Defining class names for Db2 administrative authorities in single-subsystem scope

When you select &CLASSOPT 1, the RACF access control module places the Db2 subsystem name, or group attachment name, in the administrative authority class name.

Define administrative authority class names in single-subsystem scope using this format:

yyyyADMz

where:

yyyy: Is the Db2 subsystem name or, if data sharing, the Db2 group attachment name (from XAPLGPAT)
ADM: Is the designation for administrative authority classes
z: Is the &CHAROPT value (the default value is 1)

In single-subsystem scope, the class names of the Db2 administrative authority classes contain the Db2 subsystem name, or Db2 group attachment name, but the profile names of resources in those classes do not. Therefore, in single-subsystem scope, you must define a separate class name for each subsystem that uses the RACF access control module.

When you select single-subsystem scope, you cannot use the Db2 administrative authority class called DSNADM that is provided in the supplied class descriptor table (ICHRRCDX). You must define your own class in the class descriptor table (CDT), unless you use the default Db2 subsystem name DSN and have altered the &CHAROPT variable in the RACF access control module to be a blank character (' '). However, in single-subsystem scope, you must still define a separate class name for every other subsystem that shares the RACF access control module.