Discretionary access control in Db2

Discretionary access control is defined for Db2 objects.

Each Db2 command, utility, and SQL statement is associated with a set of privileges, authorities, or both. Authority checking is performed with the support of the RACF® access control module, which maps Db2 objects to RACF objects so that the following statements are all true:
  • Db2 object types map to RACF class names.
  • Db2 privileges map to RACF resource names for Db2 objects.
  • Db2 authorities map to the RACF administrative authority class (DSNADM) and to the RACF resource.
  • Db2 security rules map to RACF profiles.

Rows are not, on their own, objects that are subject to discretionary access control. Discretionary access control is applied at the granularity of a table or a column.

When the system is configured with the RACF MLS option not active, access to a Db2 object, privilege, or administrative authority is allowed if the user or group that requests access is in the access list of the RACF profile that protects that object, privilege, or authority with at least READ access.

If the system is configured with the RACF MLS option active, the level of access that is required is UPDATE rather than READ. Granting UPDATE access in both configurations, rather than READ access in one configuration and UPDATE access in the other, does not weaken access protection: the access level on these profiles is only the threshold that the access control module tests, and in RACF a user with UPDATE access also satisfies a READ check. Using UPDATE throughout therefore eases administration, because the same PERMIT commands are correct whether or not MLS is later activated.
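The following REXX exec is an added illustration of the mapping described above; it is not part of the original page or of IBM's own samples. It defines a table-privilege profile, a column-level UPDATE profile, and an administrative-authority profile, and grants access at the level the MLS setting requires. The subsystem name DSN, the table ADMF001.EMP, the column SALARY, and the user IDs APPUSR1 and DBAGRP are constructed for the example; the class names (MDSNTB, DSNADM) and the resource-name formats assume the default naming conventions of the Db2 RACF access control module and should be checked against the module's installation options before use.

```rexx
/* REXX: define RACF profiles that protect Db2 objects and authorities */
/* Constructed example: subsystem DSN, table ADMF001.EMP, column SALARY, */
/* user APPUSR1, group DBAGRP. Class and resource-name formats assume the */
/* default naming of the Db2 RACF access control module.                 */
ADDRESS TSO

/* Set to 1 when SETROPTS MLS is active on this system: the access       */
/* control module then requires UPDATE on the profile instead of READ.   */
mls_active = 0
if mls_active then acc = 'UPDATE'
else acc = 'READ'

/* Table privilege: class MDSNTB, resource subsystem.qualifier.table.privilege */
Call racf "RDEFINE MDSNTB DSN.ADMF001.EMP.SELECT UACC(NONE)"
Call racf "PERMIT DSN.ADMF001.EMP.SELECT CLASS(MDSNTB) ID(APPUSR1) ACCESS("acc")"

/* Column privilege: UPDATE on one column is its own profile,             */
/* resource subsystem.qualifier.table.column.UPDATE (column granularity)  */
Call racf "RDEFINE MDSNTB DSN.ADMF001.EMP.SALARY.UPDATE UACC(NONE)"
Call racf "PERMIT DSN.ADMF001.EMP.SALARY.UPDATE CLASS(MDSNTB) ID(APPUSR1) ACCESS("acc")"

/* Administrative authority: class DSNADM, resource subsystem.authority   */
Call racf "RDEFINE DSNADM DSN.SYSADM UACC(NONE)"
Call racf "PERMIT DSN.SYSADM CLASS(DSNADM) ID(DBAGRP) ACCESS("acc")"

/* Activate the classes and refresh the in-storage (RACLISTed) profiles   */
/* so the access control module sees the new definitions. REFRESH assumes */
/* the classes are already RACLISTed; omit it the first time.             */
Call racf "SETROPTS CLASSACT(MDSNTB DSNADM)"
Call racf "SETROPTS RACLIST(MDSNTB DSNADM) REFRESH"
exit 0

/* Issue one RACF command and stop on the first failure */
racf:
  parse arg cmd
  cmd
  if rc <> 0 then do
    say 'RACF command failed, rc='rc':' cmd
    exit rc
  end
return
```

Because every PERMIT uses the variable acc, switching the system to MLS changes only one line; with UPDATE granted throughout, as the text recommends, the exec can simply hard-code ACCESS(UPDATE) and the MLS flag becomes unnecessary.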