Db2 processing of ENF signals

When the AUTHEXIT_CACHEREFRESH system parameter is set to ALL and both Db2 and the access control authorization exit are active, Db2 listens for type 62, type 71, and type 79 ENF signals from RACF® that report user profile or resource access changes. When Db2 receives an ENF 62, 71, or 79 signal, it refreshes the entries of the package authorization cache, the routine authorization cache, the DDF user authentication cache, and the dynamic statement cache.

RACF issues the ENF 71 signal for any change to a RACF user or group profile. Db2 listens to the ENF 71 signal when you use the following RACF commands or macros:

  • ALTUSER command with the REVOKE option
  • CONNECT command with the REVOKE option
  • DELUSER command (to delete a user from RACF)
  • DELGROUP command (to delete a group and its relationship with its parent group from RACF)
  • REMOVE command (to remove a user from a group)
  • RACROUTE REQUEST=VERIFY macro (to revoke a user due to excessive invalid password attempts)

RACF issues the ENF 79 signal for any change to a RACF user's or group's authorization to resources. Db2 listens to the ENF 79 signal when you use the following RACF commands:

  • PERMIT with the DELETE, ACCESS(NONE), RESET, or WHEN(CRITERIA(SQLROLE …)) option
  • RALTER with the UACC(NONE) or DELMEM option
  • RDELETE

When the ENF 79 signal is issued, Db2 caches the resource changes first and refreshes the cache entries only after the SETROPTS RACLIST REFRESH command is issued. RACF issues the ENF 62 signal when the SETROPTS RACLIST REFRESH command is used. Upon receiving the ENF 62 signal, Db2 refreshes the cache entries for the resources that are cached during ENF 79 notification. However, Db2 does not refresh the cache entries when the RDELETE command is used to delete general resource profiles for DSNADM and MDSNSM/GDSNSM classes without a profile name.

The ENF 79 signal is issued only for resource classes that are defined in the RACF Class Descriptor Table with the SIGNAL=YES option. The SIGNAL=YES option is enabled, by default, for the following IBM®-supplied RACF resource classes for Db2:

  • MDSNPK / GDSNPK
  • MDSNTB / GDSNTB
  • MDSNSP / GDSNSP
  • MDSNSQ / GDSNSQ
  • DSNADM and MDSNSM / GDSNSM
  • MDSNUF / GDSNUF
  • MDSNGV / GDSNGV

If you define RACF classes for Db2 objects and administrative authorities without using IBM-supplied RACF resource classes, you need to enable the SIGNAL=YES option for these classes in the RACF Class Descriptor Table. Class names for Db2 objects in both single-subsystem scope and multiple-subsystem scope are supported.
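The following REXX exec shows how an administrator can check and enable the SIGNAL option for such a user-defined class. It is an added example, not code from the Db2 or RACF documentation; it assumes the class (placeholder name MDSNXX) was defined in the dynamic Class Descriptor Table with RDEFINE CDT, and that the caller has RACF SPECIAL authority.

```rexx
/* REXX - Verify and enable SIGNAL(YES) for a user-defined Db2 class.   */
/* Added example, not from the Db2 or RACF documentation. MDSNXX is a   */
/* placeholder for a class defined in the dynamic CDT; RACF SPECIAL     */
/* authority is assumed for the caller.                                 */
ADDRESS TSO
class = 'MDSNXX'

/* List the class descriptor so the SIGNAL setting can be inspected in */
/* the command output before anything is changed.                      */
"RLIST CDT" class "CDTINFO"
Say 'RLIST CDT' class 'ended with RC' RC

/* Enable ENF 79 signaling for the class. Without SIGNAL(YES), PERMIT, */
/* RALTER and RDELETE changes for this class never reach Db2, so its   */
/* authorization caches keep granting access that RACF has removed.    */
"RALTER CDT" class "CDTINFO(SIGNAL(YES))"
If RC <> 0 Then Do
  Say 'RALTER CDT' class 'failed with RC' RC
  Exit RC
End

/* The CDT class is RACLISTed; refresh it so the new descriptor is used. */
"SETROPTS RACLIST(CDT) REFRESH"
Say 'SETROPTS RACLIST(CDT) REFRESH ended with RC' RC
Exit 0
```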

Profile names with discrete and generic resource characters are supported with the following restrictions:

  • Generic character ampersand (&) indicates that RACF uses a profile in the RACFVARS class to determine the actual values for that part of the profile name. Db2 ignores a RACF profile that contains the & character and does not perform cache refresh for the profile.
  • Generic character % is not supported in the privilege part of the profile name for cache refresh. Db2 ignores a RACF profile that contains the % character in the privilege part and does not perform cache refresh for the profile.
  • If a profile name for classes other than DSNADM contains generic character * or ** and has fewer parts than the CLASS parameter supports, all objects or all privileges or both for the specified CLASS parameter may be considered for cache refresh. For example, if you issue the PERMIT SYS1.** ID(USER01) DELETE CLASS(MDSNPK) command, Db2 deletes the entries in the package authorization cache for user USER01. If you issue the PERMIT SYS1.**.GV* ID(*) DELETE CLASS(MDSNGV) command, Db2 deletes the entries in the dynamic statement cache for object type global variables where the schema name starts with GV. If you issue the PERMIT SYS1.TSCH.**.VNAM.* ID(USER03) DELETE CLASS(MDSNTB) command, Db2 deletes the entries in the dynamic statement cache for object type table where the schema is TSCH for user USER03. It also deletes the entries where the schema is VNAM for user USER03.
  • The generic character * is not supported when it is specified as an authorization ID in ID(*) for revoking the DSNADM class authority or the MDSNSM class for the SQLADM authority. Db2 ignores the authorization ID and does not perform cache refresh for the authorization ID. When ID(authorization-id) is specified, Db2 deletes all the entries in the caches for the specified authorization ID.

Db2 caches the RACF group in the following cases, when subsystem parameter AUTHEXIT_CHECK is set to DB2:

  • For dynamic SQL statements, when the package owner is a RACF group, and the DYNAMICRULES bind option is set to a value that results in bind behavior.
  • When the plan owner for a package that has the EXECUTE privilege is a RACF group.

In all other cases, Db2 caches the primary authorization ID that is associated with the RACF group when access is allowed from the group. If a privilege is revoked from the group, Db2 might not delete the cache entries for all users that are associated with the group. You need to explicitly permit the required privilege to users that are associated with the group, and then delete the permissions in RACF.
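The REXX exec below carries out that procedure for a table privilege held through a group. It is an added example, not code from the Db2 or RACF documentation, and it reads the note above as: permit the users directly, delete the group's access, delete the users' access so the ENF 79 signals name the cached user IDs, then refresh the class so ENF 62 triggers the cache purge. The profile DSN.TSCH.T1.SELECT (subsystem DSN, single-subsystem scope), group GRP1 and users USER01 and USER02 are placeholders; AUTHEXIT_CACHEREFRESH is assumed to be ALL.

```rexx
/* REXX - Revoke a Db2 table privilege that users hold through a RACF  */
/* group so that Db2 also drops the users' cached entries.             */
/* Added example, not from the Db2 or RACF documentation. Profile,     */
/* group and user names are placeholders; MDSNTB is assumed to have    */
/* SIGNAL(YES) as shipped and AUTHEXIT_CACHEREFRESH to be ALL.         */
ADDRESS TSO
profile = 'DSN.TSCH.T1.SELECT'
class   = 'MDSNTB'
group   = 'GRP1'
users   = 'USER01 USER02'

/* Step 1: give each user the privilege directly. Db2 cached the       */
/* user's primary authorization ID, not the group, so a DELETE against */
/* GRP1 alone might leave those user entries in the caches.            */
Do i = 1 To Words(users)
  "PERMIT" profile "CLASS("class") ID("Word(users, i)") ACCESS(READ)"
  If RC <> 0 Then Call Fail 'PERMIT ACCESS(READ) for' Word(users, i)
End

/* Step 2: remove the group's access to the profile.                   */
"PERMIT" profile "CLASS("class") ID("group") DELETE"
If RC <> 0 Then Call Fail 'PERMIT DELETE for group' group

/* Step 3: remove each user's explicit access. Each DELETE raises an   */
/* ENF 79 that names the user ID, which Db2 records for cache removal. */
Do i = 1 To Words(users)
  "PERMIT" profile "CLASS("class") ID("Word(users, i)") DELETE"
  If RC <> 0 Then Call Fail 'PERMIT DELETE for' Word(users, i)
End

/* Step 4: refresh the RACLISTed class. RACF raises ENF 62, on which   */
/* Db2 purges the entries recorded during the ENF 79 notifications.    */
"SETROPTS RACLIST("class") REFRESH"
If RC <> 0 Then Call Fail 'SETROPTS RACLIST REFRESH'
Say 'Group revoke complete; Db2 refreshes its caches on ENF 62.'
Exit 0

Fail:
  Say Arg(1) 'failed with RC' RC
  Exit RC
```

Between steps 3 and 4 the users have no access in RACF but may still succeed from the Db2 caches, so run the refresh immediately after the deletes.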
