSIS
     acl_getroot()
     thd         thread handle. If all checks are OK,
-                thd->priv_user, thd->master_access are updated.
-                thd->host, thd->ip, thd->user are used for checks.
+                thd->security_ctx->priv_user/master_access are updated.
+                thd->security_ctx->host/ip/user are used for checks.
     mqh         user resources; on success mqh is reset, else
                 unchanged
     passwd      scrambled & crypted password, received from client
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index a5faff5cf61..46740460526 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -246,7 +246,7 @@ end:
 
   SYNOPSIS
     check_user()
-    thd          thread handle, thd->{host,user,ip} are used
+    thd          thread handle, thd->security_ctx->{host,user,ip} are used
     command      originator of the check: now check_user is called
                  during connect and change user procedures; used for 
                  logging.
@@ -261,8 +261,8 @@ end:
     are 'IN'.
 
   RETURN VALUE
-    0  OK; thd->user, thd->master_access, thd->priv_user, thd->db and
-       thd->db_access are updated; OK is sent to client;
+    0  OK; thd->security_ctx->user/master_access/priv_user/db_access and
+       thd->db are updated; OK is sent to client;
    -1  access denied or handshake error; error is sent to client;
    >0  error, not sent to client
 */