Privilege names

The RACF access control module constructs the Db2 resource name using the Db2 privilege name as the lowest-level qualifier (RACF profile-name suffix) in the resource name.

Each explicit privilege used as a low-level qualifier corresponds to one of the explicit privilege names that Db2 uses for a particular object. For a complete reference of all valid privilege names that can be used in a resource name for each Db2 object, see the tables in RACF authorization checking reference.

Tip: You can authorize a user for one or more privileges on a Db2 object by defining a generic RACF profile using an asterisk (*) in place of the privilege name and then permitting the user to the generic profile. However, if a more specific generic profile or a discrete profile also protect the same privilege or set of privileges, RACF will use those profiles to control access rather than the less specific generic profile.

See Db2 GRANT statements for an example of using a generic character in place of the privilege name. (In contrast with SQL, in RACF a single asterisk (*) matches characters within the scope of a single qualifier.)