Defining classes for the RACF access control module
You can define classes for the RACF access control module if you choose not to use the default classes.
Defining classes for the RACF access control module is optional.
When you change the &CLASSOPT or &CLASSNMT assembler SET symbols from their default values, you must define your own classes in the RACF class descriptor table (CDT).
Tip: If you define your classes in the dynamic class descriptor table instead of the static class descriptor table, you do not need to re-IPL to activate the new classes.
It is not necessary to define classes for Db2 objects and administrative authorities that are not protected by the RACF access control module.
You can define classes for Db2 objects and you can define classes for administrative authorities.
When using the single-subsystem scope, the RACF access control module builds class names dynamically by concatenating the Db2 subsystem name, or group attachment name, with the object type. As a result, multiple Db2 subsystems can use the same copy of the RACF access control module. However, you must create an installation-defined set of classes for each subsystem.
When using the multiple-subsystem scope, the RACF access control module builds class names dynamically by concatenating the &CLASSNMT with the object type. As a result, any Db2 subsystem with the same &CLASSNMT can use the same copy of the RACF access control module. You can create an installation-defined set of classes for each subsystem or you can choose to use the supplied classes instead.
Restrictions:
- If you choose to use installation-defined classes, you must use installation-defined classes with all objects for the same copy of the RACF access control module. You cannot mix classes supplied by IBM® and installation-defined classes. To use both types, you must use different versions of the RACF access control module.
- RACF expects that installation-defined classes have the same class descriptor table attributes as the corresponding Db2 classes supplied by IBM.