Properties of RRSAF connections

RRSAF enables programs to communicate with Db2 to process SQL statements, commands, or IFI calls.

Restriction: Do not mix RRSAF connections with other connection types in a single address space. The first connection that is made from an address space to Db2 determines the type of connection allowed.

The connection that RRSAF makes with Db2 has the basic properties that are listed in the following table.

Table 1. Properties of RRSAF connections
Property Value Comments
Connection name RRSAF You can use the DISPLAY THREAD command to list RRSAF applications that have the connection name RRSAF.
Connection type RRSAF None.
Authorization ID Authorization IDs that are associated with each Db2 connection A connection must have a primary ID and can have one or more secondary IDs. Those identifiers are used for the following purposes:
  • Validating access to Db2
  • Checking privileges on Db2 objects
  • Assigning ownership of Db2 objects
  • Identifying the user of a connection for audit, performance, and accounting traces.

RRSAF relies on the z/OS® System Authorization Facility (SAF) and a security product, such as RACF®, to verify and authorize the authorization IDs. An application that connects to Db2 through RRSAF must pass those identifiers to SAF for verification and authorization checking. RRSAF retrieves the identifiers from SAF.

A location can provide an authorization exit routine for a Db2 connection to change the authorization IDs and to indicate whether the connection is allowed. The actual values that are assigned to the primary and secondary authorization IDs can differ from the values that are provided by a SIGNON or AUTH SIGNON request. A site's Db2 signon exit routine can access the primary and secondary authorization IDs and can modify the IDs to satisfy the site's security requirements. The exit routine can also indicate whether the signon request should be accepted.
Scope RRSAF processes connections as if each task is entirely isolated. When a task requests a function, RRSAF passes the function to Db2, regardless of the connection status of other tasks in the address space. However, the application program and the Db2 subsystem have access to the connection status of multiple tasks in an address space. None.

If an application that is connected to Db2 through RRSAF terminates normally before the TERMINATE THREAD or TERMINATE IDENTIFY functions deallocate the plan, RRS commits any changes made after the last commit point. If the application terminates abnormally before the TERMINATE THREAD or TERMINATE IDENTIFY functions deallocate the plan, z/OS RRS rolls back any changes made after the last commit point. In either case, Db2 deallocates the plan, if necessary, and terminates the application's connection.

If Db2 abends while an application is running, Db2 rolls back changes to the last commit point. If Db2 terminates while processing a commit request, Db2 either commits or rolls back any changes at the next restart. The action taken depends on the state of the commit request when Db2 terminates.