Managing authorizations for creation of stored procedures in WLM environments

You can group and isolate applications into different WLM environments based on their security requirements. You can then authorize specific users to create stored procedures in a security-sensitive environment, and prevent everyone else from doing so.

About this task

Db2 invokes RACF® to determine if users are allowed to create stored procedures in a WLM environment. The WLM ENVIRONMENT keyword on the CREATE PROCEDURE statement identifies the WLM environment to use for running a given stored procedure. Db2 performs a resource authorization check using the DSNR RACF class as follows:

  • In a Db2 data sharing environment, Db2 uses the following RACF resource name:
    db2_groupname.WLMENV.wlm_environment
  • In a non-data sharing environment, Db2 checks the following RACF resource name:
    db2_subsystem_id.WLMENV.wlm_environment

The user who issues the CREATE PROCEDURE statement needs at least READ access to that resource. If the user does not have it, the statement fails with an authorization error and the stored procedure is not created.

Procedure

To control which individual users or groups can create stored procedures in a specific WLM environment:

Use RACF commands:
  • To authorize individual users or groups of users to create stored procedures in a specific WLM environment, issue the RACF PERMIT command. For example, you can authorize the user whose ID is DB2USER1 to create stored procedures on the Db2 subsystem DB2A (non-data sharing) in a WLM environment named PAYROLL:
    PERMIT DB2A.WLMENV.PAYROLL CLASS(DSNR) ID(DB2USER1) ACCESS(READ)

    When user ID DB2USER1 attempts to create a stored procedure in the PAYROLL WLM environment, Db2 performs a resource authorization check by using the DSNR RACF class and grants permission.

  • To prevent users on a particular Db2 subsystem from creating stored procedures, issue the RACF RDEFINE command to define the profile for the WLM environment. Use the UACC(NONE) operand so that the universal access of the profile is NONE; users then need an explicit PERMIT to create stored procedures in that environment.

    For example, you can issue the following command to prevent all users on Db2 subsystem DB2A (non-data sharing) from creating stored procedures or user-defined functions in the WLM environment named PAYROLL:

    RDEFINE DSNR (DB2A.WLMENV.PAYROLL) UACC(NONE)
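
The following batch job is an added example, not part of the original page, that puts the commands above together in the order they must run: the profile is defined first, because PERMIT fails if the profile does not exist, and the RACLISTed DSNR class is refreshed last so the changes take effect. It also goes one step beyond the page by adding a generic profile as a default deny for every WLM environment on the subsystem, and shows the resource-name form used by a data sharing group. Assumptions not taken from the page: the job card accounting field, the RACF group PAYADMIN that is allowed to create procedures in PAYROLL, the data sharing group name DSNDB0G, and that generic profiles and RACLIST are active for DSNR (SETROPTS GENERIC(DSNR) RACLIST(DSNR)).

```jcl
//RACFWLM  JOB (ACCT),'WLMENV PROFILES',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Constructed example: RACF DSNR profiles for the PAYROLL WLM environment.
//* Assumed (not from the page): group PAYADMIN, data sharing group
//* DSNDB0G, and SETROPTS GENERIC(DSNR) RACLIST(DSNR) already in effect.
//*
//* The SYSTSIN commands, in order:
//*  1. Generic profile DB2A.WLMENV.* with UACC(NONE): default deny for
//*     every WLM environment on subsystem DB2A that has no discrete
//*     profile of its own.
//*  2. Discrete profile DB2A.WLMENV.PAYROLL with UACC(NONE). A discrete
//*     profile takes precedence over the generic one, so a PERMIT on the
//*     generic profile would NOT grant access to PAYROLL.
//*  3. PERMIT READ on the PAYROLL profile to the PAYADMIN group only.
//*     READ is the access level Db2 checks for at CREATE PROCEDURE time.
//*  4. The same pair of commands for a member of data sharing group
//*     DSNDB0G, where Db2 uses the group name instead of the subsystem ID.
//*     Use one form or the other depending on how the subsystem runs.
//*  5. SETROPTS RACLIST REFRESH: until this runs, Db2 keeps checking the
//*     old in-storage copy of the DSNR profiles.
//*  6. RLIST with AUTHUSER: verify the access list before telling anyone
//*     the environment is locked down.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE DSNR (DB2A.WLMENV.*) UACC(NONE)
 RDEFINE DSNR (DB2A.WLMENV.PAYROLL) UACC(NONE)
 PERMIT DB2A.WLMENV.PAYROLL CLASS(DSNR) ID(PAYADMIN) ACCESS(READ)
 RDEFINE DSNR (DSNDB0G.WLMENV.PAYROLL) UACC(NONE)
 PERMIT DSNDB0G.WLMENV.PAYROLL CLASS(DSNR) ID(PAYADMIN) ACCESS(READ)
 SETROPTS RACLIST(DSNR) REFRESH
 RLIST DSNR (DB2A.WLMENV.PAYROLL) AUTHUSER
 RLIST DSNR (DSNDB0G.WLMENV.PAYROLL) AUTHUSER
/*
```

After this job runs, a user connected to a group with READ access (PAYADMIN here) can issue a CREATE PROCEDURE statement whose WLM ENVIRONMENT clause names PAYROLL; any other user's CREATE PROCEDURE for that environment fails the DSNR check. The RACF check is in addition to, not instead of, the Db2 privileges the statement already needs (for example CREATEIN on the schema). Keep the environment name in the profile identical, including case, to the name in the WLM ENVIRONMENT clause, and remember that profile changes in a RACLISTed class are invisible to Db2 until the SETROPTS RACLIST(DSNR) REFRESH runs.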