AUTH EXIT CHECK (AUTHEXIT_CHECK subsystem parameter)
The AUTHEXIT_CHECK subsystem parameter specifies whether the owner or the primary authorization ID is used for authorization checks when the access control authorization exit (DSNX@XAC) is active.
| Acceptable values: | PRIMARY, DB2 |
|---|---|
| Default: | PRIMARY |
| Update: | No |
| DSNZPxxx: | DSN6SPRM.AUTHEXIT_CHECK |
| Data sharing scope: | Group |
| Security parameter: | Security-related |
- PRIMARY
- Specifies that Db2 provides the ACEE of the primary authorization ID to perform all authorization checks. The primary authorization ID must be permitted access to the resources in RACF®. This is the default value for the field.
- DB2
- Specifies that Db2 provides the ACEE of the package or plan owner to perform authorization checking when processing the autobind, BIND and REBIND commands and, if needed, during the execution of the package or plan. Db2 also provides the ACEE of the authorization ID as determined by the DYNAMICRULES option to perform dynamic SQL authorization checking at run time. The access control authorization exit uses the ACEE for XAPLUCHK for authorization checking. The XAPLUCHK authorization ID can be a user or a group in RACF. To ensure successful authorization checks with the owner ACEE, the owner authorization ID in XAPLUCHK must be permitted access to the resources in RACF. If the owner is a group in RACF, you need to permit the group access to the resource associated with the connection in the RACF DSNR class. You can issue the PERMIT command to grant a group access to subsystem.BATCH in the DSNR class, as follows:
PERMIT DSN.BATCH CLASS(DSNR) ID(DB2GRP) ACCESS(READ)