Naming protected access profiles

The RACF® resource class for Db2 is DSNR, which is contained in the RACF class descriptor table. The profiles in that class help you control access to a Db2 subsystem from another environment. The environment can be IMS, CICS®, the distributed data facility (DDF), Time Sharing Option (TSO), the call attachment facility (CAF), Db2 REST services, or batch.

About this task

Each profile has a name of the form subsystem.environment, where:

  • subsystem is the name of a Db2 subsystem, of one to four characters; for example, DSN or DB2T.
  • environment denotes the environment, by one of the following terms:
    • MASS for IMS (including MPP, BMP, Fast Path, and DL/I batch).
    • SASS for CICS.
    • DIST for DDF.
    • RRSAF for Resource Recovery Services attachment facility. Stored procedures use RRSAF in WLM-established address spaces.
    • REST for Db2 REST services.
    • ACCEL for IBM Integrated Synchronization access by IBM® Db2 Analytics Accelerator for z/OS® or by IBM Db2 for z/OS Data Gate.
    • BATCH for all others, including TSO, CAF, and utilities.

To control access, you need to define a profile, as a member of class DSNR, for every combination of subsystem and environment you want to use. For example, suppose that you want to access:

  • Subsystem DSN from TSO and DDF
  • Subsystem DB2P from TSO, DDF, IMS, and RRSAF
  • Subsystem DB2T from TSO, DDF, CICS, RRSAF, and Db2 REST services

Then define the profiles with the following names:

DSN.BATCH   DSN.DIST
DB2P.BATCH  DB2P.DIST  DB2P.MASS  DB2P.RRSAF
DB2T.BATCH  DB2T.DIST  DB2T.SASS  DB2T.RRSAF  DB2T.REST

You can do that with a single RACF command, which also names an owner for the resources:

RDEFINE DSNR (DSN.BATCH  DSN.DIST  DB2P.BATCH  DB2P.DIST  DB2P.MASS DB2P.RRSAF
              DB2T.BATCH DB2T.DIST DB2T.SASS DB2T.RRSAF DB2T.REST)  OWNER(DB2OWNER)

In order to access a subsystem in a particular environment, a user must be on the access list of the corresponding profile. You add users to the access list by using the RACF PERMIT command. If you do not want to limit access to particular users or groups, you can give universal access to a profile with a command like this:

RDEFINE DSNR (DSN.BATCH) OWNER(DB2OWNER) UACC(READ)
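
The naming rule and the RDEFINE and PERMIT commands described above can be generated from a list of access requirements. The following is an added example, not code from IBM or from this page; the access-path labels used as input (such as TSO, CAF, UTILITY), the function names, and the group DB2USERS are assumptions made for illustration.

```python
# Added example: maps requested access paths to the page's DSNR profile names.
ENV_TERM = {
    "IMS": "MASS", "CICS": "SASS", "DDF": "DIST", "RRSAF": "RRSAF",
    "REST": "REST", "ACCEL": "ACCEL",
    # "All others" share one profile, so TSO, CAF, and utilities map to BATCH.
    "TSO": "BATCH", "CAF": "BATCH", "UTILITY": "BATCH", "BATCH": "BATCH",
}
ORDER = ["BATCH", "DIST", "MASS", "SASS", "RRSAF", "REST", "ACCEL"]


def profile_names(subsystem, paths):
    """Return the profile names one subsystem needs, without duplicates."""
    # One to four characters; also reject characters that would break the command.
    if not 1 <= len(subsystem) <= 4 or any(c in " .()" for c in subsystem):
        raise ValueError(f"subsystem name must be 1-4 characters: {subsystem!r}")
    terms = set()
    for path in paths:
        key = path.upper()
        if key not in ENV_TERM:
            # Fail closed: an unknown path must not silently become BATCH.
            raise ValueError(f"unknown access path: {path!r}")
        terms.add(ENV_TERM[key])
    return [f"{subsystem.upper()}.{t}" for t in ORDER if t in terms]


def rdefine_command(requirements, owner):
    """Build one RDEFINE covering every subsystem/environment combination."""
    names = [n for ssid, paths in requirements.items()
             for n in profile_names(ssid, paths)]
    return f"RDEFINE DSNR ({' '.join(names)}) OWNER({owner})"


def permit_commands(names, group):
    """Build one PERMIT per profile; `group` is a hypothetical RACF group."""
    return [f"PERMIT {n} CLASS(DSNR) ID({group}) ACCESS(READ)" for n in names]


# The access requirements from the page's own example.
PAGE_EXAMPLE = {
    "DSN": ["TSO", "DDF"],
    "DB2P": ["TSO", "DDF", "IMS", "RRSAF"],
    "DB2T": ["TSO", "DDF", "CICS", "RRSAF", "REST"],
}

if __name__ == "__main__":
    print(rdefine_command(PAGE_EXAMPLE, "DB2OWNER"))
    for cmd in permit_commands(profile_names("DSN", ["TSO", "DDF"]), "DB2USERS"):
        print(cmd)
```

Because TSO, CAF, and utilities all resolve to the BATCH profile, permitting a user to subsystem.BATCH for one of them grants all three; the generator makes that collapse visible before the commands are issued.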