Converting from Db2 internal security

When you convert from Db2 internal security to the RACF access control module, you do not need to convert protection for every Db2 object.

You can begin using the RACF access control module before defining profiles to protect all Db2 object types. Consider adding the WARNING option of RDEFINE and RALTER commands when you protect Db2 objects. The use of warnings might ease your conversion by allowing you to see ICH408I messages that identify profiles that would fail a request.

Any request to access a Db2 object protected by a RACF profile with the WARNING option is always allowed. If the request would have failed without the WARNING option, an ICH408I message is generated to identify the first profile (in the sequence of RACF authorization checking) that would have failed the request.

Note: You can ignore the warning message when the user who requested the resource holds a Db2 administrative authority, such as SYSADM, DBADM, or in some cases SYSCTRL, that would also allow the user to access the object.
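
To review warning-mode results during a conversion, the following added example (not part of the original documentation) tallies ICH408I messages per class, profile, and user, so you can see which profiles still need PERMIT entries before the WARNING option is removed. It assumes the usual multi-line ICH408I layout; the sample log, subsystem name, user IDs, profile names, and the `ignore_users` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample console text; IDs and resource names are invented.
SAMPLE_LOG = """\
ICH408I USER(APPUSR1 ) GROUP(DB2APP  ) NAME(BATCH APPLICATION   )
  DSN.PAYROLL.EMP.SELECT CL(MDSNTB  )
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM DSN.PAYROLL.*.SELECT (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(DBA01   ) GROUP(SYS1    ) NAME(DB ADMIN            )
  DSN.PAYROLL.EMP.UPDATE CL(MDSNTB  )
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(GUEST1  ) GROUP(USERS   ) NAME(GUEST               )
  SYS1.PARMLIB CL(DATASET )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

HEADER = re.compile(r"ICH408I\s+USER\((?P<user>[^)]*)\)")
RESOURCE = re.compile(r"^\s*(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
FROM = re.compile(r"^\s*FROM\s+(?P<profile>\S+)")
WARNING_TEXT = "WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED"

def parse_ich408i(text):
    """Return one dict per ICH408I message found in the console text."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            cur = {"user": m["user"].strip(), "warning": False}
            events.append(cur)
        elif cur is None:
            continue  # text before the first message
        elif WARNING_TEXT in line:
            cur["warning"] = True
        elif (m := FROM.match(line)):
            cur["profile"] = m["profile"]
        elif "resource" not in cur and (m := RESOURCE.match(line)):
            cur["resource"], cur["cls"] = m["resource"], m["cls"].strip()
    return events

def warning_mode_hits(text, ignore_users=()):
    """Count requests that only the WARNING option allowed, per profile and user."""
    hits = Counter()
    for e in parse_ich408i(text):
        if e["warning"] and e["user"] not in ignore_users:
            # A discrete profile has no FROM line; the resource name is the profile.
            hits[(e.get("cls"), e.get("profile") or e.get("resource"), e["user"])] += 1
    return hits
```

Pass the user IDs that hold a Db2 administrative authority as `ignore_users` to drop the warnings that the note above says can be ignored.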

If the RACF access control module determines that there is no administrative authority profile and no profile to protect a particular Db2 object (or the class corresponding to a particular Db2 resource is not active), it defers to Db2 for authority checking.

For example, suppose only the set of RACF profiles to protect Db2 tables has been defined and the classes for all other object types have not been made active. In this case, the RACF access control module performs profile checking for Db2 tables, views, and indexes, and it defers to Db2 for authority checking of other object types, such as plans, packages, and databases.

Guideline: All Db2 administrative authorities should be defined with UACC(NONE) before you activate the RACF access control module. You can then selectively authorize specific users at a higher level by executing the PERMIT command.