AUTH EXIT CHECK (AUTHEXIT_CHECK subsystem parameter)
The AUTHEXIT_CHECK subsystem parameter specifies whether the owner or the primary authorization ID is used for authorization checks when the access control authorization exit (DSNX@XAC) is active.
Acceptable values: | PRIMARY, DB2 |
---|---|
Default: | PRIMARY |
Update: | No |
DSNZPxxx: | DSN6SPRM.AUTHEXIT_CHECK |
Data sharing scope: | Group |
Security parameter: | Security-related |
- PRIMARY
- Specifies that Db2 provides the ACEE of the primary authorization ID to perform all authorization checks. The primary authorization ID must be permitted access to the resources in RACF®. This is the default value for the field.
- DB2
- Specifies that Db2 provides the ACEE of
the package or plan owner to perform authorization checking when processing the autobind, BIND and
REBIND commands and, if needed, during the execution of the package or plan. Db2 also provides the ACEE of the
authorization ID, as determined by the DYNAMICRULES option with bind behavior, to perform dynamic
SQL authorization checking at run time. The access control authorization exit uses the ACEE for
XAPLUCHK for authorization checking. The XAPLUCHK authorization ID can be a user or a group in RACF. To ensure successful authorization checks with the owner ACEE, the owner authorization ID in XAPLUCHK must be permitted access to the resources in RACF. If the owner is a group in RACF, you need to permit the group access to the resource associated with the connection in the RACF DSNR class. You can issue the PERMIT command to grant a group access to subsystem.BATCH in the DSNR class, as follows:
PERMIT DSN.BATCH CLASS(DSNR) ID(DB2GRP) ACCESS(READ)