Defining class names for Db2 administrative authorities in multiple-subsystem scope

You must define administrative authority class names in a specific format when you use the multiple-subsystem scope.

When you select &CLASSOPT 2 or allow it to default, the RACF access control module does not use the Db2 subsystem name or group attachment name in the class name for administrative authorities. Define administrative authority class names in multiple-subsystem scope using this format:

yyyyADMz

where:

yyyy: Is the &CLASSNMT value (the default value is DSN)
ADM: Is the designation for administrative authority classes
z: Is the &CHAROPT value, which is ignored if &CLASSNMT is set to DSN

In multiple-subsystem scope, profile names of resources in the Db2 administrative authority class are prefixed with the Db2 subsystem name, or Db2 group attachment name, but the class names are not. Therefore, installations using multiple-subsystem scope and the default &CLASSNMT value (DSN) can use the default Db2 administrative authority class (DSNADM) provided in the supplied class descriptor table (ICHRRCDX). Any subsystem sharing the RACF access control module can share the same class. A separate class does not need to be defined for each Db2 subsystem.

If you set &CLASSNMT to a value other than DSN, you must define a Db2 administrative authority class in the class descriptor table (CDT).