Example 5: Deferring to Db2 (missing ACEE)

The RACF access control module can defer to native Db2 authorization checking for a missing ACEE.

This example shows how the RACF access control module defers to native Db2 authorization checking because no ACEE was passed in.

In this example, user ID MIKEJ is trying to alter a table called BDA0828.EMP in database JBW2000. MIKEJ is connecting through CICS.

Setup

  • Classification model (&CLASSOPT): 2
  • Class name root (&CLASSNMT): DSN
  • Class name suffix (&CHAROPT): 1

    This is the default value, but it is not used with supplied classes.

  • Db2 subsystem name: VHH1
  • Profiles:
    • Defined in the MDSNTB class:

      VHH1.BDA0828.EMP.SELECT

  • User ID MIKEJ has SELECT privilege on the BDA0828.EMP table.
  • CICS is set up without using external security (for example, SEC=NO is specified in the DFHSIT), so CICS does not pass an ACEE to the CICS attachment facility. When Db2 does not have an ACEE, it passes zeros in the XAPLACEE field.

Profile checking

A profile that permits MIKEJ to perform a select on table BDA0828.EMP is defined and valid. However, because an ACEE was not provided to RACF, the profile is not considered.

Final result

The RACF access control module sends a return code of 4 with reason code 11 to Db2.
