Setting up profiles for Db2 roles
You can use Db2 roles with the RACF access control module.
About this task
Before you can use Db2 roles with the RACF access control module, the security administrator must define RACF profiles to give users access to RACF-protected resources when they are using a role. For example, suppose that you have defined a Db2 trusted context and associated the role TELLER with it. The user ID RANDY is authorized to use the trusted context. You want Randy to have READ access to the resource DSN.PEGGY.TAB.ALTER when he is using the role TELLER.
- Assume that the RACF access control module is configured for multiple subsystem scope, so the resource name is prefixed with the Db2 subsystem ID (DSN in this example). Give RANDY READ authority to the resource DSN.PEGGY.TAB.ALTER when he is using the role TELLER:
RDEFINE MDSNTB DSN.PEGGY.TAB.ALTER UACC(NONE)
PERMIT DSN.PEGGY.TAB.ALTER CLASS(MDSNTB) ID(RANDY) ACCESS(READ) WHEN(CRITERIA(SQLROLE(TELLER)))
The case of the criteria value (TELLER) is important: it must be entered exactly as it will appear in the CRITERIA parameter of RACROUTE REQUEST=FASTAUTH. UACC(NONE) ensures that no user gets access by default, and the WHEN(CRITERIA(SQLROLE(...))) clause grants RANDY access only while the trusted context has assigned him the TELLER role, not under his own ID alone.
- Make your resource changes take effect:
- If the class in which you defined the profile is active, refresh the in-storage profiles with your changes:
SETROPTS RACLIST(MDSNTB) REFRESH
- If the class in which you defined the profile is not active, stop the Db2 subsystem, activate and RACLIST the class, and restart the Db2 subsystem.
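The steps above, collected into one batch TSO job with a verification step, as an added example that is not part of the original page. The job card, the subsystem ID DSN and the assumption that class MDSNTB is already active and RACLISTed are assumptions; RLIST with AUTHUSER is included so that the conditional access entry for RANDY can be checked before the refresh.

```jcl
//RACFROLE JOB (ACCT),'DB2 ROLE PROFILES',CLASS=A,MSGCLASS=X
//* Added example: job card and subsystem ID DSN are assumptions.
//* Run the RACF commands through TSO in batch.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Define the table profile with no default access.           */
  RDEFINE MDSNTB DSN.PEGGY.TAB.ALTER UACC(NONE)
  /* Grant RANDY READ only while Db2 passes SQLROLE(TELLER) in   */
  /* the FASTAUTH criteria. Role name case must match Db2.       */
  PERMIT DSN.PEGGY.TAB.ALTER CLASS(MDSNTB) ID(RANDY) ACCESS(READ) +
    WHEN(CRITERIA(SQLROLE(TELLER)))
  /* Verify: the access list should show RANDY as a conditional  */
  /* entry keyed on the TELLER role, with UACC NONE.             */
  RLIST MDSNTB DSN.PEGGY.TAB.ALTER AUTHUSER
  /* Assumes MDSNTB is already active and RACLISTed; otherwise   */
  /* stop Db2, SETROPTS CLASSACT(MDSNTB) RACLIST(MDSNTB), restart.*/
  SETROPTS RACLIST(MDSNTB) REFRESH
/*
```

Check the SYSTSPRT output before relying on the change: the RLIST output should list RANDY with READ as a conditional entry rather than in the standard access list, and the PERMIT must not report an error about the criteria (a misspelled or wrongly cased role name is accepted syntactically but never matches at FASTAUTH time, so the user is simply denied).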