Granting users and groups access
You can use the PERMIT command to grant users or groups access to resources in class DSNR.
About this task
Suppose that the DB2OWNER group in the following example is authorized for class DSNR, owns the profiles, and has the right to change them. You can issue the following commands to authorize the DB2USER members, the system administrators, and operators to be TSO users.
PERMIT DSN.BATCH CLASS(DSNR) ID(DB2USER) ACCESS(READ)
PERMIT DB2P.BATCH CLASS(DSNR) ID(DB2USER) ACCESS(READ)
PERMIT DB2T.BATCH CLASS(DSNR) ID(DB2USER) ACCESS(READ)
Defining profiles for IMS and CICS®: You want the IDs for attaching systems to use the appropriate access profile. For example, to let the IMS user ID use the access profile for IMS on system DB2P, issue the following RACF® command:
PERMIT DB2P.MASS CLASS(DSNR) ID(IMS) ACCESS(READ)
To let the CICS group ID use the access profile for CICS on system DB2T, issue the following RACF command:
PERMIT DB2T.SASS CLASS(DSNR) ID(CICSGRP) ACCESS(READ)
Providing installation authorities to default IDs: When Db2 is installed, IDs are named to have special authorities: one or two IDs for SYSADM and one or two IDs for SYSOPR. Those IDs can be connected to the group DB2USER; if they are not, you need to give them access. The next command permits the default IDs for the SYSADM and SYSOPR authorities to use subsystem DSN through TSO:
PERMIT DSN.BATCH CLASS(DSNR) ID(SYSADM,SYSOPR) ACCESS(READ)
Using secondary IDs: You can use secondary authorization IDs to define a RACF group. After you define the RACF group, you can assign privileges to it that are shared by multiple primary IDs. For example, suppose that DB2OWNER wants to create a group GROUP1 and to give the ID USER1 administrative authority over the group. USER1 should be able to connect other existing users to the group. To create the group, DB2OWNER issues this RACF command:
ADDGROUP GROUP1 OWNER(USER1) DATA('GROUP FOR DEPT. G1')
To let the group connect to the DSN system through TSO, DB2OWNER issues this RACF command:
PERMIT DSN.BATCH CLASS(DSNR) ID(GROUP1) ACCESS(READ)
USER1 can now connect other existing IDs to the group GROUP1 by using the RACF CONNECT command:
CONNECT (USER2 EPSILON1 EPSILON2) GROUP(GROUP1)
If you add or update secondary IDs for CICS transactions, you must start and stop the CICS attachment facility to ensure that all threads sign on and get the correct security information.
Allowing users to create data sets: You can use RACF to protect the data sets that store Db2 data. If you use this approach, then when you create a new group of Db2 users, you might want to connect it to a group that can create data sets. To allow USER1 to create and control data sets, DB2OWNER creates a generic profile and permits complete control to USER1 and to the four administrators. Including SYSDSP in the ID list also gives control to Db2.
ADDSD 'DSNC112.DSNDBC.ST*' UACC(NONE)
PERMIT 'DSNC112.DSNDBC.ST*' ID(USER1 SYSDSP SYSAD1 SYSAD2 SYSOP1 SYSOP2) ACCESS(ALTER)
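The following is an added example, not part of the Db2 or RACF documentation and not IBM code. It is a small Python model that parses the RDEFINE, ADDSD, PERMIT, ADDGROUP and CONNECT commands shown on this page, builds the resulting profiles, access lists and group memberships, and then answers "does this ID have this level of access to this resource?" the way a reviewer would check a planned set of PERMITs before running them. The RDEFINE commands for the DSNR profiles are assumed prerequisites (the page says DB2OWNER already owns them), the data set name DSNC112.DSNDBC.STDATA is constructed to exercise the generic profile, and the model deliberately simplifies RACF: an explicit user entry on the access list wins over group entries and over UACC, group nesting is not modelled, '*' is treated as a plain wildcard rather than with RACF's full generic-naming rules, and a resource with no profile is treated as not permitted (fail closed), which is a choice of this model, not a statement about RACF's behaviour in that case.

```python
"""Simplified model of RACF profiles and access lists (added example, not IBM code)."""
import fnmatch
import re
from dataclasses import dataclass, field

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")          # KEYWORD(value value ...)


@dataclass
class Profile:
    cls: str
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)          # ID -> access level


def parse(command):
    """Split a TSO/RACF command into verb, positional operands and keyword operands."""
    text = command.strip().replace("'", "")
    verb, _, rest = text.partition(" ")
    kw = {k.upper(): [t for t in re.split(r"[\s,]+", v.strip()) if t]
          for k, v in KEYWORD.findall(rest)}
    positional = KEYWORD.sub(" ", rest).replace("(", " ").replace(")", " ").split()
    return verb.upper(), positional, kw


class RacfModel:
    def __init__(self):
        self.profiles = {}    # (class, profile name) -> Profile
        self.groups = {}      # group name -> set of connected user IDs

    def run(self, command):
        verb, pos, kw = parse(command)
        if verb == "RDEFINE":                        # general resource profile
            self.profiles[(pos[0], pos[1])] = Profile(pos[0], pos[1], kw.get("UACC", ["NONE"])[0])
        elif verb == "ADDSD":                        # data set profile
            self.profiles[("DATASET", pos[0])] = Profile("DATASET", pos[0], kw.get("UACC", ["NONE"])[0])
        elif verb == "PERMIT":
            cls = kw.get("CLASS", ["DATASET"])[0]    # PERMIT without CLASS means DATASET
            prof = self.profiles.get((cls, pos[0]))
            if prof is None:                         # PERMIT needs an existing profile
                raise KeyError(f"no profile {pos[0]} in class {cls}")
            for uid in kw["ID"]:
                prof.acl[uid] = kw.get("ACCESS", ["READ"])[0]
        elif verb == "ADDGROUP":
            self.groups[pos[0]] = set()
        elif verb == "CONNECT":
            self.groups.setdefault(kw["GROUP"][0], set()).update(pos)
        else:
            raise ValueError(f"unsupported command: {verb}")

    def matching_profile(self, cls, resource):
        """Exact profile if one exists, otherwise the most specific generic match."""
        exact = self.profiles.get((cls, resource))
        if exact:
            return exact
        generics = [p for (c, n), p in self.profiles.items()
                    if c == cls and "*" in n and fnmatch.fnmatchcase(resource, n)]
        return max(generics, key=lambda p: len(p.name.replace("*", "")), default=None)

    def effective_access(self, uid, cls, resource):
        """Access level from the user's own ACL entry, else the best group entry, else UACC."""
        prof = self.matching_profile(cls, resource)
        if prof is None:
            return None                              # no profile: this model fails closed
        if uid in prof.acl:
            return prof.acl[uid]
        group_levels = [prof.acl[g] for g, members in self.groups.items()
                        if uid in members and g in prof.acl]
        if group_levels:
            return max(group_levels, key=ACCESS_LEVELS.index)
        return prof.uacc

    def allowed(self, uid, cls, resource, wanted):
        level = self.effective_access(uid, cls, resource)
        return level is not None and ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(wanted)


def build_model():
    """Replay the page's commands (plus assumed RDEFINE prerequisites) into a model."""
    commands = [
        # Assumed prerequisites, not shown on the page: the DSNR profiles must exist.
        "RDEFINE DSNR DSN.BATCH UACC(NONE)", "RDEFINE DSNR DB2P.BATCH UACC(NONE)",
        "RDEFINE DSNR DB2T.BATCH UACC(NONE)", "RDEFINE DSNR DB2P.MASS UACC(NONE)",
        "RDEFINE DSNR DB2T.SASS UACC(NONE)",
        # Commands exactly as shown on the page.
        "PERMIT DSN.BATCH CLASS(DSNR) ID(DB2USER) ACCESS(READ)",
        "PERMIT DB2P.BATCH CLASS(DSNR) ID(DB2USER) ACCESS(READ)",
        "PERMIT DB2T.BATCH CLASS(DSNR) ID(DB2USER) ACCESS(READ)",
        "PERMIT DB2P.MASS CLASS(DSNR) ID(IMS) ACCESS(READ)",
        "PERMIT DB2T.SASS CLASS(DSNR) ID(CICSGRP) ACCESS(READ)",
        "PERMIT DSN.BATCH CLASS(DSNR) ID(SYSADM,SYSOPR) ACCESS(READ)",
        "ADDGROUP GROUP1 OWNER(USER1) DATA('GROUP FOR DEPT. G1')",
        "PERMIT DSN.BATCH CLASS(DSNR) ID(GROUP1) ACCESS(READ)",
        "CONNECT (USER2 EPSILON1 EPSILON2) GROUP(GROUP1)",
        "ADDSD 'DSNC112.DSNDBC.ST*' UACC(NONE)",
        "PERMIT 'DSNC112.DSNDBC.ST*' ID(USER1 SYSDSP SYSAD1 SYSAD2 SYSOP1 SYSOP2) ACCESS(ALTER)",
    ]
    model = RacfModel()
    for c in commands:
        model.run(c)
    return model


if __name__ == "__main__":
    m = build_model()
    for uid, cls, res, lvl in [("IMS", "DSNR", "DB2P.MASS", "READ"),
                               ("IMS", "DSNR", "DB2T.SASS", "READ"),
                               ("USER2", "DSNR", "DSN.BATCH", "READ"),
                               ("USER2", "DATASET", "DSNC112.DSNDBC.STDATA", "READ")]:
        print(f"{uid:8} {cls:8} {res:24} {lvl:6} -> {m.allowed(uid, cls, res, lvl)}")
```

The useful check is the negative cases: because every profile carries UACC(NONE), an ID reaches a resource only through its own entry or through a group it is connected to, so IMS gets DB2P.MASS but not DB2T.SASS, and USER2 reaches DSN.BATCH only because CONNECT put it into GROUP1. A PERMIT against a profile that was never defined raises an error instead of silently creating anything, which is the order of operations the page assumes.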