Alternate authorization mechanism flag for the enhanced host based authentication (HBA2) MPM

The HBA2 mechanism supports the use of an alternate authorization mechanism through the z instruction flag.

This feature is described in Understanding alternate authorization mechanisms. The default cluster security services library configuration enables this feature for the HBA2 MPM, specifying the HBA MPM as the mechanism to use for authorizing HBA2 authenticated clients.

Only the HBA MPM (known by the unix mnemonic) may be employed as an alternate authorization mechanism for the HBA2 MPM. No other MPM is supported in this capacity.

The HBA2 MPM provides its own authorization features, so the use of the HBA MPM as the authorization mechanism can be removed if desired. Before doing so, cluster administrators must ensure that access controls throughout the cluster have been modified to allow HBA2 MPM clients to access resources. Once the alternate authorization mechanism is disabled, clients authenticated using the HBA2 MPM are no longer treated as HBA MPM (unix) identities during authorization checks. For more information about authorization, see Cluster security services authorization concepts.