Example 2: Allowing access (auditing for all attempts)
You can use the RACF access control module to grant access to Db2 objects.
This example shows how the RACF access control module allows access to a Db2 object (a table) based on a Db2 administrative authority profile. Auditing is activated for all access attempts.
In this example, user ID MIKEJ is trying to alter a table called BDA0828.EMP in database JBW2000.
Setup
- Classification model (&CLASSOPT): 2
- Class name root (&CLASSNMT): DSN
- Class name suffix (&CHAROPT): 1
  This is the default value, but it is not used with supplied classes.
- Db2 subsystem name: VHH1
- Profiles:
  - Defined in the MDSNTB class:
    VHH1.BDA0828.EMP.ALTER
    AUDIT(ALL(READ))
    UACC(NONE)
    ID(MIKEJ) ACCESS(NONE)
  - Defined in the DSNADM class:
    VHH1.SYSADM
    AUDIT(ALL(READ))
    UACC(NONE)
    ID(MIKEJ) ACCESS(READ)
- User ID MIKEJ has SYSADM authority.
Profile checking
RACF checks the following resources, in this order:
- VHH1.BDA0828.EMP.ALTER in class MDSNTB
  Results:
  - Access is denied (return code 8).
  - No failure message (ICH408I) is issued.
  - No audit records are created.
- VHH1.JBW2000.DBADM in class DSNADM
  Results:
  - No profile is found (return code 4).
  - No failure message (ICH408I) is issued.
  - No audit records are created.
- VHH1.SYSADM in class DSNADM
  Results:
  - Access is granted (return code 0).
  - No failure message (ICH408I) is issued.
  - An audit record is created, which includes the following log string data:
    - The VHH1.BDA0828.EMP.ALTER profile name
    - Input parameters identifying the request from Db2.
Final result
The RACF access control module sends a return code of 0 to Db2.
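The following Python simulation is an added illustration, not IBM code: it replays the three checks above against the two profiles from this example and shows why only the granting profile produces an audit record. The class and profile names are taken from this page; the READ access level assumed for ALTER, the access-level ordering, and the log-string layout are simplifications of my own.

```python
# Simulation of the RACF access control module's check sequence for an
# ALTER on a table. Not IBM code; profile data below is constructed from
# the example on this page.
from dataclasses import dataclass, field

@dataclass
class Profile:
    audit_all: bool                 # True models AUDIT(ALL(READ))
    uacc: str = "NONE"              # UACC(...)
    acl: dict = field(default_factory=dict)   # ID(user) ACCESS(level)

# Assumed ordering of RACF access levels (lowest to highest).
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed RACF "database": class -> profile name -> profile
RACF_DB = {
    "MDSNTB": {"VHH1.BDA0828.EMP.ALTER": Profile(True, "NONE", {"MIKEJ": "NONE"})},
    "DSNADM": {"VHH1.SYSADM": Profile(True, "NONE", {"MIKEJ": "READ"})},
}

def racf_check(cls, name, user, need="READ"):
    """One profile check: 0 = granted, 4 = no profile found, 8 = denied."""
    prof = RACF_DB.get(cls, {}).get(name)
    if prof is None:
        return 4
    have = prof.acl.get(user, prof.uacc)        # explicit PERMIT, else UACC
    return 0 if LEVELS[have] >= LEVELS[need] else 8

def alter_table(subsys, user, database, owner, table, audit_log):
    """Return (final return code to Db2, per-check trace); append audit records."""
    obj = f"{subsys}.{owner}.{table}.ALTER"
    # Order used in the example: object profile, then DBADM for the table's
    # database, then SYSADM. Intermediate failures are silent: no ICH408I
    # message and no audit record.
    checks = [("MDSNTB", obj),
              ("DSNADM", f"{subsys}.{database}.DBADM"),
              ("DSNADM", f"{subsys}.SYSADM")]
    trace = []
    for cls, name in checks:
        rc = racf_check(cls, name, user)
        trace.append((cls, name, rc))
        if rc == 0:
            # Only the profile that grants access is audited; its log string
            # names the object profile plus the Db2 request parameters.
            if RACF_DB[cls][name].audit_all:
                audit_log.append({"class": cls, "profile": name, "user": user,
                                  "log_string": f"{obj} ALTER DB={database}"})
            return 0, trace
    return 8, trace   # all checks failed; this page does not cover that path
```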